Security Warning for Developers: North Korean Hackers Deploy 197 Malicious npm Packages to Spread Malware via Fake Job Interviews


501/68 Tuesday, December 2, 2025

Security researchers at Socket have warned of a major expansion of the “Contagious Interview” campaign, which is attributed to a North Korean state-backed threat group. The attackers uploaded 197 malicious npm packages to the registry and used them to distribute a new malware family dubbed “OtterCookie.” The campaign continues to target software developers, particularly those working in crypto, Web3, and blockchain, on Windows, Linux, and macOS. The malicious packages have already been downloaded more than 31,000 times.

The attackers rely heavily on social engineering, posing as recruiters on LinkedIn to lure victims into fake job interviews or to assign what appear to be routine technical assessments; in reality, the assessment code carries the malicious payload. Recent activity includes typosquatted packages such as “tailwind-magic”, designed to resemble legitimate libraries like “tailwind-merge”. Once installed, the package executes scripts that fetch payloads from attacker-controlled infrastructure hosted on GitHub (account: stardev0914) and Vercel, which helps it evade detection, before connecting to a command-and-control (C2) server and beginning data exfiltration.

The delivered malware, OtterCookie, functions as a combined Remote Access Tool (RAT) and infostealer. It first checks whether it is running on a real machine or in a VM/sandbox. If it detects a real system, it proceeds with several malicious activities, including:

  • Stealing clipboard data
  • Keylogging
  • Screenshot capture
  • Harvesting saved passwords
  • Extracting crypto wallet data from browser extensions

Additionally, research from NVISO indicates that in mid-November the threat actors shifted tactics to use JSON storage services (such as JSON Keeper and npoint.io) to deliver malware payloads, demonstrating constant adaptation to bypass detection and compromise development environments.

This campaign underscores the increasing sophistication of attacks targeting developers and the global digital asset ecosystem, as threat actors aim to steal sensitive data and cryptocurrency assets worldwide.

Source: https://securityaffairs.com/185170/apt/contagious-interview-campaign-expands-with-197-npm-ppackages-spreading-new-ottercookie-malware.html