OtterCookie's fake interview now steals AI-tool configs
Elastic Security Labs catches the DPRK's Contagious Interview crew hiding a four-stage payload in SVG country flag files — and the new file stealer specifically hunts .claude, .cursor, .gemini, and .windsurf configs.
Elastic Security Labs told The Hacker News today that the DPRK-linked crew behind Contagious Interview has landed a new twist on the same tired trick: a fake recruiter in Slack, a coding “assessment” repository, a functional-looking Next.js project — and, buried inside a directory of country-flag SVGs, a four-stage payload aligned with the malware family Elastic and Microsoft have been calling OtterCookie. Elastic tracks the intrusion set as REF9403. No CVE, no vendor patch to point at. The pattern itself is the story.
What Elastic actually saw
Elastic’s own community got picked as the target. Late May, a user named “Maxwell” surfaced in the #jobs channel of Elastic’s public Slack, recruiting for an “e-commerce platform upgrade” — Next.js 14, NestJS, PostgreSQL, Auth.js, Stripe, all the pieces a mid-level full-stack dev would find plausible. Candidates were funneled into a coding test hosted in a repository that did in fact run: real code, real dependencies, real functionality. The malicious component was in the assets directory, in a folder of SVG country flags — AE.svg, AF.svg, and so on. Each flag file carried HTML comments with base64 fragments injected between the SVG paths. A file called serverValidation.js walked the folder on server boot, glued the fragments back together, and detonated.
Anyone who ran the project ended up, per Elastic, with four stages: a browser credential and cryptocurrency wallet stealer, a file stealer, a Socket.IO-based RAT capable of executing shell commands, and a clipboard stealer. Cross-platform, module-loading, VM-aware.
The file stealer’s target list is the news
OtterCookie’s file stealer used to hunt what you’d expect a stealer to hunt: browser profiles, wallet files, shell history. Elastic’s current sample keeps all of that — and adds explicit extensions for the local config directories of AI coding assistants. .claude. .cursor. .gemini. .windsurf. .pearai. .llama.
That is not a random addition. Those directories are where a working developer’s day now lives: API keys for the underlying provider, project-scoped instructions the agent has been told to trust, cached memory files, MCP server configurations, sometimes long-running session context. On many machines they carry more real access than the browser cookie jar does. If you have shell to a dev laptop and you can read ~/.claude and ~/.cursor on the way out, you have leverage against whatever the developer’s agent has recently been asked to touch — repos, cloud consoles, ticketing systems, the lot.
The stealer doesn’t need a zero-day to do that. It just needs the developer to have run the coding test.
Contagious Interview, still contagious
The interview-lure pattern here is old. Contagious Interview has been publicly tracked since December 2022 or earlier, and this same actor cluster has been the subject of several recent write-ups on this site — the 108 malicious npm, Packagist, Go, and Chrome-extension listings we covered on July 4, the Rollup-polyfill supply-chain angle from July 3, Elastic’s own ScmBanker/REF6045 work from earlier this month. The steganography wrapper is new; the delivery vector — “we’re hiring, please clone this repo and run it” — is a lure that has been quietly effective against developers for going on four years now, which is longer than several of the languages in the fake job description have been at 1.0.
Steganography as a stage-one hider is likewise not novel. Hiding payload bytes inside image files predates most of the developers this crew is now recruiting; the SVG variant only stands out because SVG is text, so the “image” doesn’t need to be a carefully-crafted binary — you can literally drop base64 blobs into HTML comments between the path elements and the file will still render as a flag. The cleverness is in the choice of a folder nobody looks at twice. Everyone has a country-flag picker in the corner of a form. Nobody grep’s the SVGs.
What defenders do
Elastic’s writeup lays this out cleanly, and the useful moves are the boring ones. Don’t run interview code on your daily-driver box. If you must, run it in a disposable VM with no access to the host’s home directory. Watch for network I/O to Socket.IO endpoints from processes that shouldn’t be reaching the internet at all. And — the underrated one — treat the ~/.claude, ~/.cursor, ~/.gemini, and equivalent config directories the way you already treat ~/.ssh and ~/.aws: back them by filesystem permissions your development shell doesn’t casually inherit, and rotate the credentials they hold on any suspicion of exposure.
The delivery is a coding test. The trust is in the AI-assistant configs. The lesson has not changed. The names of the folders being stolen have.
Found this useful? Share it.


