Researchers discover new wave of malicious npm (Node Package Manager) packages planted by North Korean state-sponsored actors.

Cybersecurity researchers have recently identified a new wave of malicious npm (Node Package Manager) packages tied to the ongoing “Contagious Interview” operation, which is attributed to North Korean state-sponsored threat actors. This campaign specifically targets software developers who are actively seeking employment, leveraging the trust and routine practices of the tech hiring process.

npm (Node Package Manager) is the standard package manager for JavaScript and the default package manager for the Node.js runtime environment. It allows developers to install, update, manage, and publish dependencies—pre-built code libraries or modules—required for their projects.

Key Details of the Campaign

The “Contagious Interview” campaign is named for its tactic of posing as recruiters or employers to lure job-seeking developers into downloading malware during what appears to be a legitimate interview process. The operation is linked to North Korea and has been active since at least late 2022, with infrastructure and activity persisting into 2025. Threat actors create fake recruiter personas on platforms like LinkedIn and send job seekers coding assignments or project links hosted on GitHub or Bitbucket. Those projects pull in the malicious npm packages as dependencies, so simply installing and running the assignment is enough to infect the developer’s system.

The latest batch includes at least 35 malicious npm packages published from 24 accounts, which have been collectively downloaded over 4,000 times.

Some examples include:

  • react-plaid-sdk
  • sumsub-node-websdk
  • vite-plugin-next-refresh
  • vite-plugin-purify
  • nextjs-insight
  • node-loggers
  • reactbootstraps
  • and more…

The npm packages are engineered to deploy multi-stage malware, including loaders such as HexEval, GolangGhost, and PylangGhost. The code published to the registry is kept small and does little on its own, which reduces the footprint that scanners can inspect; the real payload is only fetched and run once the package executes on the victim’s machine. The campaign pairs this with “ClickFix” and similar social engineering, in which the candidate is talked into running the project on their own workstation rather than in a container or virtual machine, so the sandbox that would normally contain the infection is never used.

The attackers have set up fake cryptocurrency consulting firms (e.g., BlockNovas LLC, Angeloper Agency, SoftGlide LLC) and use AI-generated personas to appear legitimate. These front companies are used to post job listings and coordinate interviews. Notable malware deployed includes BeaverTail (a downloader and infostealer), InvisibleFerret (a persistent backdoor), and OtterCookie (a cookie and session data stealer). These tools allow attackers to exfiltrate sensitive data, gain remote access, and establish persistence on infected systems.

Broader Impact and Context

While the campaign initially focused on cryptocurrency and tech sectors, its tactics are adaptable and could spread to other industries. By embedding malware in open-source npm packages, attackers can leverage the inherent trust in the npm ecosystem, bypassing traditional perimeter defenses and potentially compromising not just individual developers but also the companies they work for.

The campaign is dynamic, with continuous updates to malware, infrastructure, and social engineering methods. Researchers warn that this is a persistent and well-resourced adversary, capable of quickly adapting to defensive measures.

Summary Table

Aspect               Details
Operation name       Contagious Interview
Origin               North Korea (state-sponsored)
Target               Job-seeking software developers
Attack vector        Fake job offers, malicious npm packages, GitHub/Bitbucket projects
Malware families     BeaverTail, InvisibleFerret, OtterCookie, HexEval, GolangGhost, PylangGhost
Social engineering   Fake recruiters, front companies, AI-generated personas
npm packages         35+ malicious packages, 24 accounts, 4,000+ downloads
Objective            Data theft, cryptocurrency theft, remote access, espionage