Inside the GitHub Infrastructure Powering North Korea’s Contagious Interview npm Attacks
Contents
Inside the GitHub Infrastructure Powering North Korea’s Contagious Interview npm Attacks
Socket Threat Research maps a rare inside look at OtterCookie’s npm-Vercel-GitHub chain, adding 197 malicious packages and evidence of North Korean operators.
Inside the GitHub Infrastructure Powering North Korea’s Contagious Interview npm Attacks
Kirill Boychenko
November 26, 2025
The Socket Threat Research Team continues to track North Korea’s Contagious Interview operation as it systematically infiltrates the npm ecosystem. Since we last reported on this campaign, it has added at least 197 more malicious npm packages and over 31,000 additional downloads, with state-sponsored threat actors targeting blockchain and Web3 developers through fake job interviews and “test assignments”. This sustained tempo makes Contagious Interview one of the most prolific campaigns exploiting npm, and it shows how thoroughly North Korean threat actors have adapted their tooling to modern JavaScript and crypto-centric development workflows.
Within this recent wave of malicious npm packages, we documented a rare inside view of …
Socket Threat Research maps a rare inside look at OtterCookie’s npm-Vercel-GitHub chain, adding 197 malicious packages and evidence of North Korean operators.
Inside the GitHub Infrastructure Powering North Korea’s Contagious Interview npm Attacks
Kirill Boychenko
November 26, 2025
The Socket Threat Research Team continues to track North Korea’s Contagious Interview operation as it systematically infiltrates the npm ecosystem. Since we last reported on this campaign, it has added at least 197 more malicious npm packages and over 31,000 additional downloads, with state-sponsored threat actors targeting blockchain and Web3 developers through fake job interviews and “test assignments”. This sustained tempo makes Contagious Interview one of the most prolific campaigns exploiting npm, and it shows how thoroughly North Korean threat actors have adapted their tooling to modern JavaScript and crypto-centric development workflows.
Within this recent wave of malicious npm packages, we documented a rare inside view of …