Recent cybersecurity analyses have revealed that a North Korean threat actor associated with the Contagious Interview campaign has merged functionality from two of its primary malware tools, BeaverTail and OtterCookie, into a more advanced JavaScript-based malware. This development reflects the group’s ongoing efforts to enhance its cyber-espionage capabilities.
Cisco Talos researchers have observed that the latest iterations of the Contagious Interview campaign exhibit a convergence of features from both BeaverTail and OtterCookie. Notably, OtterCookie has been upgraded with modules for keylogging and screenshot capture, indicating a strategic refinement of the group’s malicious toolkit.
The Contagious Interview campaign, active since late 2022, involves North Korean operatives masquerading as recruiters to deceive job seekers into downloading malicious software under the guise of technical assessments. This ruse has led to the exfiltration of sensitive information and cryptocurrency from unsuspecting victims.
In a recent incident analyzed by Cisco Talos, an organization based in Sri Lanka was inadvertently affected. An individual within the company was duped into installing a compromised Node.js application named Chessfi, hosted on Bitbucket, as part of a fraudulent job interview process. This application depended on a malicious npm package titled node-nvm-ssh, which was uploaded to the npm repository on August 20, 2025, by a user identified as trailer. Before its removal six days later, the package had been downloaded 306 times.
The node-nvm-ssh package is among 338 malicious Node libraries recently identified by software supply chain security firm Socket, all linked to the Contagious Interview campaign. Upon installation, the package executes a post-installation script that triggers a JavaScript payload, leading to the deployment of the combined BeaverTail and OtterCookie malware.
This integration of malware functionalities underscores the evolving sophistication of North Korean cyber operations. By merging the data-stealing capabilities of BeaverTail with the command execution features of OtterCookie, the threat actors have developed a more potent tool for cyber-espionage.
The cybersecurity community continues to monitor these developments closely, emphasizing the need for heightened vigilance among organizations and individuals, particularly those involved in job-seeking activities. Implementing robust security measures and maintaining awareness of such deceptive tactics are crucial in mitigating the risks posed by these advanced cyber threats.