N. Korean Hackers Spread 1,700 Malicious Packages Across npm, PyPI, Go, Rust

Summary

The Contagious Interview campaign, linked to North Korea, has published over 1,700 malicious packages across multiple package managers (npm, PyPI, Go, Rust, and Packagist) designed to impersonate legitimate developer tooling while functioning as malware loaders. The packages deliver second-stage payloads with infostealer and RAT capabilities targeting browsers, password managers, and cryptocurrency wallets, with Windows versions including full post-compromise implants for command execution and keylogging. The campaign is part of a broader financially motivated North Korean operation that also compromised the Axios npm package and uses social engineering via fake Zoom/Teams links attributed to UNC1069/BlueNoroff.

Full text

N. Korean Hackers Spread 1,700 Malicious Packages Across npm, PyPI, Go, Rust Ravie LakshmananApr 08, 2026Malware / Threat Intelligence The North Korea-linked persistent campaign known as Contagious Interview has spread its tentacles by publishing malicious packages targeting the Go, Rust, and PHP ecosystems. "The threat actor's packages were designed to impersonate legitimate developer tooling [...], while quietly functioning as malware loaders, extending Contagious Interview’s established playbook into a coordinated cross-ecosystem supply chain operation," Socket security researcher Kirill Boychenko said in a Tuesday report. The complete list of identified packages is as follows - npm: dev-log-core, logger-base, logkitx, pino-debugger, debug-fmt, debug-glitz PyPI: logutilkit, apachelicense, fluxhttp, license-utils-kit Go: github[.]com/golangorg/formstash, github[.]com/aokisasakidev/mit-license-pkg Rust: logtrace Packagist: golangorg/logkit These loaders are designed to fetch platform-specific second-stage payloads, which turn out to be a piece of malware with infostealer and remote access trojan (RAT) capabilities. It's primarily focused on gathering data from web browsers, password managers, and cryptocurrency wallets. However, a Windows version of the malware delivered via "license-utils-kit" incorporates what's described by Socket as a "full post-compromise implant" that's equipped to run shell commands, log keystrokes, steal browser data, upload files, terminate web browsers, deploy AnyDesk for remote access, create an encrypted archive, and download additional modules. "That makes this cluster notable not just for its cross-ecosystem reach, but for the depth of post-compromise functionality embedded in at least part of the campaign," Boychenko added. What makes the latest set of libraries noteworthy is that the malicious code is not triggered during installation.Rather, it's embedded into seemingly legitimate functions that align with the package's advertised purpose. For instance, in the case of "logtrace," the code is concealed within "Logger::trace(i32)," a method that's unlikely to raise a developer's suspicion. The expansion of Contagious Interview across five open-source ecosystems is a further sign that the campaign is a well-resourced and persistent supply chain threat engineered to systematically infiltrate these platforms as initial access pathways to breach developer environments for espionage and financial gain. In all, Socket said it has identified more than 1,700 malicious packages linked to the activity since the start of January 2025. The discovery is part of a broader software supply chain compromise campaign undertaken by North Korean hacking groups. This includes the poisoning of the popular Axios npm package to distribute an implant called WAVESHAPER.V2 after taking control of the package maintainer's npm account via a tailored social engineering campaign. The attack has been attributed to a financially motivated threat actor known as UNC1069, which overlaps with BlueNoroff, Sapphire Sleet, and Stardust Chollima. Security Alliance (SEAL), in a report published today, said it blocked 164 UNC1069-linked domains impersonating services like Microsoft Teams and Zoom between February 6 and April 7, 2026. "UNC1069 operates multi-week, low-pressure social engineering campaigns across Telegram, LinkedIn, and Slack – either impersonating known contacts or credible brands or by leveraging access to previously compromised company and individual accounts – before delivering a fraudulent Zoom or Microsoft Teams meeting link," SEAL said. These fake meeting links are used to serve ClickFix-like lures, resulting in the execution of malware that contacts an attacker-controlled server for data theft and targeted post-exploitation activity across Windows, macOS, and Linux. "Operators deliberately do not act immediately following initial access. The implant is left dormant or passive for a period following compromise," SEAL added. "The target typically reschedules the failed call and continues normal operations, unaware that the device is compromised. This patience extends the operational window and maximizes the value extracted before any incident response is triggered." In a statement shared with The Hacker News, Microsoft said financially-driven North Korean threat actors are actively evolving their toolset and infrastructure, using domains masquerading as U.S.-based financial institutions and video conferencing applications for social engineering. "What we are seeing consistently is ongoing evolution in how DPRK-linked, financially motivated actors operate, shifts in tooling, infrastructure, and targeting, but with clear continuity in behavior and intent," Sherrod DeGrippo, general manager for threat intelligence at Microsoft, said. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  cybersecurity, data theft, Malware, Open Source, Remote Access Trojan, social engineering, supply chain attack, Threat Intelligence Trending News Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released Apple Expands iOS 18.7.7 Update to More Devices to Block DarkSword Exploit Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS Block the Prompt, Not the Work: The End of "Doctor No" BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware New GPUBreach Attack Enables Full CPU Privilege Escalation via GDDR6 Bit-Flips Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access Anthropic's Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems AI Will Change Cybersecurity. Humans Will Define Its Success. A Lesson No Algorithm Can Teach The AI Arms Race – Why Unified Exposure Management Is Becoming a Boardroom Priority Popular Resources Detect AI-Driven Threats Faster With Full Network Visibility [Demo] Discover SaaS Risks and Monitor Every App in Your Environment [Guide] Learn How to Govern AI Agents With Proven Market Guidance SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats

Indicators of Compromise

• malware — WAVESHAPER.V2

Entities