Find notable cyber news and cases, enriched with sources, timelines, and signals.

BeaverTail and OtterCookie malware evolution in Contagious Interview

Malware Activity
First reported
Last updated
Happening score
H score 31
1 unique sources, 4 articles

Summary

Hide ▲

Contagious Interview malware activity tied to North Korean threat actors continues to evolve its delivery chain. A recent report says the operators used recruitment- and code review-themed phishing and malicious GitHub repositories to target nearly 100 organizations, while a separate npm wave added 197 malicious packages downloaded over 31,000 times and designed to deliver an updated OtterCookie variant that blends features of BeaverTail and earlier OtterCookie versions. The malware can evade sandboxes, establish C2, and steal clipboard data, keystrokes, screenshots, browser credentials, documents, crypto wallet data, and seed phrases.

Related Happenings

Contagious Interview UNK_DeadDrop GitHub phishing campaign

Campaign
H score37 First: 15.06.2026 22:32 Last: 15.06.2026 22:32 Sources 1

How related: According to a report published by Proofpoint, the threat actor has been found orchestrating phishing campaigns using developer role recruitment or code review themes to target nearly 100 organizations in finance, cryptocurrency, education, technology, and several other sectors.

About this happening: The **Contagious Interview** cluster is running the **UNK_DeadDrop** phishing campaign to lure developers with **recruitment** and **code review** themes, reaching **nearly 100 or...

Atomic-lockfile rootkit-infostealer distribution through AUR packages

Malware Activity
H score3 First: 12.06.2026 20:03 Last: 12.06.2026 20:03 Sources 1

About this happening: **AUR packages** are distributing the **atomic-lockfile** **Linux rootkit and infostealer** through compromised build scripts, with **more than 400 packages** reported and the **o...

Hades Bun-powered JavaScript stealer on PyPI

Malware Activity
H score34 First: 09.06.2026 12:13 Last: 09.06.2026 12:13 Sources 1

About this happening: A new **Hades** PyPI malware wave uses a **Python startup hook** to launch a **Bun-powered JavaScript stealer**, putting developer and CI/CD credentials at risk. The payload can h...

UNK_DeadDrop developer phishing campaign using fake job and code-review lures

Campaign
H score30 First: 08.06.2026 18:00 Last: 08.06.2026 18:00 Sources 1

About this happening: A **UNK_DeadDrop** phishing campaign sent **more than 250 emails** to software developers at **almost 100 organizations**, using fake job and code-review lures to steal **cryptocu...

IronWorm npm supply-chain infection and self-propagation

Malware Activity
H score15 First: 04.06.2026 18:25 Last: 04.06.2026 18:25 Sources 1

About this happening: **IronWorm** is a **Rust** infostealer in a **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...

Timeline

  1. 17.10.2025 16:33 5 articles · 8mo ago

    BeaverTail and OtterCookie converge in OtterCookie v5

    Technical Analysis Update

    Cisco Talos observed a North Korean Contagious Interview cluster refining BeaverTail and OtterCookie into a more closely aligned toolset, with OtterCookie v5 adding keylogging, screenshot capture, clipboard monitoring, browser-profile enumeration, browser-extension theft, cryptocurrency wallet theft, AnyDesk persistence, and an InvisibleFerret download path. The same activity also used EtherHiding to fetch next-stage payloads from BNB Smart Chain or Ethereum, and a Sri Lanka-headquartered organization was assessed to have been infected after a fake job offer led a user to install a trojanized Node.js application called Chessfi through a malicious npm dependency chain.

    Show sources