North Korean Hackers Deploy 197 npm Packages to Spread Updated OtterCookie Malware
Briefly
"Some of the identified "loader" packages are listed below -
bcryptjs-node
cross-sessions
json-oauth
node-tailwind
react-adparser
session-keeper
tailwind-magic
tailwindcss-forms
webpack-loadcss
The malware, once launched, attempts to evade sandboxes and virtual machines, profiles the machine, and then establishes a command-and-control (C2) channel to provide the attackers with a remote shell, along with capabilities to steal clipboard contents, log keystrokes, capture screenshots, and gather browser credentials, documents, cryptocurrency wallet data, and seed phrases."
"It's worth noting that the blurring distinction between OtterCookie and BeaverTail was documented by Cisco Talos last month in connection with an infection that impacted a system associated with an organization headquartered in Sri Lanka after a user was likely deceived into running a Node.js application as part of a fake job interview process. Further analysis has determined that the packages are designed to connect to a hard-coded Vercel URL ("tetrismic.vercel[.]app"), which then proceeds to fetch the cross-platform OtterCookie payload from a threat actor-controlled GitHub repository. The GitHub account that serves as the delivery vehicle, stardev0914, is no longer accessible."
North Korean threat actors operating the Contagious Interview campaign uploaded 197 malicious npm packages that have been downloaded over 31,000 times. The packages deliver a merged OtterCookie/BeaverTail variant that combines BeaverTail features with earlier OtterCookie capabilities. Identified loader package names include bcryptjs-node, cross-sessions, json-oauth, node-tailwind, react-adparser, session-keeper, tailwind-magic, tailwindcss-forms, and webpack-loadcss. Once launched, the malware evades sandboxes and virtual machines, profiles the host, establishes a C2 channel that gives the attackers a remote shell, and can steal clipboard contents, log keystrokes, capture screenshots, and exfiltrate browser credentials, documents, cryptocurrency wallet data, and seed phrases. The packages connect to a hard-coded Vercel URL, which in turn fetches the payload from a threat actor-controlled GitHub account that is now inaccessible. Prior reporting had already linked the OtterCookie/BeaverTail overlap to an infection in Sri Lanka in which a user was likely tricked into running a Node.js application during a fake job interview. The campaign's sustained tempo shows how the operators keep adapting to modern JavaScript and cryptocurrency development workflows.
Read at The Hacker News