Contagious Interview npm malicious package campaign
Campaign
Summary
Hide ▲
Show ▼
The Contagious Interview campaign expanded with 197 more malicious npm packages, extending a supply-chain delivery route that targets npm users and developers. The packages were downloaded over 31,000 times, increasing the chance of victim exposure at scale. They deliver an updated OtterCookie payload that can establish C2 and steal credentials, screenshots, and crypto wallet data.
Related Happenings
TonRAT Node.js implant with TON blockchain C2
Malware Activity
H score24
First: 26.06.2026 12:27
Last: 26.06.2026 12:27
Sources 1
About this happening:
**TonRAT** is using a **Node.js implant** to hide command-and-control lookups behind the **TON blockchain API**, increasing the chance that blocking and detection will fail. The a...
TonRAT Node.js implant with TON blockchain C2
Malware ActivityAbout this happening: **TonRAT** is using a **Node.js implant** to hide command-and-control lookups behind the **TON blockchain API**, increasing the chance that blocking and detection will fail. The a...
PolinRider GitHub supply-chain campaign delivering BeaverTail and InvisibleFerret
Campaign
H score9
First: 23.06.2026 11:54
Last: 23.06.2026 11:54
Sources 1
About this happening:
A **North Korean** supply-chain campaign dubbed **PolinRider** is injecting obfuscated JavaScript into compromised **GitHub repositories**, exposing developers to staged malware d...
PolinRider GitHub supply-chain campaign delivering BeaverTail and InvisibleFerret
CampaignAbout this happening: A **North Korean** supply-chain campaign dubbed **PolinRider** is injecting obfuscated JavaScript into compromised **GitHub repositories**, exposing developers to staged malware d...
AUR package-hijacking campaign delivering atomic-lockfile
Campaign
H score11
First: 12.06.2026 20:03
Last: 12.06.2026 20:03
Sources 1
About this happening:
**AUR package-hijacking campaign** is abusing **more than 400** compromised **Arch User Repository (AUR)** packages to deliver **atomic-lockfile**, turning the **AUR** build path...
AUR package-hijacking campaign delivering atomic-lockfile
CampaignAbout this happening: **AUR package-hijacking campaign** is abusing **more than 400** compromised **Arch User Repository (AUR)** packages to deliver **atomic-lockfile**, turning the **AUR** build path...
Atlas RAT and related loaders deployed for remote access and credential theft
Malware Activity
H score33
First: 04.06.2026 00:45
Last: 04.06.2026 00:45
Sources 1
About this happening:
**TA4922**, a **China-linked** and likely **financially motivated** malware activity, has expanded beyond **East Asia** into **Europe** and **Africa**. The group uses **Atlas RAT*...
Atlas RAT and related loaders deployed for remote access and credential theft
Malware ActivityAbout this happening: **TA4922**, a **China-linked** and likely **financially motivated** malware activity, has expanded beyond **East Asia** into **Europe** and **Africa**. The group uses **Atlas RAT*...
Red Hat npm Namespace Hijacked in Supply Chain hit by cyberattack
Incident
H score13
First: 01.06.2026 20:40
Last: 01.06.2026 20:40
Sources 1
About this happening:
**Red Hat's** official npm namespace was hijacked in a **supply chain attack** that republished **32 packages** in the **@redhat-cloud-services** scope on **June 1**; the maliciou...
Red Hat npm Namespace Hijacked in Supply Chain hit by cyberattack
IncidentAbout this happening: **Red Hat's** official npm namespace was hijacked in a **supply chain attack** that republished **32 packages** in the **@redhat-cloud-services** scope on **June 1**; the maliciou...
Timeline
-
28.11.2025 18:18 2 articles · 7mo ago
Contagious Interview adds 197 malicious npm packages
Campaign Scope UpdateNorth Korean threat actors expanded the Contagious Interview campaign by flooding the npm registry with 197 more malicious packages, which Socket says were downloaded over 31,000 times. The packages are designed to deliver an updated OtterCookie payload that blends BeaverTail and prior OtterCookie features, connects to the hard-coded Vercel URL tetrismic.vercel[.]app, and then retrieves the payload from a threat actor-controlled GitHub repository; the delivery account stardev0914 is no longer accessible.
Show sources
- North Korean Hackers Deploy 197 npm Packages to Spread Updated OtterCookie Malware — thehackernews.com — 28.11.2025 18:18
- North Korean Hackers Deploy 197 npm Packages to Spread Updated OtterCookie Malware — thehackernews.com — 28.11.2025 18:18