{"id":6024,"date":"2025-12-01T15:47:19","date_gmt":"2025-12-01T15:47:19","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=6024"},"modified":"2025-12-01T15:47:19","modified_gmt":"2025-12-01T15:47:19","slug":"contagious-interview-attackers-go-full-stack-to-fool-developers","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=6024","title":{"rendered":"Contagious Interview attackers go \u2018full stack\u2019 to fool developers"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Researchers at Socket have uncovered more details of a sophisticated software supply-chain operation linked to the Contagious Interview campaign attacking developers who rely on packages from NPM.<\/p>\n<p>They report finding a \u201cfull stack\u201d operation behind the attacks, where code hosting, package distribution, staging servers and command-and-control (C2) infrastructure are orchestrated much like a legitimate software development and delivery pipeline \u2014 and offer honest developers fresh advice on protecting themselves against the attacks.<\/p>\n<p>In the latest wave, threat actors uploaded almost 200 new malicious NPM packages, with more than 31,000 recorded downloads. The <a href=\"https:\/\/www.csoonline.com\/article\/4090979\/north-koreas-job-test-trap-upgrades-to-json-malware-dropboxes.html\">campaign<\/a> lures victims with fake job interviews and coding assignments related to Web3 and blockchain projects, asking them to pull dependencies for a \u201ctest project\u201d. 
But the NPM packages they install are Trojan horses.<\/p>\n<p>The latest packages identified by Socket ultimately deliver a new payload with upgraded credential theft, system monitoring and remote access capabilities, enabling the attackers to take over developers\u2019 accounts and machines.<\/p>\n<h2 class=\"wp-block-heading\">Point defense<\/h2>\n<p>Based on its latest analysis, Socket advised developers to focus on the weak points this campaign exploits: treat every \u201cnpm install\u201d as potential remote code execution, restrict what continuous-integration runners can access, enforce network egress controls, and review the code of any new templates or utilities pulled from GitHub. Teams should also scrutinize unfamiliar helper packages, pin known-good versions, and use lockfiles instead of auto-updating dependencies, it advised.<\/p>\n<p>Automated package analysis can further reduce risk, with real-time scans catching threats including import-time loaders, network probing, and bulk data exfiltration before they hit developer machines or CI systems.<\/p>\n<p>With these checks in place, dependency onboarding and code review become effective filters for blocking Contagious Interview-style attacks early, Socket said.<\/p>\n<h2 class=\"wp-block-heading\">Coding tasks lead to malware delivery<\/h2>\n<p>These defensive measures are effective because Contagious Interview\u2019s entry vector relies heavily on social engineering, using fake interview tasks to trick developers into installing malicious dependencies.<\/p>\n<p>The campaign exploits NPM, a widely used package registry for JavaScript and Node.js, by publishing packages that appear benign but carry hidden payloads. 
The malicious packages, including one named \u201ctailwind-magic\u201d, mimic legitimate libraries (in this case, a typosquatted version of the genuine \u201ctailwind-merge\u201d utility) to avoid suspicion.<\/p>\n<p>When an unsuspecting developer installs such a package, a post-install script triggers and reaches out to a staging endpoint hosted on Vercel. That endpoint in turn delivers a live payload fetched from a threat-actor-controlled GitHub account named \u201cstardev0914\u201d. From there the payload, a variant of OtterCookie that also folds in capabilities from the campaign\u2019s other signature payload, <a href=\"https:\/\/www.csoonline.com\/article\/3817394\/macos-ferret-operators-add-a-deceptive-bite-to-their-malware-family.html\">BeaverTail<\/a>, executes and establishes a remote connection to the attackers\u2019 control server. The malware then silently harvests credentials, crypto-wallet data, browser profiles and more.<\/p>\n<p>\u201cTracing the malicious npm package tailwind-magic led us to a Vercel-hosted staging endpoint, tetrismic[.]vercel[.]app, and from there to the threat actor controlled GitHub account which contained 18 repositories,\u201d Socket\u2019s senior threat intelligence analyst Kirill Boychenko said in a blog <a href=\"https:\/\/socket.dev\/blog\/north-korea-contagious-interview-npm-attacks\" target=\"_blank\" rel=\"noopener\">post<\/a>, crediting related <a href=\"https:\/\/dprk-research.kmsec.uk\/\" target=\"_blank\" rel=\"noopener\">research<\/a> by Kieran Miyamoto that helped confirm the malicious GitHub account stardev0914.<\/p>\n<h2 class=\"wp-block-heading\">A \u2018full stack\u2019 adversary: GitHub, Vercel, and NPM<\/h2>\n<p>What makes this campaign stand out is the layered infrastructure behind it. 
Socket\u2019s analysis traced not just the NPM packages but also how the attackers built a complete delivery pipeline: malware-serving repositories on GitHub, staging servers on Vercel, and separate C2 servers for exfiltration and remote command execution.<\/p>\n<p>Through this setup, attackers can rotate payloads, update malware unobtrusively, and tailor deployments per target\u2014all while blending deeply into the legitimate developer ecosystem, according to Boychenko.<\/p>\n<p>Once installed, OtterCookie doesn\u2019t just run and vanish: it remains persistent, capable of logging keystrokes, hijacking the clipboard, scanning the filesystem, capturing screenshots, and grabbing browser and wallet credentials across Windows, macOS and Linux.<\/p>\n<p>The campaign actors\u2019 intensified NPM activity arrives at a worrying moment for the JavaScript and open-source ecosystem. In recent months, the community has seen a flurry of NPM-based attacks \u2014 including worm-style <a href=\"https:\/\/www.csoonline.com\/article\/4095578\/new-shai-hulud-worm-spreading-through-npm-github.html\">campaigns<\/a> that transformed popular packages into Trojan horses, automated <a href=\"https:\/\/www.csoonline.com\/article\/4081790\/typo-hackers-sneak-cross-platform-credential-stealer-into-10-npm-packages.html\">credential theft<\/a>, and widespread supply chain <a href=\"https:\/\/www.csoonline.com\/article\/4088529\/malicious-npm-package-sneaks-into-github-actions-builds.html\">compromise<\/a> across both development and CI environments.<\/p>\n<p>This article was first published on <a href=\"https:\/\/www.infoworld.com\/article\/4098666\/contagious-interview-attackers-go-full-stack-to-fool-you.html\">InfoWorld<\/a>.<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Researchers at Socket have uncovered more details of a sophisticated software supply-chain operation linked to the Contagious Interview campaign attacking developers who rely on 
packages from NPM. They report finding a \u201cfull stack\u201d operation behind the attacks, where code hosting, package distribution, staging servers and command-and-control (C2) infrastructure are orchestrated much like a legitimate [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":6025,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6024","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6024"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6024"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6024\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/6025"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6024"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6024"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6024"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}