
Contagious Trader campaign - Coordinated weaponisation of cryptocurrency trading bots by suspected DPRK malware operators

Medium
Published: Wed Mar 18 2026 (03/18/2026, 10:49:56 UTC)
Source: AlienVault OTX General

Description

The Contagious Trader campaign is a sophisticated malware operation targeting cryptocurrency users, attributed to North Korea with high confidence. It involves malicious cryptocurrency trading bot projects on GitHub that exfiltrate sensitive data and private keys using various techniques, including malicious npm dependencies. The campaign demonstrates overlaps with known North Korean tactics, particularly those of FAMOUS CHOLLIMA, including the use of GitHub, npm, and Vercel infrastructure, Base64-encoded payload URLs, and anonymizing VPNs for npm package publishing. The operation represents a shift in tactics, expanding beyond the previous Contagious Interview campaign to target a broader range of cryptocurrency users.

AI-Powered Analysis

Last updated: 03/18/2026, 11:28:11 UTC

Technical Analysis

The Contagious Trader campaign is a coordinated malware operation attributed with high confidence to North Korean (DPRK) threat actors and linked to the activity cluster tracked as FAMOUS CHOLLIMA (also associated with Lazarus Group). It targets cryptocurrency users by weaponising trading-bot projects hosted on GitHub: the bots pull in malicious npm dependencies that exfiltrate sensitive user data, including the private keys that control the victim's wallets. The operators run the campaign on legitimate developer infrastructure, GitHub for hosting the bot repositories, npm for distributing the malicious dependencies and Vercel for deployment, so nothing in the delivery chain looks out of place to a trader who clones a repository and runs npm install.

Evasion is simple but effective. Payload URLs are Base64-encoded so that no plain-text indicator appears in the repository source or the npm package, and the npm packages are published from behind anonymising VPNs so that publisher IP addresses do not point back to the operators. The campaign is a tactical shift from the earlier Contagious Interview campaign, which lured software developers with fake job interviews; Contagious Trader instead targets the broader population of cryptocurrency traders who download and run bots.

The reported MITRE ATT&CK techniques are T1041 (Exfiltration Over C2 Channel), T1056.001 (Input Capture: Keylogging) for credential access, T1059.007 (Command and Scripting Interpreter: JavaScript) and T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) for persistence. The indicators of compromise are the IP addresses, domains and single URL listed below, used for command and control and data exfiltration. No software vulnerability is exploited: the infection vector is the victim voluntarily installing the trojanised project and its dependencies, which is why the record shows no exploits in the wild even though the campaign is active. The objective is financial gain through theft of cryptocurrency, achieved by compromising trading bots and stealing the private keys they hold.

Potential Impact

Cryptocurrency users and organisations worldwide are exposed. A compromised trading bot hands the attacker the private keys it holds, and with them the ability to sign unauthorised transactions and drain wallets, so losses are direct and usually irreversible. Exchanges, wallet providers and legitimate trading-bot developers risk reputational damage and loss of customer trust if their platforms or software are implicated. Because delivery rides on GitHub, npm and Vercel, the malicious projects look like ordinary open-source software and pass controls tuned for hostile domains, which raises the infection rate, and the Base64-encoded payload URLs slow incident response and forensic work. Given the global nature of cryptocurrency markets the financial impact can spread across many countries. The medium severity rating reflects a targeted, user-initiated infection vector weighed against the potential for significant financial loss to anyone who runs an affected bot.

Mitigation Recommendations

Defence against Contagious Trader is a software-supply-chain problem first and a wallet-security problem second, so the controls should be layered.

Treat every third-party trading bot, and every npm package it pulls in, as untrusted code until reviewed. Before running a bot, read its package.json for lifecycle scripts (preinstall, install, postinstall), confirm that each dependency in the lockfile resolves to the expected registry with a pinned integrity hash, and install with npm ci rather than npm install so the lockfile is honoured. Installing with --ignore-scripts stops lifecycle scripts from running at all, and npm audit signatures verifies registry signatures and provenance attestations for packages whose publishers provide them. Decode any long Base64 string literals in the source, since this campaign hides its payload URLs that way.

Block and alert on traffic to the IP addresses, domains and URL listed under Indicators of Compromise, and watch for outbound connections from trading-bot processes to hosts other than the exchanges they are meant to talk to. Runtime monitoring should flag reads of wallet files, keystore directories and environment variables holding private keys by anything other than the expected process.

Keep private keys out of the bot's reach wherever the trading workflow allows it: sign with a hardware wallet or a secure-enclave-backed signer, and give the bot only exchange API keys scoped to trading with no withdrawal rights. Run bots in an isolated environment, a dedicated VM or container on a segmented network with no access to personal wallets, browser profiles or SSH keys, and keep that environment patched, npm dependencies included.

Finally, educate developers and traders that stars and a polished README on a GitHub repository are not a trust signal, that cloning and running an unknown bot is equivalent to running an unknown binary, and that credentials pasted into a bot should be assumed exposed if the bot turns out to be malicious. Subscribe to threat intelligence feeds that track this campaign's infrastructure so new indicators reach the blocklist as they are published.


Technical Details

Author
AlienVault
TLP
WHITE
References
https://kmsec.uk/blog/contagious-trader/
Adversary
DPRK (North Korea)
Pulse Id
69ba83542e3e56c9806b9659
Threat Score
null

Indicators of Compromise

IP
154.38.188.168
23.137.105.114
39.144.60.174

URL
http://65.109.25.6:6000/api/polymarket-copytrading-bot-api-key/validate

Domain
aurevian.cloud
changelog.rest
clob-polymarket.com
jacobtan0107.pm
polblxpnl.space
polymarket-clob.com
api.bpkythuat.com
api.fivefingerz.dev
api.mywalletsss.store
api.soladify.fun
www.blxrbn.com

Threat ID: 69ba88a2771bdb17497e4f49

Added to database: 3/18/2026, 11:12:34 AM

Last enriched: 3/18/2026, 11:28:11 AM

Last updated: 3/19/2026, 3:39:35 AM



