A North Korea-linked campaign known as Contagious Interview has published malicious packages across Go, Rust, PHP, npm and PyPI, with a technical analysis from Socket saying the activity has now passed 1,700 malicious packages since January 2025.
KEY FACTS
- Scope: The latest packages targeted five open-source ecosystems.
- Delivery: The code was hidden inside functions that matched the packages’ stated purpose.
- Payload: The second stage included infostealer and remote access features.
- Impact: One Windows variant could run commands, log keystrokes and deploy AnyDesk.
The packages were presented as legitimate developer tools, including logging and license-related libraries. In several cases, the malicious code was not triggered during installation and was instead embedded in normal-looking functions, making detection harder.
The report said the payloads were designed to steal data from web browsers, password managers and cryptocurrency wallets. It also said one Windows version delivered through the license-utils-kit package could upload files, terminate browsers, create an encrypted archive and download additional modules.
The campaign fits a broader pattern of supply chain attacks tied to North Korean hacking groups. The article also cited the poisoning of the Axios npm package to deliver malware after an account takeover, along with a separate disclosure that 164 domains impersonating Microsoft Teams and Zoom were blocked between February 6 and April 7, 2026.
Microsoft said the financially motivated activity continues to evolve in tooling, infrastructure and targeting. The company said the actors have used domains that impersonate U.S.-based financial institutions and video conferencing services.
WHY IT MATTERS
The findings show how a long-running campaign is using trusted software repositories and fake meeting links to gain access to developer and corporate systems. That raises the risk of credential theft, remote access and follow-on compromise across multiple operating systems.

