Contagious Interview campaign expands with 197 npm packages spreading new OtterCookie malware

North Korean threat actors are actively expanding their malicious operations within the npm ecosystem to distribute OtterCookie malware, targeting developers in the crypto and Web3 sectors. The campaign employs fake job offers, typosquatted packages, and a sophisticated infrastructure involving GitHub, Vercel, and C2 servers.

Key points

  • North Korea-linked actors added 197 malicious npm packages in the Contagious Interview campaign.
  • The campaign targets developers on Windows, Linux, and macOS via social engineering tactics like fake job interviews.
  • They use a complex infrastructure involving GitHub, Vercel, and C2 servers to deliver and orchestrate malware payloads.
  • The OtterCookie malware functions as an infostealer and remote access tool, capturing sensitive data and controlling infected systems.
  • The operation employs typosquatted packages and fake crypto projects to lure developers into installing malicious code.

Read More: https://securityaffairs.com/185170/apt/contagious-interview-campaign-expands-with-197-npm-ppackages-spreading-new-ottercookie-malware.html