Contagious Interview npm malicious package campaign

Campaign
First reported
Last updated
Happening score: 40
1 unique source, 1 article

Summary

The Contagious Interview campaign expanded with 197 more malicious npm packages, extending a supply-chain delivery route that targets npm users and developers. The packages were downloaded over 31,000 times, increasing the chance of victim exposure at scale. They deliver an updated OtterCookie payload that can establish C2 and steal credentials, screenshots, and crypto wallet data.

Related Happenings

Mouse5212-super-formatter postinstall GitHub exfiltration package

Malware Activity
First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: The **mouse5212-super-formatter** npm package is a **malicious infostealer** that can siphon files from **/mnt/user-data**, putting **Anthropic Claude** user data at risk of unaut...

Shai-Hulud worm clone activity on NPM

Malware Activity
First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers

Malware Activity
First: 18.05.2026 11:57 Last: 18.05.2026 11:57 Sources 1

About this happening: Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...

Inactive maintainer account 'atiertant' hit by network compromise

Incident
First: 15.05.2026 20:10 Last: 15.05.2026 20:10 Sources 1

About this happening: The **inactive maintainer account 'atiertant'** for **node-ipc** was **compromised**, enabling malicious package releases that could steal credentials from downstream installation...

Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials

Campaign
First: 12.05.2026 14:29 Last: 12.05.2026 14:29 Sources 1

About this happening: The **Shai-Hulud** **supply-chain campaign** remains active across **npm**, **PyPI**, and **Composer**, with the latest reporting tying **TeamPCP** to both a claimed **GitHub inte...

Timeline

  1. 28.11.2025 18:18 2 articles · 6mo ago

    Contagious Interview adds 197 malicious npm packages

    Campaign Scope Update

    North Korean threat actors expanded the Contagious Interview campaign by flooding the npm registry with 197 more malicious packages, which Socket says were downloaded over 31,000 times. The packages are designed to deliver an updated OtterCookie payload that blends BeaverTail and prior OtterCookie features, connects to the hard-coded Vercel URL tetrismic.vercel[.]app, and then retrieves the payload from a threat actor-controlled GitHub repository; the delivery account stardev0914 is no longer accessible.
