Inside the Contagious Interview Campaign: How Attackers Masquerade as Legitimate Developers
Researchers at Socket have uncovered new insights into a sophisticated software supply-chain operation linked to the Contagious Interview campaign. This campaign targets developers who rely on packages from NPM, employing a “full stack” approach that mimics legitimate software development processes to deceive victims.
The Full Stack of Malicious Operations
Socket reports that the attackers orchestrate code hosting, package distribution, staging servers, and command-and-control (C2) infrastructure in a manner similar to genuine software pipelines. This layered setup allows them to deliver malicious payloads while maintaining an appearance of legitimacy.
In the latest wave, nearly 200 malicious NPM packages were uploaded, resulting in over 31,000 downloads. The attackers lure victims with fake job interviews and coding assignments related to Web3 and blockchain, prompting developers to pull dependencies for “test projects” that contain trojanized packages.
How the Attack Works
When developers install these compromised packages, they unknowingly trigger post-install scripts that connect to staging endpoints hosted on platforms like Vercel. These endpoints fetch payloads from threat-actor-controlled repositories, such as a GitHub account named “stardev0914.”
The payloads, including variants of OtterCookie and BeaverTail, execute on the victim’s machine, enabling credential theft, system monitoring, and remote access capabilities. This allows attackers to hijack developer accounts and control affected systems.
Socket emphasizes that these attacks rely heavily on social engineering, exploiting trust in familiar package names and development workflows to bypass defenses.
Protective Measures for Developers
To defend against such threats, Socket recommends treating every “npm install” as a potential risk of remote code execution. Developers should restrict access for continuous-integration (CI) runners, enforce network egress controls, and review new code or dependencies pulled from repositories like GitHub.
Additional best practices include scrutinizing unfamiliar helper packages, pinning specific versions, and using lockfiles instead of auto-updating dependencies. Automated package analysis tools can also help identify threats early by detecting import-time loaders, network probing, or data exfiltration attempts before they reach developer workstations or CI systems.
Implementing these measures lets dependency onboarding and code review act as effective filters, reducing the risk of falling victim to Contagious Interview-style attacks.