{"id":533,"date":"2026-04-08T09:07:51","date_gmt":"2026-04-08T09:07:51","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=533"},"modified":"2026-04-08T09:07:51","modified_gmt":"2026-04-08T09:07:51","slug":"n-korean-hackers-spread-1700-malicious-packages-across-npm-pypi-go-rust","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=533","title":{"rendered":"N. Korean Hackers Spread 1,700 Malicious Packages Across npm, PyPI, Go, Rust"},"content":{"rendered":"<div id=\"articlebody\">\n<p>The North Korea-linked persistent campaign known\u00a0as <strong>Contagious\u00a0Interview<\/strong> has spread its tentacles by publishing malicious packages targeting the Go, Rust, and PHP ecosystems.<\/p>\n<p>\u00abThe threat actor&#8217;s packages were designed to impersonate legitimate developer tooling [&#8230;], while quietly functioning as malware loaders, extending Contagious Interview\u2019s established playbook into a coordinated cross-ecosystem supply chain operation,\u00bb Socket security researcher Kirill\u00a0Boychenko <a href=\"https:\/\/socket.dev\/blog\/contagious-interview-campaign-spreads-across-5-ecosystems\">said<\/a> in a Tuesday\u00a0report.<\/p>\n<p>The complete list of identified packages is as follows\u00a0&#8211;<\/p>\n<ul>\n<li>npm: dev-log-core, logger-base, logkitx, pino-debugger, debug-fmt, debug-glitz<\/li>\n<li>PyPI: logutilkit, apachelicense, fluxhttp, license-utils-kit<\/li>\n<li>Go: github[.]com\/golangorg\/formstash, github[.]com\/aokisasakidev\/mit-license-pkg<\/li>\n<li>Rust: 
logtrace<\/li>\n<li>Packagist: golangorg\/logkit<\/li>\n<\/ul>\n<p>These loaders are designed to fetch platform-specific second-stage payloads, which turn out to be a piece of malware with infostealer and remote access trojan (RAT) capabilities. It&#8217;s primarily focused on gathering data from web browsers, password managers, and cryptocurrency\u00a0wallets.<\/p>\n<p>However, a Windows version of the malware delivered via \u00ablicense-utils-kit\u00bb incorporates what&#8217;s described by Socket as a \u00abfull post-compromise implant\u00bb that&#8217;s equipped to run shell commands, log keystrokes, steal browser data, upload files, terminate web browsers, deploy AnyDesk for remote access, create an encrypted archive, and download additional\u00a0modules.<\/p>\n<p>\u00abThat makes this cluster notable not just for its cross-ecosystem reach, but for the depth of post-compromise functionality embedded in at least part of the campaign,\u00bb Boychenko\u00a0added.<\/p>\n<p>What\u00a0makes the latest set of libraries noteworthy is that the malicious\u00a0code is not\u00a0triggered\u00a0during installation. Rather, it&#8217;s\u00a0embedded into seemingly legitimate functions that align with the package&#8217;s advertised purpose. 
For\u00a0instance, in the case of \u00ablogtrace,\u00bb the code is concealed within \u00abLogger::trace(i32),\u00bb a method that&#8217;s unlikely to raise a developer&#8217;s suspicion.<\/p>\n<p>The\u00a0expansion of Contagious Interview across five open-source ecosystems is a further sign that the campaign is a well-resourced and persistent supply chain threat engineered to systematically infiltrate these platforms as initial access pathways to breach developer environments for espionage and financial\u00a0gain.<\/p>\n<p>In\u00a0all,\u00a0Socket said\u00a0it has identified <a href=\"https:\/\/socket.dev\/supply-chain-attacks\/north-korea-s-contagious-interview-campaign\">more than 1,700 malicious\u00a0packages<\/a> linked to the activity since the start of January\u00a02025.<\/p>\n<p>The\u00a0discovery is part of a broader software supply chain compromise campaign undertaken by North Korean hacking\u00a0groups. This\u00a0includes\u00a0the poisoning of the popular Axios npm package to distribute an implant called WAVESHAPER.V2\u00a0after taking control of the package maintainer&#8217;s npm account via a tailored social engineering\u00a0campaign.<\/p>\n<p>The\u00a0attack\u00a0has been attributed to a financially motivated threat actor known as UNC1069, which overlaps with BlueNoroff, Sapphire Sleet, and Stardust\u00a0Chollima. 
Security Alliance (SEAL), in a report published\u00a0today, said it blocked 164 UNC1069-linked domains impersonating\u00a0services like Microsoft Teams and Zoom between February 6 and April 7,\u00a02026.<\/p>\n<p>\u00abUNC1069 operates multi-week, low-pressure social engineering campaigns across Telegram, LinkedIn, and Slack \u2013 either impersonating known contacts or credible brands or by leveraging access to previously compromised company and individual accounts \u2013 before delivering a fraudulent Zoom or Microsoft Teams meeting link,\u00bb\u00a0SEAL <a href=\"https:\/\/radar.securityalliance.org\/advisory-on-dprk-unc1069-fake-microsoft-teams-and-zoom-calls\/\">said<\/a>.<\/p>\n<p>These\u00a0fake meeting\u00a0links are\u00a0used to serve ClickFix-like lures, resulting in the execution of malware that contacts an attacker-controlled server for data theft and targeted post-exploitation activity across Windows, macOS, and\u00a0Linux.<\/p>\n<p>\u00abOperators deliberately do not act immediately following initial access. The\u00a0implant is left dormant or passive for a period following compromise,\u00bb SEAL added. \u00abThe target typically reschedules the failed call and continues normal operations, unaware that the device is compromised. 
This\u00a0patience extends the operational window and maximizes the value extracted before any incident response is triggered.\u00bb<\/p>\n<p>In\u00a0a statement shared with The Hacker News, Microsoft said financially-driven North Korean threat actors are actively evolving their toolset and infrastructure, using domains masquerading as U.S.-based financial institutions and video conferencing applications for social engineering.<\/p>\n<p>\u00abWhat we are seeing consistently is ongoing evolution in how DPRK-linked, financially motivated actors operate, shifts in tooling, infrastructure, and targeting, but with clear continuity in behavior and intent,\u00bb Sherrod DeGrippo, general manager for threat intelligence at Microsoft,\u00a0said.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The North Korea-linked persistent campaign known\u00a0as Contagious\u00a0Interview has spread its tentacles by publishing malicious packages targeting the Go, Rust, and PHP ecosystems. \u00abThe threat actor&#8217;s packages were designed to 
impersonate&hellip;<\/p>\n","protected":false},"author":1,"featured_media":534,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[338,337,33,39,35,934,574,262],"class_list":["post-533","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-hackers","tag-korean","tag-malicious","tag-npm","tag-packages","tag-pypi","tag-rust","tag-spread"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/533","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=533"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/533\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/534"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=533"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=533"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=533"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}