North Korean Hackers Launch Large-Scale Supply Chain Attack via Open Source

08.04.2026 4 minutes Author: Newsman

North Korean hackers have launched one of the largest attacks on the open source ecosystem, distributing over 1,700 malicious packages in popular repositories. The campaign covers npm, PyPI, Go, Rust, and other platforms and is already seen as a systemic threat to developers around the world.

North Korea’s Contagious Interview campaign has expanded again and now includes many other public open-source platforms. The attackers are creating and publishing large numbers of malicious packages for Go, Rust, and PHP; once installed, these packages become an entry point for compromising the developer’s environment.

Kirill Boychenko, a security researcher at Socket, reported that the packages look like ordinary development tools but actually serve as malware loaders. “Packages published by attackers posed as legitimate development tools […], yet acted as malware loaders, thereby expanding the already proven Contagious Interview concept to include a coordinated supply chain attack in multiple ecosystems,” he said.

Below are the packages identified as malicious:

  • npm: dev-log-core, logger-base, logkitx, pino-debugger, debug-fmt, debug-glitz

  • PyPI: logutilkit, apachelicense, fluxhttp, license-utils-kit

  • Go: github[.]com/golangorg/formstash, github[.]com/aokisasakidev/mit-license-pkg

  • Rust: logtrace

  • Go package: golangorg/logkit
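A defender’s first question on reading a list like the one above is whether any of those names are already in a project’s manifests. The following script is an added example (it is not Socket’s tooling and not part of the original article): it parses an npm package.json, a PyPI requirements.txt, a go.mod and a Cargo.toml and flags any dependency that matches the names listed in the article. The Go indicators are written defanged (“github[.]com”) in the article and are restored here; the host-less entry golangorg/logkit is matched by suffix. The sample manifests are constructed for the demonstration.

```python
"""Scan dependency manifests from several ecosystems for the package names
listed in the article. Added example; not Socket's code."""
import json
import re

# Indicators as listed in the article (defanged "[.]" restored for matching).
MALICIOUS = {
    "npm": {"dev-log-core", "logger-base", "logkitx", "pino-debugger",
            "debug-fmt", "debug-glitz"},
    "pypi": {"logutilkit", "apachelicense", "fluxhttp", "license-utils-kit"},
    "go": {"github.com/golangorg/formstash",
           "github.com/aokisasakidev/mit-license-pkg",
           "golangorg/logkit"},  # listed without a host in the article
    "cargo": {"logtrace"},
}


def normalize_pypi(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, '-', '_' and '.' equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def npm_deps(text: str) -> set[str]:
    data = json.loads(text)
    names: set[str] = set()
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        names.update(data.get(section, {}))
    return names


def pypi_deps(text: str) -> set[str]:
    names: set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments
        if not line or line.startswith("-"):       # skip pip options like -r/-e
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)  # name before ==, >=, [extras], ;
        if m:
            names.add(normalize_pypi(m.group(0)))
    return names


def go_deps(text: str) -> set[str]:
    # "require path vX.Y.Z" and the "path vX.Y.Z" lines inside a require ( ... ) block.
    return set(re.findall(r"^\s*(?:require\s+)?([A-Za-z0-9._~/-]+)\s+v\d\S*", text, re.M))


def cargo_deps(text: str) -> set[str]:
    names: set[str] = set()
    mode = None  # "list": keys are dependency names; "table": keys are one dep's fields
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("["):
            parts = line.strip("[]").split(".")
            idx = next((i for i, p in enumerate(parts) if p.endswith("dependencies")), None)
            if idx is None:
                mode = None                      # [package], [features], ...
            elif idx + 1 < len(parts):
                names.add(parts[idx + 1].strip("\"'"))  # [dependencies.name] form
                mode = "table"
            else:
                mode = "list"                    # [dependencies], [dev-dependencies], ...
            continue
        if mode == "list" and "=" in line:
            names.add(line.split("=", 1)[0].strip().strip('"'))
    return names


PARSERS = {"npm": npm_deps, "pypi": pypi_deps, "go": go_deps, "cargo": cargo_deps}


def scan_manifest(ecosystem: str, text: str) -> list[str]:
    """Return the dependencies in `text` that match the article's indicators."""
    found = PARSERS[ecosystem](text)
    bad = MALICIOUS[ecosystem]
    if ecosystem == "go":
        # full module path, or a host-less "owner/repo" indicator matched as a suffix
        return sorted(d for d in found
                      if d in bad or any(d.endswith("/" + b) for b in bad))
    if ecosystem == "pypi":
        bad = {normalize_pypi(b) for b in bad}
    return sorted(d for d in found if d in bad)


# Constructed sample manifests, one per ecosystem.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo",
    "dependencies": {"express": "^4.19.0", "debug-fmt": "1.0.2"},
    "devDependencies": {"jest": "^29.0.0"},
})
SAMPLE_REQUIREMENTS = "requests==2.32.0\nLicense_Utils.Kit>=0.3  # looks harmless\n"
SAMPLE_GO_MOD = ("module example.com/app\n\ngo 1.22\n\nrequire (\n"
                 "\tgithub.com/golangorg/formstash v0.1.0\n"
                 "\tgolang.org/x/text v0.14.0 // indirect\n)\n")
SAMPLE_CARGO = ('[package]\nname = "demo"\n\n[dependencies]\nserde = "1"\n'
                'logtrace = "0.2"\n\n[dev-dependencies.tokio]\nversion = "1"\n')

if __name__ == "__main__":
    for eco, text in [("npm", SAMPLE_PACKAGE_JSON), ("pypi", SAMPLE_REQUIREMENTS),
                      ("go", SAMPLE_GO_MOD), ("cargo", SAMPLE_CARGO)]:
        print(f"{eco}: {scan_manifest(eco, text) or 'clean'}")
```

Run it against a real checkout by reading each manifest file and passing its contents to scan_manifest; lockfiles (package-lock.json, Cargo.lock, go.sum) would also need to be checked to catch transitive pulls, which this manifest-only scan does not cover.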

Each of the above works in the same way. When one of the packages is activated, a second-stage attack begins, consisting of an infostealer and a Remote Access Trojan (RAT). All of the malicious code is intended to steal data from browsers, password managers, and cryptocurrency wallet applications.

One variant of the campaign was designed specifically for Windows and is deployed via the license-utils-kit package. This variant included a fully functional post-exploitation toolkit that allowed attackers to run commands remotely, capture keystrokes, retrieve browser data, download files, close browsers, enable remote desktop access via AnyDesk, create encrypted zip files, and load additional modules.

As Boychenko explains, this level of functionality makes the campaign more dangerous because of both its sheer volume and the sophistication of what happens after infection. “This cluster is notable not only for its multi-ecosystem scope but also for the depth of post-exploitation capabilities embedded within at least a portion of this campaign,” he stated.

A further factor that makes this malware harder to detect is that it does not run when the package is first installed. Instead, it is concealed inside ordinary functions described in the package documentation. For instance, the malicious code in the Rust logtrace library was embedded in the Logger::trace(i32) function, a call that would likely raise little or no suspicion.

The fact that Contagious Interview now spans five different ecosystems simultaneously indicates a highly organized and sustained operation. Its objective is straightforward: to infiltrate developer environments systematically through tainted developer tools, for espionage and financial gain.

Since the beginning of 2025, Socket reports identifying more than 1,700 malicious packages deployed during this campaign.

Contagious Interview is one of several waves of software supply-chain attacks linked to North Korean groups. Previously, they compromised the Axios npm package and used it to spread the WAVESHAPER.V2 backdoor after taking control of a developer account through social engineering.

The UNC1069 cluster is responsible for the attack; it has also been tied to BlueNoroff, Sapphire Sleet and Stardust Chollima. Security Alliance states that between February 6th and April 7th 2026 alone, 164 domains imitating services such as Microsoft Teams and Zoom were blocked.

The tactic itself appears to be quite innovative. The attackers may spend weeks building relationships with victims on Telegram, LinkedIn or Slack, posing as an acquaintance or a company. At that point the victim receives a fake URL to a Zoom/Teams meeting.

These URLs act as bait and launch malware that connects to the attackers’ server and begins collecting sensitive information. The malware infects systems running Windows, macOS, and Linux.

Curiously, the attackers do not rush to use their implants immediately after gaining access to a system. The implant remains dormant for a period of time, allowing users to continue working normally without realizing they have been breached. This strategy lets the hackers stay hidden longer than in typical campaigns, giving them an opportunity to gather as much information as possible.

Sherrod DeGrippo, Microsoft’s Head of Threat Intelligence, stated that although the groups continue to develop new tools and techniques, their overall intentions and behaviors remain unchanged.
