North Korean Hackers Deploy 197 npm Packages to Spread Updated OtterCookie Malware


These articles are AI-generated summaries. Please check the original sources for full details.

North Korean threat actors expanded the Contagious Interview campaign by deploying 197 new npm packages, which have been downloaded over 31,000 times. These packages deliver a hybrid OtterCookie malware variant combining features of BeaverTail and prior iterations.

Why This Matters

The attack underscores the vulnerability of JavaScript ecosystems to supply-chain compromises. npm packages are typically trusted, and this campaign exploits that developer reliance on third-party libraries. The malware evades sandboxing, establishes persistent C2 channels, and exfiltrates sensitive data, including cryptocurrency credentials. The download count highlights the risk of weaponized open-source dependencies, with potential for widespread compromise across development environments.

Key Insights

  • “197 npm packages, 31,000+ downloads, 2025”: Socket analysis reveals the scope of the Contagious Interview campaign.
  • “Sandbox evasion + C2 persistence”: OtterCookie combines evasion techniques with long-term access via hard-coded Vercel URLs and GitHub repos.
  • “Fake interview schemes”: Attackers use job interview simulations to trick users into executing malicious Node.js apps.

Practical Applications

  • Use Case: Fake assessment sites mimic Chrome prompts to steal credentials under the guise of camera/microphone fixes.
  • Pitfall: Trusting unverified npm packages without code review or dependency checks can introduce persistent backdoors.
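
The dependency check named in the pitfall above can start as a small triage script. The following is an added example, not code from the original article or from Socket: it flags hard-coded Vercel and GitHub raw-content URLs plus install-time lifecycle scripts in a package. The URL patterns, the lifecycle-script heuristic, and the names auditPackage, loadPackage and SAMPLE are assumptions made for illustration, not indicators taken from the campaign.

```javascript
// Added example: triage heuristics for reviewing an npm package before trusting it.
// Patterns below are illustrative assumptions, not indicators from the article.
const HOST_RULES = [
  { id: 'vercel-endpoint', re: /https?:\/\/[a-z0-9-]+\.vercel\.app\b[^\s'"`)]*/gi },
  { id: 'github-raw-fetch', re: /https?:\/\/raw\.githubusercontent\.com\/[^\s'"`)]+/gi },
];
const LIFECYCLE = ['preinstall', 'install', 'postinstall'];

// pkg = { manifest: <parsed package.json>, files: { relativePath: sourceText } }
function auditPackage(pkg) {
  const findings = [];
  const scripts = (pkg.manifest && pkg.manifest.scripts) || {};
  for (const hook of LIFECYCLE) {
    if (scripts[hook]) findings.push({ rule: 'lifecycle-script', where: hook, detail: scripts[hook] });
  }
  for (const [file, text] of Object.entries(pkg.files || {})) {
    for (const { id, re } of HOST_RULES) {
      for (const m of text.matchAll(re)) findings.push({ rule: id, where: file, detail: m[0] });
    }
  }
  return findings;
}

// Load one package directory from disk (skips nested node_modules and files of 1 MiB or more).
function loadPackage(dir) {
  const fs = require('fs'), path = require('path');
  const files = {};
  const walk = (d) => {
    for (const e of fs.readdirSync(d, { withFileTypes: true })) {
      const p = path.join(d, e.name);
      if (e.isDirectory()) { if (e.name !== 'node_modules') walk(p); }
      else if (/\.(c|m)?js$/.test(e.name) && fs.statSync(p).size < 1 << 20) {
        files[path.relative(dir, p)] = fs.readFileSync(p, 'utf8');
      }
    }
  };
  walk(dir);
  return { manifest: JSON.parse(fs.readFileSync(path.join(dir, 'package.json'), 'utf8')), files };
}

// Constructed sample: a package with an install hook and a hard-coded remote endpoint.
const SAMPLE = {
  manifest: { name: 'example-helper', version: '1.0.0', scripts: { postinstall: 'node setup.js' } },
  files: {
    'setup.js': "const endpoint = 'https://example-stage.vercel.app/api/boot';",
    'index.js': 'module.exports = (a, b) => a + b;',
  },
};
console.log(auditPackage(SAMPLE));
```

A finding is a prompt for manual review, not a verdict: many legitimate packages use install scripts or reference hosted endpoints. For a package on disk, call auditPackage(loadPackage(dir)) with the package's directory.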