North Korean hackers linked to the Contagious Interview campaign have added 197 malicious packages to the npm registry, bringing the total to a staggering 31,000 downloads. These packages are designed to deliver a new variant of OtterCookie, integrating features from both BeaverTail and previous OtterCookie versions. Some of the compromised package names include bcryptjs-node, session-keeper, and tailwindcss-forms. The malware aims to evade detection by sandboxes and virtual machines, allowing attackers to establish a command-and-control channel, steal sensitive data, and remotely control infected machines. The malware connects to a hard-coded Vercel URL to fetch its payload, which is hosted on an inaccessible GitHub account. Security researcher Kirill Boychenko remarked on the scale of this campaign, noting how effectively North Korean actors have adapted their tactics to exploit modern JavaScript development environments. In parallel, the attackers have also created fake job assessment websites that deliver another malware variant called GolangGhost. This malware disguises itself as a solution for camera or microphone issues and gathers system information, runs commands, and collects data from Google Chrome. Further complicating the situation, the GolangGhost malware uses a decoy application to trick users with fake prompts, ultimately capturing login credentials and sending them to a Dropbox account. Unlike other DPRK IT schemes that embed actors in legitimate businesses, the Contagious Interview campaign specifically targets individuals through deceptive recruitment practices. This approach weaponizes the job application process, making it a significant threat to unsuspecting job seekers.