North Korea's Contagious Interview Campaign Spreads Across 5 Ecosystems, Delivering Staged RAT Payloads
A North Korean threat operation has published malicious packages across npm, PyPI, Go Modules, crates.io, and Packagist, impersonating legitimate developer tooling. The campaign uses GitHub aliases including golangorg and aokisasakidev to distribute staged malware loaders that contact actor-controlled infrastructure, retrieve payloads from Google Drive, and deliver platform-specific second-stage malware. The loaders are hidden behind normal-looking API functions in logging and utility libraries. Windows variants include full remote access trojans with capabilities for shell execution, keylogging, browser and wallet theft, sensitive file collection, and AnyDesk deployment. The operation demonstrates coordinated cross-ecosystem supply chain attacks with shared infrastructure patterns, reused extraction directories, and consistent staging logic across multiple programming languages.
AI Analysis
Technical Summary
The Contagious Interview campaign is a North Korean supply chain attack operation that distributes malicious packages across five popular software package ecosystems (npm, PyPI, Go Modules, crates.io, and Packagist). The attackers use GitHub aliases such as golangorg and aokisasakidev to publish staged malware loaders disguised as legitimate developer tooling libraries. These loaders contact attacker-controlled infrastructure to download second-stage malware payloads hosted on Google Drive. The malicious code is hidden behind seemingly normal API functions in logging and utility libraries. Windows variants of the malware include full-featured remote access trojans with capabilities including shell command execution, keylogging, theft of browser data and cryptocurrency wallets, collection of sensitive files, and installation of AnyDesk for remote access. The campaign is notable for its cross-ecosystem coordination, reuse of extraction directories, and consistent staging logic across different programming languages. There is no CVE or patch information available, and no known active exploitation has been reported.
Potential Impact
If installed into a developer's environment, these malicious packages can lead to remote compromise of the affected system, including unauthorized shell access, credential theft, keylogging, theft of cryptocurrency wallets, and exfiltration of sensitive data. The deployment of AnyDesk gives the attacker persistent remote control. The cross-ecosystem nature of the campaign increases the risk of widespread impact across diverse development environments. However, no known exploits in the wild have been confirmed at this time.
Mitigation Recommendations
Patch status is not yet confirmed; check the vendor advisory and ecosystem-specific security advisories for current remediation guidance. Developers should verify the authenticity and integrity of packages before use, avoid installing packages from untrusted sources or suspicious GitHub aliases, and monitor for the indicators of compromise listed below (file hashes and a domain). Because this is a supply chain attack spanning multiple ecosystems, organizations should apply supply chain security practices such as dependency auditing and restricting package sources. No official fixes or vendor advisories are currently available.
Indicators of Compromise
- hash: 7c5adef4b5aee7a4aa6e795a86f8b7d601618c3bc003f1326ca57d03ec7d6524
- hash: 9a541dffb7fc18dc71dbc8523ec6c3a71c224ffeb518ae3a8d7d16377aebee58
- hash: bb2a89001410fa5a11dea6477d4f5573130261badc67fe952cfad1174c2f0edd
- domain: self.run
Technical Details
- Author: AlienVault
- TLP: white
- References: https://socket.dev/blog/contagious-interview-campaign-spreads-across-5-ecosystems
- Adversary: Contagious Interview
- Pulse ID: 69d61d25c472b8eb580c2996
- Threat Score: null
Threat ID: 69d636951cc7ad14da612c2f
Added to database: 4/8/2026, 11:05:57 AM
Last enriched: 4/8/2026, 11:21:02 AM
Last updated: 4/9/2026, 8:16:35 AM