North Korean hackers poison npm packages to hit developers and steal crypto
The North Korean campaign known as Contagious Interview is still expanding its assault on software developers, now leaning on poisoned developer tools and fake job offers. Researchers at Proofpoint and Expel describe obfuscated malicious npm packages, published from throwaway accounts, that install the OtterCookie infostealer through a post-install script, alongside recruitment and code-review phishing lures. The group is using generative AI to build its malware loaders and to set up fake companies and LinkedIn profiles for social engineering. Expel says the operation stole $12 million in cryptocurrency in the first three months of 2026, draining more than 26,000 wallets from over 2,700 infected developer machines.
- Check: Audit developer machines and CI pipelines for recently installed npm packages with post-install scripts from unfamiliar publishers, and review whether staff engaged with unsolicited recruiters or take-home coding tests.
- Affected: Software developers, especially in cryptocurrency, Web3, and blockchain, targeted through malicious npm packages and fake job interviews; their machines, wallets, and source code are the goal.
- Fix: Vet dependencies before installing, block install-time scripts in CI, isolate untrusted coding tests in disposable sandboxes, and train developers to treat unsolicited recruiter outreach and test assignments as suspect.