
CRITICAL: North Korea's Contagious Interview Campaign Hits 1,700 Packages Across Five Ecosystems

DPRK-linked threat actors have infected over 1,700 malicious packages across npm, PyPI, Go, Rust, and Packagist since January 2025. The Contagious Interview campaign delivers infostealers and RATs through developer tooling that looks completely legitimate until activated.

By Danny Mercer, CISSP — Lead Security Analyst. Apr 8, 2026

If you thought keeping track of dependencies was already a nightmare, North Korea just made it significantly worse. The Contagious Interview campaign, a persistent operation attributed to DPRK-linked threat actors, has quietly infected over 1,700 malicious packages across npm, PyPI, Go, Rust, and PHP's Packagist ecosystem since January 2025. That is not a typo. Five separate ecosystems, all compromised in a coordinated supply chain attack designed to infiltrate developer environments worldwide.

Socket security researcher Kirill Boychenko dropped the findings in a report that reads like a supply chain horror story. The packages were crafted to impersonate legitimate developer tooling, with names that would blend right into your dependency tree without raising eyebrows. On npm, the list includes dev-log-core, logger-base, logkitx, pino-debugger, debug-fmt, and debug-glitz. PyPI saw logutilkit, apachelicense, fluxhttp, and license-utils-kit. The Go ecosystem got hit with packages under github.com/golangorg/formstash and github.com/aokisasakidev/mit-license-pkg. Rust received logtrace. Even Packagist was not spared, with golangorg/logkit making an appearance.

What makes these packages particularly insidious is their patience. Unlike sloppy malware that trips alarms during installation, these loaders hide their true purpose inside seemingly legitimate functions. Take the Rust package logtrace as an example. The malicious code sits inside Logger::trace(i32), a method that looks exactly like what you would expect from a logging utility. No red flags during install. No suspicious postinstall scripts. Just clean code that happens to phone home when you actually use it.
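The defensive counterpart to this "clean until used" pattern is a capability check: a logging or formatting library has no reason to open sockets, spawn processes, or evaluate code, so any such primitive in its source is worth a human look regardless of whether an install script exists. The following is an added example, not Socket's detection logic and not code from any of the packages named above; it runs simple per-language regexes over package source text, and the two Rust snippets and the JavaScript snippet it scans are constructed fixtures (a harmless `trace` method that merely names the network and process APIs), not the real logtrace code.

```python
"""Flag mismatches between a package's declared purpose and the APIs it uses.

Added example. A logging utility should not need network, process or
dynamic-code primitives; this reports every line that references one.
All sample sources below are constructed for the demo.
"""
import re

# Primitives a pure logging/formatting library should not need, keyed by file
# extension. Patterns are deliberately simple and biased toward false positives:
# the output is a review queue, not a verdict.
SUSPICIOUS_APIS = {
    ".rs": [r"\bstd::net::", r"\bTcpStream::connect\b", r"\breqwest::", r"\bureq::",
            r"\bstd::process::Command\b", r"\bCommand::new\b"],
    ".js": [r"require\(['\"]child_process['\"]\)", r"require\(['\"]https?['\"]\)",
            r"\bfetch\(", r"\beval\(", r"\bnew Function\(", r"\bprocess\.env\b"],
    ".py": [r"\b(?:import|from)\s+(?:socket|subprocess|urllib|requests)\b",
            r"\bexec\(", r"\bos\.system\("],
    ".go": [r'"net/http"', r'"os/exec"', r'"net"'],
    ".php": [r"\bcurl_exec\(", r"\bshell_exec\(", r"\beval\(",
             r"\bfile_get_contents\(['\"]https?://"],
}


def scan_package_source(files):
    """files: {path: source text}. Returns a list of (path, line_no, matched text)."""
    findings = []
    for path, text in files.items():
        ext = "." + path.rsplit(".", 1)[-1] if "." in path else ""
        patterns = SUSPICIOUS_APIS.get(ext, [])
        for line_no, line in enumerate(text.splitlines(), start=1):
            for pat in patterns:
                m = re.search(pat, line)
                if m:
                    findings.append((path, line_no, m.group(0)))
    return findings


# Constructed: what an honest logging crate looks like to the scanner.
SAMPLE_CLEAN_RS = '''\
pub struct Logger;
impl Logger {
    pub fn trace(&self, level: i32) {
        eprintln!("[trace:{}]", level);
    }
}
'''

# Constructed: the same API surface, but the method also names a socket
# and a process primitive. Nothing here sends or receives anything.
SAMPLE_SUSPICIOUS_RS = '''\
use std::net::TcpStream;
use std::process::Command;
pub struct Logger;
impl Logger {
    pub fn trace(&self, level: i32) {
        // constructed fixture: a "trace" method that also touches net and process APIs
        let _s = TcpStream::connect("192.0.2.10:443");
        let _o = Command::new("uname").arg("-a").output();
        eprintln!("[trace:{}]", level);
    }
}
'''

# Constructed: an npm "debug formatter" that pulls in child_process.
SAMPLE_SUSPICIOUS_JS = '''\
const fmt = require("util");
const cp = require("child_process");
module.exports = function debugFmt(msg) { return fmt.format("[debug] %s", msg); };
'''

if __name__ == "__main__":
    for name, src in [("clean.rs", SAMPLE_CLEAN_RS), ("lib.rs", SAMPLE_SUSPICIOUS_RS),
                      ("index.js", SAMPLE_SUSPICIOUS_JS)]:
        for path, line_no, hit in scan_package_source({name: src}):
            print(f"{path}:{line_no}: {hit}")
```

Run it against the extracted source of a dependency (the tarball npm, pip or cargo downloaded, not the repository the package claims to come from) and triage every hit by asking whether the package's README justifies that capability. The regexes are intentionally crude; the value is in applying the same question across every ecosystem, which is exactly where single-ecosystem review processes fall down.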

Once activated, these loaders fetch platform-specific second-stage payloads that bring the real pain. The delivered malware functions as both an infostealer and a remote access trojan, targeting web browsers, password managers, and cryptocurrency wallets. But the Windows variant delivered through license-utils-kit takes things to another level entirely. Socket describes it as a full post-compromise implant capable of running shell commands, logging keystrokes, stealing browser data, uploading files, terminating web browsers to force re-authentication, deploying AnyDesk for persistent remote access, creating encrypted archives, and downloading additional modules. It is essentially a Swiss Army knife for digital espionage and financial theft.

The campaign represents a significant evolution in how North Korean threat actors approach software supply chain compromise. Rather than focusing on a single ecosystem, Contagious Interview has built infrastructure to systematically infiltrate multiple platforms simultaneously. This cross-ecosystem approach dramatically increases the odds of catching developers off guard. A security-conscious team might audit their npm dependencies religiously while overlooking their Go modules or Rust crates.

This discovery does not exist in isolation. It is part of a broader pattern of DPRK-linked groups treating the open source ecosystem like their personal hunting ground. The same actors recently poisoned the popular Axios npm package after socially engineering the maintainer and taking control of their account. That attack deployed an implant called WAVESHAPER.V2 and has been attributed to UNC1069, a financially motivated group that overlaps with the notorious BlueNoroff and Sapphire Sleet clusters.

The social engineering tactics deserve attention on their own. UNC1069 runs multi-week, low-pressure campaigns across Telegram, LinkedIn, and Slack. They either impersonate known contacts and credible brands or leverage access to previously compromised accounts to build trust. The endgame is always the same: get the target onto a fake Zoom or Microsoft Teams call. These fraudulent meeting links serve ClickFix-style lures that trick victims into executing malware. Security Alliance blocked 164 UNC1069-linked domains impersonating Microsoft Teams and Zoom between February 6 and April 7, 2026.

What is particularly clever, and frustrating from a defender's perspective, is the patience these operators demonstrate after initial access. They do not immediately start exfiltrating data or deploying ransomware. The implant sits dormant while the victim reschedules the failed call and goes about their business, completely unaware their machine is compromised. This patience extends the operational window and maximizes value extraction before incident response gets triggered.

Microsoft's Sherrod DeGrippo, general manager for threat intelligence, summed it up well when speaking to The Hacker News. The consistent pattern is ongoing evolution in how DPRK-linked financially motivated actors operate. The tooling changes. The infrastructure shifts. But the behavior and intent remain crystal clear.

For development teams, the implications are stark. Dependency auditing can no longer be a check-the-box exercise focused on a single package manager. Organizations need visibility across their entire software supply chain, including every ecosystem their developers touch. Tools like Socket, Snyk, and Dependabot help, but they are only as good as the policies enforcing their use. If your Go developers or Rust enthusiasts are pulling packages outside your standard review process, you have blind spots that threat actors like those behind Contagious Interview are specifically designed to exploit.
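A concrete first step toward that cross-ecosystem visibility is to check every lockfile in a repository against the same indicator list, so a name that is blocked in npm does not slip through in Cargo.lock. The script below is an added example written for this article, not Socket's, Snyk's or Dependabot's code; it parses minimal forms of five manifest formats (package-lock.json, requirements.txt, go.mod, Cargo.lock, composer.lock) and matches dependency names against the package names quoted from the Socket report above. The sample manifests, their versions, and the benign packages around them are constructed for the demo.

```python
"""Check lockfiles in five ecosystems against the package names from the report.

Added example, not vendor tooling. Parsers handle the common layout of each
format; anything exotic should be fed through the ecosystem's own CLI instead.
Sample manifests are constructed.
"""
import json
import re

# Names quoted in the article (from Socket's report). Treat as a starting
# blocklist, not a complete one: the report itself says more may exist.
KNOWN_MALICIOUS = {
    "npm": {"dev-log-core", "logger-base", "logkitx", "pino-debugger", "debug-fmt", "debug-glitz"},
    "pypi": {"logutilkit", "apachelicense", "fluxhttp", "license-utils-kit"},
    "go": {"github.com/golangorg/formstash", "github.com/aokisasakidev/mit-license-pkg"},
    "cargo": {"logtrace"},
    "packagist": {"golangorg/logkit"},
}


def normalize_pypi(name):
    # PEP 503: case-insensitive; runs of "-", "_" and "." are equivalent.
    return re.sub(r"[-_.]+", "-", name).lower()


def deps_from_package_lock(text):
    data = json.loads(text)
    names = set()
    for path in data.get("packages", {}):  # lockfileVersion 2/3 layout
        if path.startswith("node_modules/"):
            names.add(path.rsplit("node_modules/", 1)[1])  # handles nesting and @scopes
    names.update(data.get("dependencies", {}))  # lockfileVersion 1 layout
    return names


def deps_from_requirements(text):
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.add(normalize_pypi(m.group(1)))
    return names


def deps_from_go_mod(text):
    # Matches "require mod vX" one-liners and lines inside a require ( ... ) block.
    names = set()
    for line in text.splitlines():
        line = line.split("//", 1)[0].strip()
        m = re.match(r"(?:require\s+)?(\S+)\s+v\d", line)
        if m:
            names.add(m.group(1))
    return names


def deps_from_cargo_lock(text):
    # Cargo.lock is TOML; every [[package]] table carries a name = "..." line.
    return set(re.findall(r'^name\s*=\s*"([^"]+)"', text, flags=re.MULTILINE))


def deps_from_composer_lock(text):
    data = json.loads(text)
    return {p["name"] for key in ("packages", "packages-dev") for p in data.get(key, [])}


PARSERS = {
    "npm": deps_from_package_lock,
    "pypi": deps_from_requirements,
    "go": deps_from_go_mod,
    "cargo": deps_from_cargo_lock,
    "packagist": deps_from_composer_lock,
}


def scan(manifests):
    """manifests: {ecosystem: file text}. Returns {ecosystem: sorted matched names}."""
    hits = {}
    for eco, text in manifests.items():
        found = PARSERS[eco](text)
        bad = KNOWN_MALICIOUS[eco]
        if eco == "pypi":
            bad = {normalize_pypi(n) for n in bad}
        matched = sorted(found & bad)
        if matched:
            hits[eco] = matched
    return hits


# Constructed sample repository: one manifest per ecosystem, one bad name in each.
SAMPLE_MANIFESTS = {
    "npm": json.dumps({"lockfileVersion": 3, "packages": {
        "": {"name": "app"},
        "node_modules/express": {"version": "4.19.2"},
        "node_modules/pino": {"version": "9.0.0"},
        "node_modules/pino/node_modules/pino-debugger": {"version": "1.0.2"},
    }}),
    "pypi": "requests==2.32.3\nLicense_Utils.Kit==0.2.0  # pulled in by a template\n",
    "go": "module example.com/app\n\ngo 1.22\n\nrequire (\n"
          "\tgithub.com/gin-gonic/gin v1.10.0\n\tgithub.com/golangorg/formstash v0.1.4\n)\n",
    "cargo": '[[package]]\nname = "serde"\nversion = "1.0.203"\n\n'
             '[[package]]\nname = "logtrace"\nversion = "0.1.0"\n',
    "packagist": json.dumps({"packages": [{"name": "monolog/monolog", "version": "3.6.0"}],
                             "packages-dev": [{"name": "golangorg/logkit", "version": "1.0.0"}]}),
}

if __name__ == "__main__":
    for eco, names in scan(SAMPLE_MANIFESTS).items():
        print(f"{eco}: {', '.join(names)}")
```

Two details matter in practice: the PyPI check normalizes names per PEP 503 so that `License_Utils.Kit` still matches `license-utils-kit`, and the npm parser walks nested `node_modules` paths so a transitive dependency (here a constructed `pino-debugger` under `pino`) is caught even though it never appears in package.json. Wire a check like this into CI for every lockfile the repository contains, and refresh the list from the vendor report rather than from this article.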

The 1,700 packages identified represent what researchers have found so far. The actual number could be higher. These are not automated mass-upload attacks leaving obvious traces. They are carefully crafted packages with legitimate-looking code, maintained accounts, and names designed to look like natural additions to any project. The supply chain attack surface just got a whole lot bigger, and North Korea is playing the long game.
