DPRK's 'Contagious Interview' Spawns Malicious Npm Package Factory
Recorded: Dec. 2, 2025, 4:03 p.m.
Original
North Korean attackers have delivered more than 197 malicious packages with 31K-plus downloads since Oct. 10, as part of ongoing state-sponsored activity to compromise software developers.

Elizabeth Montalbano, Contributing Writer
December 2, 2025
5 Min Read
Source: DD Images via Shutterstock

North Korea's 'Contagious Interview' campaign to target job seekers has expanded yet again, this time with a persistent npm package-poisoning operation that runs like a well-oiled machine. Threat actors have delivered more than 197 malicious npm packages with more than 31,000 collective downloads since Oct. 10, as part of ongoing state-sponsored activity to lure and compromise software development professionals.

In the latest wave of the campaign, which has been ongoing for at least several years now, North Korean threat actors are targeting blockchain and Web3 developers through fake job interviews and "test assignments," according to a report published this week by Socket Threat Research. Since at least June, they have added malicious npm packages to the lure: the packages are designed to drop initial-access malware, giving the attackers the ability to deliver further payloads, install a remote access Trojan (RAT), and steal credentials and cryptocurrency. Moreover, the attackers have consistently created and uploaded malicious packages through a GitHub infrastructure that underpins at least part of the activity.
So far, Socket has discovered hundreds of malicious npm packages that cumulatively have been downloaded tens of thousands of times.

"This sustained tempo makes Contagious Interview one of the most prolific campaigns exploiting npm, and it shows how thoroughly North Korean threat actors have adapted their tooling to modern JavaScript and crypto-centric development workflows," Socket Threat Research's Kirill Boychenko wrote in the report.

Unpacking Malware & DPRK Attacker Infrastructure

The Contagious Interview campaign begins with a ruse that lures victims via social media, such as LinkedIn, with the attackers posing as recruiters or hiring managers offering employment positions. Their ultimate objective is to compromise the machines of developers who are likely to hold credentials, private keys, tokens, and other monetizable secrets, according to Socket.

At some point, job candidates are asked to do a "test" by working on a fake project, which is where the malicious npm packages enter the attack flow. The latest malicious npm packages deliver a variant of the OtterCookie malware that combines BeaverTail malware and prior versions of OtterCookie, according to Socket. BeaverTail often serves as a downloader of further payloads, while OtterCookie is a multistage infostealer and RAT.

The malware establishes a command-and-control (C2) channel that gives the attackers a remote shell and the ability to deliver second-stage malware.
It also has capabilities to steal clipboard contents, log keystrokes, capture screenshots, and gather browser credentials, documents, cryptocurrency wallet data, and seed phrases, according to Socket.

Using GitHub as a Foundation for Malicious Activity

Socket researchers also discovered GitHub infrastructure powering the delivery of malicious packages by tracing one of them, a package called tailwind-magic, back to its source. This led them to a Vercel-hosted staging endpoint, tetrismic[.]vercel[.]app, and from there to a threat actor-controlled GitHub account, stardev0914, which contained 18 repositories. The team collaborated with Kieran Miyamoto of the DPRK Research blog to uncover the GitHub account.

"The repositories … form a coherent adversarial delivery stack: malware-serving code lives on GitHub, the latest payload is fetched from Vercel, and a separate C2 server handles data collection and tasking," Boychenko wrote, adding that at least five of the malicious npm packages delivered in the campaign rely on this infrastructure to deliver a second-stage payload.

This consistent and persistent use of GitHub as a foundation for the campaign is what sets it apart from other malicious npm package campaigns, which are becoming all too common, observes Collin Hogue-Spears, senior director of solution management at application security solution provider Black Duck.

"Previous npm attacks were 'smash and grab' in nature: compromise one package, cash out, and disappear," he tells Dark Reading. "This new campaign, on the other hand, runs continuously. They ship malware in a similar fashion to legitimate teams shipping features."

Indeed, the systematic longevity of the campaign sets it apart from other malicious package attacks, concurs Jason Soroko, senior fellow at comprehensive certificate lifecycle management (CLM) provider Sectigo.
"The level of persistence, the combination of social engineering and supply chain abuse, and the detailed visibility into their GitHub and Vercel workflow, make this look less like a one-off hijack and more like a standing product operation," he says.

Making Developer Environments Cyber-Safe

At this time, the stardev0914 account is no longer active on GitHub; however, DPRK attackers are quickly regrouping and forming other accounts from which to conduct their malicious activity, "with fresh npm infiltrations emerging weekly," Boychenko warned.

Indeed, npm packages will continue to be a popular attack surface for poisoning the software supply chain for the foreseeable future, experts say, because of the nature of the development platform.

"Npm's architecture was built for velocity, not to defend against adversaries," Hogue-Spears notes. "This was a rational trade-off a decade ago, but not anymore because the same design turns every npm install into a potential remote code execution (RCE), and nation-state actors have noticed."

To defend the software supply chain, organizations should treat dependency governance as a top-level security discipline, with more insight into which packages are being used and more scrutiny of maintainers and their actions, observes Randolph Barr, chief information security officer (CISO) at API security firm Cequence Security. "Using contemporary … risk tools to detect problems like obfuscated code, post-install hooks, unexpected maintainers, or strange network activity is an important part of the package selection process," and can help serve the overall goal of making developer environments safer, he says.

About the Author

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.
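As an added example (not code from the article, Socket, or any vendor quoted above), the following script applies the checks the experts recommend to a constructed package before it is installed: it flags lifecycle hooks that npm runs automatically during `npm install`, then scans the hooked file for obfuscation and process or network use. The package name, the heuristic rules, and the sample files are assumptions.

```javascript
// Added example: pre-install audit of an npm manifest and its lifecycle-script sources.
// Not the article's or Socket's code; heuristics and sample package are constructed.

// Lifecycle scripts that npm executes automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristics for suspicious script bodies (constructed, deliberately conservative).
const SUSPICIOUS = [
  { id: 'eval',          re: /\beval\s*\(|new\s+Function\s*\(/ },
  { id: 'hex-escapes',   re: /(\\x[0-9a-fA-F]{2}){8,}/ },
  { id: 'long-base64',   re: /[A-Za-z0-9+/]{120,}={0,2}/ },
  { id: 'child-process', re: /require\(\s*['"]child_process['"]\s*\)/ },
  { id: 'network',       re: /\b(https?:\/\/|fetch\s*\(|require\(\s*['"]https?['"]\s*\))/ },
];

// Audit a parsed package.json plus a map of {filename: source} for files it ships.
// Returns a list of findings; an empty list means no heuristic fired.
function auditPackage(manifest, files) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (!(hook in scripts)) continue;
    findings.push({ kind: 'install-hook', hook, command: scripts[hook] });
    // If the hook runs a bundled file (e.g. "node setup.js"), scan that file as well.
    const m = /\bnode\s+(\S+\.c?js)\b/.exec(scripts[hook]);
    if (m && files[m[1]] !== undefined) {
      for (const rule of SUSPICIOUS) {
        if (rule.re.test(files[m[1]])) {
          findings.push({ kind: 'suspicious-code', hook, file: m[1], rule: rule.id });
        }
      }
    }
  }
  return findings;
}

// Constructed sample: a manifest whose postinstall hook runs an obfuscated script.
const SAMPLE_MANIFEST = { name: 'example-ui-kit', version: '1.0.0',
                          scripts: { postinstall: 'node setup.js' } };
const SAMPLE_FILES = {
  'setup.js': 'const cp=require("child_process");' +
    'eval(Buffer.from("' + 'QUFB'.repeat(40) + '","base64").toString());',
};

// Running `npm install --ignore-scripts` (or `ignore-scripts=true` in .npmrc)
// disables these hooks entirely, which removes the install-time execution path.
console.log(auditPackage(SAMPLE_MANIFEST, SAMPLE_FILES));
```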
Summarized

North Korean attackers have orchestrated a persistent and sophisticated campaign exploiting the Node Package Manager (npm) ecosystem, dubbed "Contagious Interview," which has been delivering malicious packages since October 10, 2025. Socket Threat Research, led by Kirill Boychenko, has uncovered over 197 malicious npm packages with more than 31,000 collective downloads, demonstrating a sustained effort to compromise software development professionals. The campaign relies on social engineering, specifically posing as recruiters, to lure victims into a "test" assignment in which the malicious npm packages are deployed. These packages deliver a multi-stage malware payload, combining elements of BeaverTail and OtterCookie, designed to gain initial access and establish a command-and-control (C2) channel. The malware's capabilities extend to stealing credentials, private keys, tokens, cryptocurrency, and clipboard contents, as well as logging keystrokes, capturing screenshots, and gathering browser credentials.

A crucial element of the operation is the consistent use of GitHub as a foundation. The threat actors have built a structured infrastructure: a GitHub repository hosting the malware-serving code, a Vercel endpoint from which the latest payload is fetched, and a separate C2 server for data collection and tasking. This arrangement distinguishes "Contagious Interview" from less organized attack campaigns. The actor account, identified as stardev0914, maintained multiple repositories, pointing to a deliberate, continuous operation rather than a one-off intrusion. The longevity of the campaign, marked by weekly new package infiltrations, underscores how thoroughly the North Korean actors have adapted to modern JavaScript development workflows.

The campaign's persistence is particularly notable given the architecture of npm itself, which, as Black Duck's Collin Hogue-Spears notes, was built for velocity rather than for defense against adversaries. That design turns every npm install into a potential remote code execution (RCE), a fact increasingly recognized by nation-state actors, and the threat actors are skilled at exploiting it. The use of GitHub and Vercel is not merely a convenient technical choice but a deliberate tactic with strategic implications: as Jason Soroko of Sectigo observes, this operational structure (GitHub for code delivery, Vercel for payload retrieval, and a dedicated C2 server) suggests a formalized, product-like operation rather than a simple "smash and grab." This operational consistency is what truly sets "Contagious Interview" apart. The ongoing activity has led the actor to regroup and form new GitHub accounts, ensuring the campaign's continuation.

Experts emphasize that npm packages will remain a persistent attack surface for the foreseeable future because of the platform's design and the adaptive strategies of sophisticated actors. To mitigate the risk, organizations need to adopt dependency governance as a key security discipline, prioritizing insight into package usage and scrutinizing maintainers and their actions. Tools that detect obfuscated code, post-install hooks, unexpected maintainers, or unusual network activity are crucial; as Randolph Barr of Cequence Security points out, a reactive approach is no longer sufficient, and proactive "risk tools" should be part of the package selection process.