North Korean Hackers Flood npm With 197 Malicious Packages Delivering OtterCookie Malware

The job application process itself becomes the weapon.
North Korean hackers use fake recruiting to trick developers into running malicious code during hiring assessments.

In the quiet corridors where developers seek opportunity, North Korean operatives have transformed the job interview itself into a weapon — uploading 197 malicious packages to npm, downloaded over 31,000 times, to deliver malware capable of draining wallets, stealing credentials, and seizing control of infected machines. The Contagious Interview campaign, as researchers call it, does not break down doors; it waits to be invited in, wearing the face of a promising career. It is a reminder that in the digital age, trust is infrastructure, and those who exploit it understand its architecture better than most.

  • 197 counterfeit npm packages — bearing names indistinguishable from legitimate tools like tailwindcss-forms and bcryptjs-node — have been downloaded more than 31,000 times by unsuspecting developers worldwide.
  • The malware delivered, a hybrid of OtterCookie and BeaverTail, can steal clipboard contents, log keystrokes, drain cryptocurrency wallets, and harvest browser credentials — all while evading sandbox detection.
  • A parallel operation called ClickFake Interview deploys GolangGhost, a Go-written malware that installs itself as a macOS LaunchAgent and funnels stolen Chrome passwords directly to a Dropbox account.
  • The attack vector is the hiring process itself: developers are lured through fake job interviews and coding assessments, then asked to run what appears to be a routine development task.
  • Security researchers describe the campaign's sustained pace as one of the most aggressive npm exploitation efforts on record, signaling a deepening North Korean adaptation to JavaScript and crypto development ecosystems.

Over the past month, North Korean hackers have seeded npm — the JavaScript package registry millions of developers depend on — with 197 malicious packages, downloaded more than 31,000 times. Security firm Socket attributes the campaign to what researchers call Contagious Interview, a sustained operation that turns the job application process into a delivery mechanism for sophisticated malware.

The packages carry deceptive names designed to pass unnoticed in real development workflows: bcryptjs-node, react-adparser, tailwind-magic, webpack-loadcss. Once executed, they deploy a hybrid malware combining OtterCookie and BeaverTail capabilities — capable of evading virtual machines, logging keystrokes, capturing screenshots, stealing browser credentials, and draining cryptocurrency wallets. Payloads are fetched from a now-offline GitHub account through a hardcoded Vercel URL, keeping the initial packages clean enough to slip past basic inspection.

Running alongside the npm campaign is a second operation deploying GolangGhost, a Go-written malware delivered through fake assessment websites. Using ClickFix-style social engineering — typically a false claim that the user's camera needs fixing — the malware installs itself persistently on macOS via a LaunchAgent, harvests Chrome credentials, and sends them to a Dropbox account. A decoy Chrome prompt completes the illusion, capturing whatever the victim types.

What sets Contagious Interview apart from other North Korean schemes is its precision: rather than embedding fake employees inside companies, it targets individual developers at their most vulnerable moment — the job search. Researcher Kirill Boychenko described the campaign's output as among the most prolific npm exploitation efforts on record. The lesson for developers is uncomfortable but necessary: an unsolicited interview invitation may be the most dangerous package of all.

Over the past month, North Korean hackers have uploaded 197 malicious packages to npm, the JavaScript package registry that millions of developers rely on daily. The packages have been downloaded more than 31,000 times, according to security firm Socket. They represent an escalation of what researchers call the Contagious Interview campaign—a sustained operation that weaponizes the job application process itself, turning the promise of employment into a vector for sophisticated malware delivery.

The packages use deceptive names designed to blend into legitimate development workflows: bcryptjs-node, cross-sessions, json-oauth, node-tailwind, react-adparser, session-keeper, tailwind-magic, tailwindcss-forms, webpack-loadcss. When executed, they deploy a variant of OtterCookie malware that combines capabilities from earlier versions with features previously seen in a separate malware family called BeaverTail. The resulting hybrid is capable of evading sandboxes and virtual machines, profiling infected systems, and establishing a remote command channel that gives attackers broad access: they can steal clipboard contents, log keystrokes, capture screenshots, harvest browser credentials, extract documents, drain cryptocurrency wallets, and exfiltrate seed phrases.

The attack chain works through misdirection. Developers are lured into fake job interviews and coding assessments hosted on fraudulent platforms. As part of the "hiring process," they're asked to run a Node.js application or download what appears to be a legitimate development tool. Once executed, the malware connects to a hardcoded Vercel URL (tetrismic.vercel.app), which fetches the actual payload from a GitHub repository controlled by the threat actors. The GitHub account used for delivery, stardev0914, has since been taken offline.
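A defender-side check for the chain just described, added here and not part of Socket's report: it walks a project's node_modules, flags any package whose name appears in the article's list, any package that defines an npm lifecycle script (the point at which a loader runs during `npm install`), and any shipped file that references the tetrismic.vercel.app stager host. The sample tree the script builds is constructed for the demo.

```python
# Added example, not from the Socket report: audit node_modules for the package
# names and the stager host the article cites; the sample tree is constructed.
import json, os, re, tempfile

REPORTED_PACKAGES = {  # names listed in the article
    "bcryptjs-node", "cross-sessions", "json-oauth", "node-tailwind",
    "react-adparser", "session-keeper", "tailwind-magic",
    "tailwindcss-forms", "webpack-loadcss",
}
STAGER_HOST = re.compile(r"tetrismic\.vercel\.app", re.I)  # host named in the article
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")

def audit_node_modules(root):
    """Return (package, reason) findings for every package under root/node_modules."""
    findings = []
    modules = os.path.join(root, "node_modules")
    for name in sorted(os.listdir(modules)):
        manifest = os.path.join(modules, name, "package.json")
        if not os.path.isfile(manifest):
            continue
        with open(manifest, encoding="utf-8") as fh:
            meta = json.load(fh)
        if name in REPORTED_PACKAGES:
            findings.append((name, "name listed in the reported campaign"))
        # Lifecycle hooks fire on `npm install`, before the package is ever imported.
        for hook in LIFECYCLE:
            if hook in meta.get("scripts", {}):
                findings.append((name, f"defines lifecycle script '{hook}'"))
        for dirpath, _, files in os.walk(os.path.dirname(manifest)):
            for fn in files:
                with open(os.path.join(dirpath, fn), encoding="utf-8", errors="ignore") as fh:
                    if STAGER_HOST.search(fh.read()):
                        findings.append((name, f"references stager host in {fn}"))
    return findings

def build_sample_project():
    """Write a constructed tree: one benign package, one mimicking the campaign."""
    root = tempfile.mkdtemp()
    pkgs = {
        "sample-clean-lib": ({"name": "sample-clean-lib"}, "module.exports = () => 42;\n"),
        "tailwind-magic": ({"name": "tailwind-magic", "scripts": {"postinstall": "node index.js"}},
                           'const u = "https://tetrismic.vercel.app/"; // constructed stand-in\n'),
    }
    for name, (meta, src) in pkgs.items():
        d = os.path.join(root, "node_modules", name)
        os.makedirs(d)
        for fn, content in (("package.json", json.dumps(meta)), ("index.js", src)):
            with open(os.path.join(d, fn), "w", encoding="utf-8") as fh:
                fh.write(content)
    return root
```

Point `audit_node_modules` at a real project root to check an actual install; the package list is only what the article names, so treat it as a starting point rather than a complete denylist.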

Parallel to the npm campaign, the same actors have deployed a second malware family called GolangGhost—also known as FlexibleFerret or WeaselStore—through what researchers term the ClickFake Interview operation. Written in Go, GolangGhost arrives via fake assessment websites that use ClickFix-style social engineering, typically claiming the user's camera or microphone needs fixing. The malware establishes persistent command-and-control connections, collects system information, uploads and downloads files, executes operating system commands, and harvests credentials from Google Chrome. On macOS systems, it achieves persistence by installing a LaunchAgent that automatically executes a shell script at login. To maintain the deception, attackers also install a decoy application that displays a fake Chrome camera access prompt, followed by a convincing Chrome password prompt that captures whatever the user types and sends it to a Dropbox account.
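A corresponding check for the macOS persistence described above, added here and not from the report: it parses LaunchAgent plists with Python's plistlib and flags agents that launch a shell on a script in a user-writable path at login. The two sample agents and their paths are constructed demo values, not indicators from the article.

```python
# Added example, not from the report: flag LaunchAgent plists that launch a shell
# script at login, the macOS persistence the article describes. Sample plists and
# their paths are constructed demo values.
import os, plistlib, tempfile

SHELLS = {"sh", "bash", "zsh"}
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")

def assess_agent(plist_path):
    """Return the reasons an agent looks like script-based persistence ([] if none)."""
    with open(plist_path, "rb") as fh:
        agent = plistlib.load(fh)
    args = agent.get("ProgramArguments") or []
    reasons = []
    if args and os.path.basename(args[0]) in SHELLS:
        reasons.append(f"launches a shell ({args[0]})")
        # Skip interpreter flags such as -c to reach the script actually executed.
        target = next((a for a in args[1:] if not a.startswith("-")), "")
        if target.startswith(USER_WRITABLE):
            reasons.append(f"script in user-writable path: {target}")
    if agent.get("RunAtLoad"):
        reasons.append("RunAtLoad is set (runs at every login)")
    if agent.get("KeepAlive"):
        reasons.append("KeepAlive is set (restarted if killed)")
    return reasons

def scan_launch_agents(directory):
    """Map each .plist that launches a shell to its reasons; other agents are omitted."""
    report = {}
    for fn in sorted(os.listdir(directory)):
        if fn.endswith(".plist"):
            reasons = assess_agent(os.path.join(directory, fn))
            if any(r.startswith("launches a shell") for r in reasons):
                report[fn] = reasons
    return report

def build_sample_agents():
    """Write two constructed plists: a vendor-style agent and one matching the pattern."""
    d = tempfile.mkdtemp()
    samples = {
        "com.example.vendorapp.plist": {"Label": "com.example.vendorapp", "RunAtLoad": True,
            "ProgramArguments": ["/Applications/VendorApp.app/Contents/MacOS/helper"]},
        "com.example.suspect.plist": {"Label": "com.example.suspect", "RunAtLoad": True,
            "KeepAlive": True, "ProgramArguments": ["/bin/sh", "/Users/demo/.cache/update.sh"]},
    }
    for fn, content in samples.items():
        with open(os.path.join(d, fn), "wb") as fh:
            plistlib.dump(content, fh)
    return d
```

On a real Mac, run `scan_launch_agents` against `~/Library/LaunchAgents`; a shell agent in a user-writable path is not proof of compromise, but it is the pattern worth reviewing by hand.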

What distinguishes Contagious Interview from other North Korean IT worker schemes is its focus. Rather than attempting to embed operatives within legitimate companies under false identities, this campaign targets individual developers through staged recruiting pipelines and malicious coding exercises. The job application process itself becomes the weapon. Security researcher Kirill Boychenko noted that the campaign's sustained pace and prolific output make it one of the most aggressive npm exploitation efforts on record, demonstrating how thoroughly North Korean threat actors have adapted their tradecraft to modern JavaScript and cryptocurrency-focused development environments. The implication is clear: developers evaluating job opportunities in tech need to treat unsolicited recruiting outreach with heightened skepticism, and organizations need to educate their teams about the risks embedded in the hiring process itself.

This sustained tempo makes Contagious Interview one of the most prolific campaigns exploiting npm, and it shows how thoroughly North Korean threat actors have adapted their tooling to modern JavaScript and crypto-centric development workflows.
— Kirill Boychenko, security researcher
Contagious Interview is designed to compromise individuals through staged recruiting pipelines, malicious coding exercises, and fraudulent hiring platforms, weaponizing the job application process itself.
— Validin
The Hearth Conversation: another perspective on the story
Inventor

Why would North Korean hackers focus so heavily on npm specifically? It seems like an odd target.

Model

npm is where developers go to build almost everything in JavaScript. If you can poison packages there, you're not targeting one company—you're potentially reaching thousands of organizations that depend on those packages. It's a leverage point.

Inventor

But wouldn't developers notice if a package called bcryptjs-node was malicious? Wouldn't they check?

Model

That's the genius of it. The names are close enough to real, legitimate packages that they blend in. And the attack relies on social engineering first—the malware arrives through a fake job interview, not through a random npm search. By the time someone runs the code, they think they're doing a legitimate coding assessment.

Inventor

So the developers being targeted aren't just random—they're being hunted through the hiring process.

Model

Exactly. The attackers are running fake companies, posting fake jobs, conducting fake interviews. They're building trust over time, then asking candidates to prove themselves by running code. It's recruitment as a Trojan horse.

Inventor

What happens after the malware is installed? What's the actual damage?

Model

It depends on what the attacker wants from that particular victim. They get a remote shell, so they can steal cryptocurrency wallets, harvest browser credentials, capture screenshots of what you're working on. If you're a developer at a crypto company or fintech firm, that's extremely valuable. If you're at a regular tech company, they might just use your machine as part of a larger botnet.

Inventor

And the fact that they're using both npm packages and fake Chrome prompts suggests they're not targeting one type of developer.

Model

Right. They're casting a wide net. Some developers will fall for the npm package, others for the fake interview. Some will see the Chrome camera prompt and think their system is broken. The more vectors they deploy, the higher their success rate.
