Find notable cyber news and cases, enriched with sources, timelines, and signals.

Contagious Interview npm malicious package campaign

Campaign
First reported
Last updated
Happening score
H score 39
1 unique sources, 1 articles

Summary

Hide ▲

The Contagious Interview campaign expanded with 197 more malicious npm packages, extending a supply-chain delivery route that targets npm users and developers. The packages were downloaded over 31,000 times, increasing the chance of victim exposure at scale. They deliver an updated OtterCookie payload that can establish C2 and steal credentials, screenshots, and crypto wallet data.

Related Happenings

TonRAT Node.js implant with TON blockchain C2

Malware Activity
H score24 First: 26.06.2026 12:27 Last: 26.06.2026 12:27 Sources 1

About this happening: **TonRAT** is using a **Node.js implant** to hide command-and-control lookups behind the **TON blockchain API**, increasing the chance that blocking and detection will fail. The a...

PolinRider GitHub supply-chain campaign delivering BeaverTail and InvisibleFerret

Campaign
H score9 First: 23.06.2026 11:54 Last: 23.06.2026 11:54 Sources 1

About this happening: A **North Korean** supply-chain campaign dubbed **PolinRider** is injecting obfuscated JavaScript into compromised **GitHub repositories**, exposing developers to staged malware d...

AUR package-hijacking campaign delivering atomic-lockfile

Campaign
H score11 First: 12.06.2026 20:03 Last: 12.06.2026 20:03 Sources 1

About this happening: **AUR package-hijacking campaign** is abusing **more than 400** compromised **Arch User Repository (AUR)** packages to deliver **atomic-lockfile**, turning the **AUR** build path...

Atlas RAT and related loaders deployed for remote access and credential theft

Malware Activity
H score33 First: 04.06.2026 00:45 Last: 04.06.2026 00:45 Sources 1

About this happening: **TA4922**, a **China-linked** and likely **financially motivated** malware activity, has expanded beyond **East Asia** into **Europe** and **Africa**. The group uses **Atlas RAT*...

Red Hat npm Namespace Hijacked in Supply Chain hit by cyberattack

Incident
H score13 First: 01.06.2026 20:40 Last: 01.06.2026 20:40 Sources 1

About this happening: **Red Hat's** official npm namespace was hijacked in a **supply chain attack** that republished **32 packages** in the **@redhat-cloud-services** scope on **June 1**; the maliciou...

Timeline

  1. 28.11.2025 18:18 2 articles · 7mo ago

    Contagious Interview adds 197 malicious npm packages

    Campaign Scope Update

    North Korean threat actors expanded the Contagious Interview campaign by flooding the npm registry with 197 more malicious packages, which Socket says were downloaded over 31,000 times. The packages are designed to deliver an updated OtterCookie payload that blends BeaverTail and prior OtterCookie features, connects to the hard-coded Vercel URL tetrismic.vercel[.]app, and then retrieves the payload from a threat actor-controlled GitHub repository; the delivery account stardev0914 is no longer accessible.

    Show sources