
A persistent North Korea-related campaign known as Contagious Interview has spread its tentacles by publishing malicious packages targeting the Go, Rust, and PHP ecosystems.
“The threat actor’s package was designed to impersonate a legitimate developer tool. […] While silently acting as a malware loader, it extends Contagious Interview’s established strategy to coordinated supply chain operations across ecosystems,” Socket security researcher Kirill Boychenko said in a report on Tuesday.
The complete list of identified packages is:
npm: dev-log-core, logger-base, logkitx, pino-debugger, debug-fmt, debug-glitz
PyPI: logutilkit, apachelicense, fluxhttp, license-utils-kit
Go: github[.]com/golangorg/formstash, github[.]com/aokisasakidev/mit-license-pkg
Rust: logtrace
PHP: golangorg/logkit
These loaders are designed to retrieve a platform-specific second-stage payload, which turns out to be malware with information-stealing and remote access Trojan (RAT) capabilities. It primarily focuses on collecting data from web browsers, password managers, and cryptocurrency wallets.
However, the Windows version of the malware delivered via “license-utils-kit” incorporates what Socket describes as a “full post-compromise implant” with the ability to execute shell commands, log keystrokes, steal browser data, upload files, close web browsers, deploy AnyDesk for remote access, create encrypted archives, and download additional modules.
“As such, this cluster is notable not only for its ecosystem-wide reach, but also for the depth of post-compromise functionality embedded in at least some of its campaigns,” Boychenko added.
What’s notable about the latest set of libraries is that no malicious code is triggered during installation. Instead, the malicious logic is embedded in seemingly legitimate features that serve the package’s advertised purpose. For example, in the case of “logtrace,” the code is hidden within “Logger::trace(i32),” a method unlikely to arouse a developer’s suspicion.
The expansion of Contagious Interview to five open source ecosystems is further evidence that this campaign is a well-resourced and persistent supply chain threat, designed to systematically infiltrate these platforms as an initial access conduit into developer environments for espionage and financial gain.
Socket said it has identified a total of more than 1,700 malicious packages associated with this activity since early January 2025.
The discovery is part of a broader software supply chain compromise campaign carried out by a North Korean hacking group. This includes poisoning popular Axios npm packages and distributing an implant called WAVESHAPER.V2 after taking control of package maintainers’ npm accounts through a customized social engineering campaign.
This attack is believed to be the work of a financially motivated attacker known as UNC1069, which overlaps with BlueNoroff, Sapphire Sleet, and Stardust Chollima. In a report released today, the Security Alliance (SEAL) announced that from February 6, 2026, to April 7, 2026, it blocked 164 domains linked to UNC1069 that impersonated services such as Microsoft Teams and Zoom.
“UNC1069 has been conducting a low-pressure social engineering campaign across Telegram, LinkedIn, and Slack for several weeks, impersonating known contacts and trusted brands, and leveraging access to previously compromised corporate and personal accounts, before distributing fraudulent Zoom and Microsoft Teams meeting links,” the SEAL said.
These fake meeting links are used to deliver ClickFix-like decoys, resulting in the execution of malware that accesses attacker-controlled servers for data theft and targeted post-exploitation activities across Windows, macOS, and Linux.
“Operators intentionally do not take action immediately after initial access; the implant remains dormant or passive for a period of time following a breach,” Shields added. “The target typically reschedules the failed call and continues normal operations without realizing that the device has been compromised. This patience extends the operational window and maximizes the value extracted before incident response is triggered.”
Microsoft said in a statement shared with The Hacker News that financially motivated North Korean threat actors are actively evolving their toolsets and infrastructure, using domains masquerading as U.S.-based financial institutions and video conferencing applications for social engineering.
“What we consistently see is a continued evolution in how financially motivated threat actors associated with North Korea operate, changing their tools, infrastructure, and targeting, but with clear continuity in their behavior and intent,” said Sherrod DeGrippo, general manager of threat intelligence at Microsoft.
