North Korean Actors Push 197 Malicious npm Packages in Campaign
🛡️ North Korean threat actors tied to the Contagious Interview campaign have uploaded 197 malicious npm packages designed to deliver a variant of OtterCookie that incorporates features of BeaverTail. Socket reports the packages have been downloaded over 31,000 times and include loader names such as bcryptjs-node, cross-sessions, json-oauth and tailwind-magic. The payload evades sandboxes and virtual machines, profiles hosts, fetches a cross-platform binary via a hard-coded Vercel URL, opens a C2 remote shell, and can steal clipboard contents, keystrokes, screenshots, browser credentials, documents and cryptocurrency seed phrases.
