DPRK’s ‘Contagious Interview’ Spawns Malicious Npm Package Factory
Summary
North Korean threat actors running the “Contagious Interview” campaign have been distributing a sustained stream of malicious npm packages aimed at compromising software developers, especially blockchain and Web3 engineers. Since 10 October the campaign has produced more than 197 malicious packages with over 31,000 downloads. The packages deliver multistage malware (variants of OtterCookie and BeaverTail) that can install RATs, steal credentials, harvest crypto wallets and seed phrases, and provide persistent remote access.
The attackers use a coherent delivery stack: GitHub repositories host the code and Vercel-hosted endpoints stage the payloads (research traced activity to a stardev0914 GitHub account and a tetrismic[.]vercel[.]app endpoint). Although some accounts have been removed, the operation behaves like a factory, continuously publishing fresh packages rather than performing the typical one-off package hijack.
Key Points
- The Contagious Interview campaign targets developers via fake job interviews and test assignments to trick them into installing malicious npm packages.
- Researchers have identified 197+ malicious npm packages with more than 31,000 cumulative downloads since Oct 10.
- Malware delivered includes OtterCookie variants and BeaverTail components that act as downloaders, RATs, and infostealers.
- Attack infrastructure uses GitHub for hosting code and Vercel for staging payloads, forming a persistent delivery pipeline.
- The campaign focuses on blockchain and Web3 developers to exfiltrate credentials, wallet data and seed phrases.
- Unlike ‘smash-and-grab’ npm attacks, this operation is continuous and resembles a standing product release cycle.
- Recommended defences: tighten dependency governance, use scanning tools that flag obfuscated code and install-time lifecycle scripts (preinstall/postinstall hooks), monitor maintainer changes and outbound network activity from developer machines and CI, and apply stricter package selection policies.
Context and Relevance
This story matters because it shows nation-state actors adapting supply-chain tactics to modern JavaScript workflows. npm's install model, in which a dependency's lifecycle scripts (preinstall, install, postinstall) run arbitrary code on the developer's machine during npm install, makes it an attractive vector for persistent operations. The campaign demonstrates how social engineering (fake recruiter interviews) is combined with software supply-chain abuse to gain long-term footholds in developer environments.
If you manage dev teams, run CI/CD, or secure developer workstations, this is directly relevant: it highlights the need for continuous SCA (software composition analysis), stricter vetting of packages and maintainers, runtime/behavioural monitoring, and credential/wallet protection practices.
Why should I read this?
Short version: if you or your team touch npm packages, wallets or developer machines, pay attention. This isn’t a one-off skirmish — it’s a nation-state running a proper factory to poison dependencies and steal crypto and creds. We skimmed the long report and boiled down what matters so you can act fast without reading every technical post.
Author’s take
Punchy summary: this is high-impact. A persistent, repeatable malware pipeline aimed squarely at developers is worse than the usual opportunistic package abuse. Treat dependency governance as security-critical, tighten package selection, and assume that any developer-facing social contact offering work tests could be malicious until proven otherwise.
