BeaverTail and OtterCookie malware evolution in Contagious Interview
Malware Activity
Summary
Hide ▲
Show ▼
Contagious Interview malware activity tied to North Korean threat actors continues to evolve its delivery chain. A recent report says the operators used recruitment- and code review-themed phishing and malicious GitHub repositories to target nearly 100 organizations, while a separate npm wave added 197 malicious packages downloaded over 31,000 times and designed to deliver an updated OtterCookie variant that blends features of BeaverTail and earlier OtterCookie versions. The malware can evade sandboxes, establish C2, and steal clipboard data, keystrokes, screenshots, browser credentials, documents, crypto wallet data, and seed phrases.
Related Happenings
Contagious Interview UNK_DeadDrop GitHub phishing campaign
Campaign
H score37
First: 15.06.2026 22:32
Last: 15.06.2026 22:32
Sources 1
How related:
According to a report published by Proofpoint, the threat actor has been found orchestrating phishing campaigns using developer role recruitment or code review themes to target nearly 100 organizations in finance, cryptocurrency, education, technology, and several other sectors.
About this happening:
The **Contagious Interview** cluster is running the **UNK_DeadDrop** phishing campaign to lure developers with **recruitment** and **code review** themes, reaching **nearly 100 or...
Contagious Interview UNK_DeadDrop GitHub phishing campaign
CampaignHow related: According to a report published by Proofpoint, the threat actor has been found orchestrating phishing campaigns using developer role recruitment or code review themes to target nearly 100 organizations in finance, cryptocurrency, education, technology, and several other sectors.
About this happening: The **Contagious Interview** cluster is running the **UNK_DeadDrop** phishing campaign to lure developers with **recruitment** and **code review** themes, reaching **nearly 100 or...
Atomic-lockfile rootkit-infostealer distribution through AUR packages
Malware Activity
H score3
First: 12.06.2026 20:03
Last: 12.06.2026 20:03
Sources 1
About this happening:
**AUR packages** are distributing the **atomic-lockfile** **Linux rootkit and infostealer** through compromised build scripts, with **more than 400 packages** reported and the **o...
Atomic-lockfile rootkit-infostealer distribution through AUR packages
Malware ActivityAbout this happening: **AUR packages** are distributing the **atomic-lockfile** **Linux rootkit and infostealer** through compromised build scripts, with **more than 400 packages** reported and the **o...
Hades Bun-powered JavaScript stealer on PyPI
Malware Activity
H score34
First: 09.06.2026 12:13
Last: 09.06.2026 12:13
Sources 1
About this happening:
A new **Hades** PyPI malware wave uses a **Python startup hook** to launch a **Bun-powered JavaScript stealer**, putting developer and CI/CD credentials at risk. The payload can h...
Hades Bun-powered JavaScript stealer on PyPI
Malware ActivityAbout this happening: A new **Hades** PyPI malware wave uses a **Python startup hook** to launch a **Bun-powered JavaScript stealer**, putting developer and CI/CD credentials at risk. The payload can h...
UNK_DeadDrop developer phishing campaign using fake job and code-review lures
Campaign
H score30
First: 08.06.2026 18:00
Last: 08.06.2026 18:00
Sources 1
About this happening:
A **UNK_DeadDrop** phishing campaign sent **more than 250 emails** to software developers at **almost 100 organizations**, using fake job and code-review lures to steal **cryptocu...
UNK_DeadDrop developer phishing campaign using fake job and code-review lures
CampaignAbout this happening: A **UNK_DeadDrop** phishing campaign sent **more than 250 emails** to software developers at **almost 100 organizations**, using fake job and code-review lures to steal **cryptocu...
IronWorm npm supply-chain infection and self-propagation
Malware Activity
H score15
First: 04.06.2026 18:25
Last: 04.06.2026 18:25
Sources 1
About this happening:
**IronWorm** is a **Rust** infostealer in a **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...
IronWorm npm supply-chain infection and self-propagation
Malware ActivityAbout this happening: **IronWorm** is a **Rust** infostealer in a **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...
Timeline
-
17.10.2025 16:33 5 articles · 8mo ago
BeaverTail and OtterCookie converge in OtterCookie v5
Technical Analysis UpdateCisco Talos observed a North Korean Contagious Interview cluster refining BeaverTail and OtterCookie into a more closely aligned toolset, with OtterCookie v5 adding keylogging, screenshot capture, clipboard monitoring, browser-profile enumeration, browser-extension theft, cryptocurrency wallet theft, AnyDesk persistence, and an InvisibleFerret download path. The same activity also used EtherHiding to fetch next-stage payloads from BNB Smart Chain or Ethereum, and a Sri Lanka-headquartered organization was assessed to have been infected after a fake job offer led a user to install a trojanized Node.js application called Chessfi through a malicious npm dependency chain.
Show sources
- North Korean Hackers Combine BeaverTail and OtterCookie into Advanced JS Malware — thehackernews.com — 17.10.2025 16:33
- North Korean Hackers Combine BeaverTail and OtterCookie into Advanced JS Malware — thehackernews.com — 17.10.2025 16:33
- North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels — thehackernews.com — 14.11.2025 20:25
- North Korean Hackers Deploy 197 npm Packages to Spread Updated OtterCookie Malware — thehackernews.com — 28.11.2025 18:18
- North Korean Hackers Are Turning Developer Tools Into Malware Delivery Channels — thehackernews.com — 15.06.2026 22:32