North Korean hackers are actively exploiting popular developer platforms like npm, GitHub, and Vercel as part of a sophisticated campaign dubbed “Contagious Interview.” The goal is to distribute a potent malware known as OtterCookie, targeting software developers worldwide and compromising their development workflows. This operation highlights the evolving tactics of state-sponsored actors in the contemporary cybersecurity landscape.
Since early October 2025, researchers have identified a significant surge in malicious npm packages, with at least 197 new ones discovered. These packages have already seen over 31,000 downloads, indicating a widespread potential impact. The attack chain blends into ordinary development practice: because npm runs lifecycle scripts during package installation, developers expect code to execute at that point, and a malicious install hook draws little suspicion.
North Korean Hackers Exploit Development Ecosystem for OtterCookie Malware
The “Contagious Interview” campaign employs a multi-stage supply chain attack strategy. Threat actors create fake developer profiles on GitHub, publish npm packages designed to trick developers through typosquatting, and utilize Vercel hosting services to stage their malicious payloads. When unsuspecting developers install these poisoned npm packages, an automated post-installation script executes, silently reaching out to attacker-controlled servers to download and run the latest version of the OtterCookie malware.
Security analysts at Socket.dev, who unearthed this operation, detailed the well-orchestrated infrastructure behind the campaign. For instance, a package named “tailwind-magic,” designed to mimic the legitimate “tailwind-merge” library, was traced back to a GitHub account named “stardev0914” and a Vercel staging endpoint, “tetrismic.vercel.app.” This account hosted at least 18 repositories, many themed around cryptocurrency projects, serving as both decoys and delivery mechanisms.
At least five core malicious packages, including “node-tailwind” and “react-modal-select,” were found to route through this specific infrastructure. The malware itself, OtterCookie, is described as a versatile infostealer and remote access trojan with cross-platform compatibility, capable of infecting Windows, macOS, and Linux systems. Its initial execution within a Node.js process includes checks for virtual machines and sandboxed environments, a tactic aimed at evading security researchers and analysts.
Infection and Persistence Mechanisms of OtterCookie
The infection vector is a postinstall script embedded in the malicious npm packages. npm triggers this script automatically when a developer runs `npm install`. The script then contacts the attacker’s endpoint, `https://tetrismic.vercel.app/api/ipcheck`, using the axios library. The server responds with JSON whose “model” field contains JavaScript code, which the script passes to `eval` inside the victim’s Node.js process, giving the attackers arbitrary code execution with elevated privileges.
The staging server hosting the malware payload is reportedly updated continuously, allowing threat actors to rotate malware variants and tailor their attacks to specific targets. Once deployed on a victim’s machine, OtterCookie establishes persistence through several methods. On Windows, it creates a scheduled task named “NodeUpdate” that runs at logon with elevated privileges and adds a `NodeHelper` entry under the HKCU `Run` registry key to ensure its relaunch.
The malware operates by spawning three detached Node.js worker processes using `child_process.spawn`. These processes are configured to ignore standard input/output and hide their windows, allowing them to run discreetly in the background even after the initial loader script exits. This multi-process approach enhances its stealth and resilience.
OtterCookie’s data harvesting capabilities are extensive. It performs system-wide keylogging, captures screenshots from all connected monitors every five seconds, and exfiltrates clipboard contents. Furthermore, it recursively scans the file system for sensitive files typically containing credentials and wallet information, such as those with “.env,” “metamask,” “phantom,” and “seed” in their names.
The malware specifically targets browser profiles of Chrome and Brave browsers across all operating systems, accessing stored login credentials by querying the browsers’ “Login Data” SQLite databases. A significant focus is placed on cryptocurrency wallet extensions, with OtterCookie capable of identifying and extracting data from at least 42 different browser wallet extensions, including popular ones like MetaMask, Phantom, and Keplr. This makes it a particularly dangerous threat to Web3 developers.
All exfiltrated data is transmitted to the command and control infrastructure, identified at IP address 144.172.104.117. This central infrastructure not only handles data collection but also allows threat actors to issue remote commands, maintaining continuous interactive shell access to compromised systems.
The ongoing discovery of new malicious packages and evolving tactics by these North Korean-backed threat actors underscore the persistent risks within the open-source software supply chain. Developers and organizations are advised to implement stringent security measures, including dependency scanning and careful vetting of third-party libraries, to mitigate the potential impact of such sophisticated attacks.