North Korean Hackers Infiltrate Open-Source Ecosystems with 1,700 Malicious Packages
The North Korean state-sponsored campaign tracked as Contagious Interview has expanded its reach by publishing over 1,700 malicious packages across multiple open-source ecosystems, including npm, PyPI, Go, Rust, and PHP. The scale of the effort shows how persistent and adaptable supply chain attacks on developers and their organizations have become.
Scope and Methodology of the Attack
Security researchers at Socket found that the packages are crafted to mimic legitimate developer tools. Once pulled into a project, they act as malware loaders, deploying platform-specific payloads built to exfiltrate sensitive information, chiefly data stored in web browsers, password managers, and cryptocurrency wallets.
A notable example is the license-utils-kit package, which, when executed on Windows systems, installs a comprehensive post-compromise implant. This implant is capable of executing shell commands, logging keystrokes, stealing browser data, uploading files, terminating web browsers, deploying remote access tools like AnyDesk, creating encrypted archives, and downloading additional malicious modules.
Stealth Techniques Employed
The campaign's stealth is what sets it apart. Rather than running at install time, as traditional package malware does through a lifecycle hook, the malicious code is embedded in functions that look legitimate and match the package's advertised purpose, so it executes only when the application calls that function. In the logtrace package, for instance, the payload is hidden inside the Logger::trace(i32) method (the i32 signature marks it as a Rust crate), a function a developer would have no reason to scrutinize. A reviewer or scanner that only checks install scripts, or that never exercises the package beyond installing it, never sees the payload fire.
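To make the distinction between install-time and call-time payloads concrete, here is a small heuristic auditor, added for this article and not part of Socket's tooling or of any package named above. It walks an unpacked package, reports npm lifecycle hooks declared in package.json, and separately flags source files that combine several loader-style indicators (command execution, a platform check, base64 decoding, network access, dynamic evaluation). The two packages it audits are constructed in a temporary directory: noisy-pkg carries a classic postinstall hook, while quiet-pkg declares no hooks at all but hides the indicators inside a logging function, the pattern the logtrace example describes. Package names, file contents, indicator regexes and the three-category threshold are all illustrative assumptions.

```python
"""Audit an unpacked package for install hooks and for loader code hidden in
ordinary-looking functions. Added example for this article, not Socket's
scanner and not code from the packages it describes."""
import json
import re
import tempfile
from pathlib import Path

# npm lifecycle scripts that run automatically on `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicators that, in combination, suggest a runtime loader rather than a
# logging or utility routine. Each regex loosely covers several ecosystems.
SUSPICIOUS_PATTERNS = {
    "exec": re.compile(r"\b(child_process|execSync|spawn|subprocess|os\.system|Command::new)\b"),
    "network": re.compile(r"(https?\.request\(|fetch\(|urllib\.request|requests\.(get|post)|reqwest::)"),
    "decode": re.compile(r"(Buffer\.from\([^)]*[\"']base64[\"']\)|\batob\(|b64decode\(|STANDARD\.decode\()"),
    "dynamic_eval": re.compile(r"\b(eval\(|new Function\(|exec\()"),
    "platform_branch": re.compile(r"(process\.platform|platform\.system\(\)|sys\.platform|cfg!\(target_os|runtime\.GOOS|PHP_OS)"),
}

SOURCE_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".py", ".rs", ".go", ".php"}


def lifecycle_hooks(pkg_dir: Path) -> list[str]:
    """Return the npm lifecycle hooks declared in package.json, if any."""
    manifest = pkg_dir / "package.json"
    if not manifest.is_file():
        return []
    scripts = json.loads(manifest.read_text()).get("scripts", {})
    return [hook for hook in LIFECYCLE_HOOKS if hook in scripts]


def indicator_hits(path: Path) -> set[str]:
    """Names of the indicator categories that appear in one source file."""
    text = path.read_text(errors="replace")
    return {name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)}


def scan_source(pkg_dir: Path, min_categories: int = 3) -> dict[str, set[str]]:
    """Map each source file tripping at least min_categories indicators to its hits.
    One exec or network call is normal; decode + exec + platform branch in a
    single file is the shape of a hidden loader."""
    flagged = {}
    for path in sorted(pkg_dir.rglob("*")):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            hits = indicator_hits(path)
            if len(hits) >= min_categories:
                flagged[str(path.relative_to(pkg_dir))] = hits
    return flagged


def assess(pkg_dir: Path) -> dict:
    """Combine both checks; a package with no install hooks can still be flagged."""
    hooks = lifecycle_hooks(pkg_dir)
    flagged = scan_source(pkg_dir)
    reasons = []
    if hooks:
        reasons.append("install-hook")
    if flagged:
        reasons.append("embedded-loader")
    return {"hooks": hooks, "flagged": flagged, "verdict": "+".join(reasons) or "clean"}


# Constructed sample: a "logger" whose trace() hides a loader behind a platform
# check. The base64 blob decodes to the word PLACEHOLDER, not a real payload.
QUIET_LOGGER = '''\
const { execSync } = require("child_process");

function trace(level, msg) {
  if (process.platform === "win32") {
    const cmd = Buffer.from("UExBQ0VIT0xERVI=", "base64").toString();
    execSync(cmd);
  }
  console.log(`[${level}] ${msg}`);
}

module.exports = { trace };
'''


def build_sample_packages(root: Path) -> tuple[Path, Path]:
    """Write two constructed packages under root: one with a classic postinstall
    hook and one with no hooks but a loader hidden in a logging function."""
    noisy = root / "noisy-pkg"
    noisy.mkdir(parents=True)
    (noisy / "package.json").write_text(json.dumps({
        "name": "noisy-pkg", "version": "1.0.0",
        "scripts": {"postinstall": "node setup.js"},
    }))
    (noisy / "index.js").write_text("module.exports = () => 'hello';\n")
    (noisy / "setup.js").write_text("console.log('setting up');\n")

    quiet = root / "quiet-pkg"
    quiet.mkdir(parents=True)
    (quiet / "package.json").write_text(json.dumps({
        "name": "quiet-pkg", "version": "1.0.0", "main": "index.js",
        "scripts": {"test": "node test.js"},
    }))
    (quiet / "index.js").write_text(QUIET_LOGGER)
    return noisy, quiet


def demo() -> dict[str, dict]:
    """Build both samples in a temp dir and return their assessments by name."""
    with tempfile.TemporaryDirectory() as tmp:
        return {p.name: assess(p) for p in build_sample_packages(Path(tmp))}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result["verdict"], result["hooks"], sorted(result["flagged"]))
```

The second sample is the one that matters: `npm install --ignore-scripts` and any scanner keyed on lifecycle hooks rate quiet-pkg clean, and only reading or sandbox-exercising the trace() code path reveals the loader. Three categories in one file is a coarse threshold picked for the example; real packages produce false positives (process managers, CLI wrappers, build tools) that need triage, and an obfuscated loader can dodge literal regexes, so treat output like this as a first pass that tells a reviewer where to look, not as a verdict.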
Broader Implications and Connections
The expansion of the Contagious Interview campaign across multiple open-source ecosystems highlights a well-resourced and persistent supply chain threat. The objective is to systematically infiltrate these platforms, using them as initial access points to breach developer environments for espionage and financial gain.
Since January 2025, over 1,700 malicious packages linked to this activity have been identified. This discovery is part of a broader pattern of software supply chain compromises orchestrated by North Korean hacking groups. Notably, the popular Axios npm package was compromised to distribute an implant called WAVESHAPER.V2 after attackers took control of the package maintainer’s npm account through a targeted social engineering campaign.
The Axios compromise has been attributed to a financially motivated threat actor tracked as UNC1069, which overlaps with groups known as BlueNoroff, Sapphire Sleet, and Stardust Chollima. Between February 6 and April 7, 2026, Security Alliance (SEAL) reported blocking 164 domains linked to UNC1069 that impersonated services such as Microsoft Teams and Zoom.
Social Engineering Tactics
UNC1069 employs prolonged, low-pressure social engineering campaigns across platforms like Telegram, LinkedIn, and Slack. They impersonate known contacts or credible brands, or leverage access to previously compromised accounts, to deliver fraudulent meeting links for services like Zoom or Microsoft Teams. These fake meeting links are used to serve ClickFix-like lures, leading to the execution of malware that contacts attacker-controlled servers for data theft and targeted post-exploitation activities across Windows, macOS, and Linux systems.
Operators deliberately hold off after initial access, leaving the implant dormant or passive for a period. The target typically reschedules the failed call and carries on as normal, unaware the device is compromised. The delay lengthens the operational window and maximizes the value extracted before any incident response begins.
Evolving Threat Landscape
Microsoft has observed that financially driven North Korean threat actors are actively evolving their toolsets and infrastructure, registering domains that masquerade as U.S.-based financial institutions and video conferencing applications for use in social engineering. Tooling, infrastructure, and targeting shift over time, but the behavior and intent behind them stay consistent.
Conclusion
The Contagious Interview campaign's expansion into multiple open-source ecosystems marks a sophisticated and persistent threat to the software supply chain. By embedding malicious code within seemingly legitimate packages, North Korean threat actors are compromising developer environments for espionage and financial theft. Developers and organizations should review the source of new dependencies rather than relying on install-script checks alone, since these payloads only run when the host application calls the function that hides them, and should treat unsolicited meeting links and the troubleshooting steps that follow a "failed" call as suspect.