North Korea’s Contagious Interview Campaign Spreads Across 5...


North Korea's Contagious Interview campaign has expanded its software supply chain attack operation across five package ecosystems: npm, PyPI, Go Modules, crates.io, and Packagist. Threat actors published malicious packages impersonating legitimate developer tooling (loggers, parsers, license utilities) that hide loader logic behind routine-looking API methods. The packages contact attacker-controlled infrastructure to fetch staged payloads, download ZIP archives, and execute platform-specific malware. The most capable package, license-utils-kit, bundles a full post-compromise implant with keylogging, browser/wallet theft, file collection, and remote shell capabilities. The campaign is linked to GitHub aliases including golangorg, aokisasakidev, and maxcointech1010. Over 1,700 malicious packages have been tracked since 2024. Defenders are advised to treat utility packages contacting remote infrastructure as high risk, pin dependencies, and sandbox suspicious packages before use.

9m read time. From socket.dev