North Korea-linked actors behind Contagious Interview uploaded 197 new malicious npm packages to distribute a new OtterCookie malware version.

North Korea-linked threat actors added 197 new malicious npm packages to spread updated OtterCookie malware as part of the ongoing Contagious Interview campaign, cybersecurity firm Socket warns.

The Contagious Interview campaign, active since November 2023 and linked to North Korea, targets software developers on Windows, Linux, and macOS. The attackers focus on developers working in crypto and Web3. Attackers pose as recruiters on platforms like LinkedIn and use social engineering tactics, including fake job interviews and trojanized demo projects, to deliver malware. Their payloads commonly include the BeaverTail and OtterCookie infostealers and the InvisibleFerret RAT.

The Contagious Interview campaign keeps expanding in the npm ecosystem, with nation-state actors adding 197 more malicious packages and over 31,000 downloads. “Since we last reported on this campaign, it has added at least 197 more malicious npm packages and over 31,000 additional downloads, with state-sponsored threat actors targeting blockchain and Web3 developers through fake job interviews and \u201ctest assignments\u201d.” reads the report published by Socket.

In mid-November, North Korea-linked actors behind the Contagious Interview campaign have updated their tactics, using JSON storage services (e.g. JSON Keeper, JSONsilo, and npoint.io) to host and deliver malware through trojanized code projects, according to a new NVISO report.

To read the complete article see: Security Affairs