Contagious Interview 2.0: 11 Malicious npm Packages Found

The North Korean cyber-espionage group behind the Contagious Interview campaign has once again intensified its activities, extending its reach deeper into the npm ecosystem. Security researchers at Socket have uncovered the release of eleven malicious packages distributing the BeaverTail malware, along with a newly observed remote access loader. Disguised as utilities and debugging tools, the attackers embedded obfuscated malicious code encoded in hexadecimal strings to evade detection.

Prior to their removal, these npm packages had been downloaded more than 5,600 times. Among them were: empty-array-validator, twitterapis, dev-debugger-vite, snore-log, core-pino, events-utils, icloud-cod, cln-logger, node-clog, consolidate-log, and consolidate-logger. In several instances, the loaders retrieved payloads from Bitbucket repositories instead of the more commonly monitored GitHub, reflecting a calculated effort to obfuscate their origins and complicate attribution. One notable package, icloud-cod, was located within a folder named “eiwork_hire,” continuing the theme of fake job interviews as an infection vector.

Researchers noted that code variations across certain packages, such as cln-logger and consolidate-logger, were minimal—indicative of iterative testing of malware deployment strategies. Despite slight differences, all four functioned as loaders, retrieving the next stage of the attack from a remote server and executing it via the eval() function, enabling the arbitrary execution of attacker-supplied code.

Previously, six similar packages with nearly identical functionality were identified. Their primary aim was to gain access to developers’ systems under the guise of professional collaboration, establish persistence within target infrastructures, and exfiltrate sensitive or financial information. According to analysts, the malicious code was not only capable of fetching additional payloads but could also act autonomously as a full-fledged Remote Access Trojan (RAT).

The Contagious Interview campaign has been active for over six months. Its operators continually register new npm accounts, distribute malicious packages via both GitHub and Bitbucket, and employ refined social engineering techniques reminiscent of the ClickFix approach. The group extensively leverages BeaverTail alongside the Python-based backdoor InvisibleFerret, repackaging them under different names across a growing number of platforms.

Analysts conclude that the Contagious Interview campaign remains resilient and highly adaptive. The adversaries frequently rotate tools, revise codebases, and evolve their delivery mechanisms—complicating detection and mitigation efforts. Against the backdrop of increasing malicious npm activity, experts caution developers not only against suspicious email attachments but also against executing files sourced from untrusted repositories.