BeaverTail and OtterCookie malware evolution in Contagious Interview
Malware Activity
Summary
Contagious Interview malware activity tied to North Korean threat actors continues to evolve its npm-based delivery chain. A recent wave added 197 malicious npm packages that were downloaded over 31,000 times and are designed to deliver an updated OtterCookie variant that blends features of BeaverTail and earlier OtterCookie versions. The malware can evade sandboxes, establish C2, and steal clipboard data, keystrokes, screenshots, browser credentials, documents, crypto wallet data, and seed phrases.
Related Happenings
Malware-Slop malicious npm file-theft campaign
Campaign
First: 27.05.2026 18:44
Last: 27.05.2026 18:44
Sources 1
About this happening:
The **Malware-Slop** campaign is distributing a malicious **npm** package that steals local files from installers, creating an unauthorized data-transfer risk for users of **Anthr...
Mouse5212-super-formatter postinstall GitHub exfiltration package
Malware Activity
First: 27.05.2026 18:44
Last: 27.05.2026 18:44
Sources 1
About this happening:
The **mouse5212-super-formatter** npm package is a **malicious infostealer** that can siphon files from **/mnt/user-data**, putting **Anthropic Claude** user data at risk of unaut...
MiniFast and MiniJunk V2 phishing-and-SEO deployment
Malware Activity
First: 26.05.2026 10:13
Last: 26.05.2026 10:13
Sources 1
About this happening:
**MiniFast** and **MiniJunk V2** expanded Nimbus Manticore's malware set with a **new backdoor** and an **updated RAT** that support **persistence**, **remote command execution**,...
Godzilla (BLUEBEAM) web shell and Cobalt Strike deployment via KnowledgeDeliver exploitation
Malware Activity
First: 26.05.2026 08:19
Last: 26.05.2026 08:19
Sources 1
About this happening:
The **Godzilla (BLUEBEAM)** web shell is now being used after **CVE-2026-5426** exploitation to run commands and stage **Cobalt Strike Beacon**, giving attackers a durable foothol...
TrapDoor trap-core.js credential-stealing package malware
Malware Activity
First: 25.05.2026 08:59
Last: 25.05.2026 08:59
Sources 1
About this happening:
The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...
Timeline
17.10.2025 16:33 4 articles · 7mo ago
BeaverTail and OtterCookie converge in OtterCookie v5
Technical Analysis Update
Cisco Talos observed a North Korean Contagious Interview cluster refining BeaverTail and OtterCookie into a more closely aligned toolset, with OtterCookie v5 adding keylogging, screenshot capture, clipboard monitoring, browser-profile enumeration, browser-extension theft, cryptocurrency wallet theft, AnyDesk persistence, and an InvisibleFerret download path. The same activity also used EtherHiding to fetch next-stage payloads from BNB Smart Chain or Ethereum, and a Sri Lanka-headquartered organization was assessed to have been infected after a fake job offer led a user to install a trojanized Node.js application called Chessfi through a malicious npm dependency chain.
Sources:
- North Korean Hackers Combine BeaverTail and OtterCookie into Advanced JS Malware — thehackernews.com — 17.10.2025 16:33
- North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels — thehackernews.com — 14.11.2025 20:25
- North Korean Hackers Deploy 197 npm Packages to Spread Updated OtterCookie Malware — thehackernews.com — 28.11.2025 18:18