Inside the GitHub Infrastructure Powering North Korea’s Contagious Interview npm Attacks
Blog post from Socket
North Korea's Contagious Interview operation has intensified its infiltration of the npm ecosystem, expanding with at least 197 new malicious packages and over 31,000 additional downloads, and targeting blockchain and Web3 developers through fake job interviews and test assignments. This prolific campaign relies on a layered infrastructure spanning GitHub, Vercel, and command-and-control (C2) servers to deliver the OtterCookie malware, which performs keylogging, clipboard theft, and exfiltration of crypto-wallet data. The operation uses typosquatted npm packages such as tailwind-magic, which pose as legitimate utilities while executing threat-actor-supplied code.

Despite the removal of the GitHub account stardev0914, the techniques and infrastructure continue to evolve, with the campaign adapting to modern development workflows. Recommended security measures include hardening CI environments, enforcing network egress controls, and applying rigorous review processes to new templates and dependencies in order to reduce the risk of such supply chain attacks.