2026-07-18 · view entry permalink →
Contagious Interview (DPRK) hides an OTTERCOOKIE-aligned payload in SVG-comment steganography inside fake coding-interview repos
Elastic Security Labs disclosed a new instance of the long-running DPRK-aligned Contagious Interview campaign (internally tracked REF9403) after the operators targeted Elastic's own community Slack workspace with a fake job posting and a "coding challenge" project (Elastic Security Labs, 2026-07-18). The lure is a fully functional take-home project — a Next.js e-commerce template copied from a real open-source repository — that a candidate is asked to run. The novelty is where the payload hides: it is "split into Base64 fragments inside HTML comments across every SVG flag image inside an assets directory" (Elastic Security Labs, 2026-07-18). The files look like ordinary country-flag images; a JavaScript loader in the repo reassembles the comment fragments from every flag in alphabetical order, decodes them with a custom Base64 routine, and runs the result with eval() — deliberately avoiding atob() and Buffer.from so simple content scanners do not flag the decode. Because the project's package.json wires the loader into the server entry point, the payload runs on every npm run dev / npm start, and the trojanized repositories "have zero detections and are not flagged by any AV vendors" (Elastic Security Labs, 2026-07-18).
The payload is a four-stage chain Elastic assesses as aligned with OTTERCOOKIE (first documented by NTT Security in December 2024, overlapping the BEAVERTAIL lineage). Stage one enumerates browser profiles across Windows, macOS and Linux and steals saved credentials, autofill data and cryptocurrency-wallet-extension stores, masquerading its process as a benign npm-cache process. Stage two recursively discovers and exfiltrates sensitive files — environment files, private keys, keychains, shell histories, documents and source code. Stage three opens a persistent Socket.IO command-and-control channel giving the operator interactive shell execution, with sandbox/VM detection used to tag rather than halt on analysis machines. Stage four (Windows) drops further second-stage binaries disguised as text files and adds a clipboard stealer polling every 500 ms.
The payloads are split into Base64 fragments inside HTML comments across every SVG flag image inside an assets directory.
These trojanized repositories at the time of writing have zero detections and are not flagged by any AV vendors