North Korean 'Contagious Interview' Campaign Floods npm Registry with Malicious Packages Targeting Crypto Developers
North Korean state-sponsored threat actors have significantly escalated their 'Contagious Interview' campaign by flooding the npm registry with over 338 malicious packages designed to steal cryptocurrency and sensitive credentials. The operation leverages a repeatable playbook, with threat actors creating more than 180 fake personas and using new npm aliases and registration emails to distribute the malware. These malicious packages have collectively been downloaded over 50,000 times, indicating a substantial reach and potential impact on the developer community.

The attackers primarily target Web3, cryptocurrency, and blockchain developers, as well as technical job seekers, often approaching them on LinkedIn under the guise of recruiters or hiring managers. The campaign follows a multi-stage attack chain, beginning with reconnaissance on social media, followed by weaponization through the publication of typosquatted npm packages. Delivery occurs via recruiter lures, leading to exploitation through malware loaders that execute in memory. The malware tooling has evolved: initial stages used direct BeaverTail droppers, while more recent waves employ HexEval, XORIndex, and encrypted loaders that reconstruct BeaverTail in memory. Once executed, these loaders typically fetch the InvisibleFerret backdoor, which establishes persistence and enables further malicious actions. The attackers use over a dozen command and control endpoints to manage the compromised systems.

The campaign is iterative, with new malicious packages appearing weekly and loader code being regularly tweaked to evade detection. The npm security team has been notified, and takedown requests have been submitted, but as of the latest reports, 25 malicious packages remain live on the registry. The operation has resulted in multi-stage compromises, including the theft of wallet keys and sensitive credentials, leading to financial losses for victims.
The attackers' use of social engineering, technical obfuscation, and rapid distribution across new aliases demonstrates a high level of sophistication and adaptability. The campaign has been mapped to the Lockheed Martin Cyber Kill Chain, illustrating its comprehensive approach from reconnaissance to actions on objectives. Security researchers emphasize the need for heightened vigilance among developers, especially those in the cryptocurrency and blockchain sectors, and recommend immediate review of npm dependencies and enhanced monitoring for suspicious package activity. The ongoing nature of the campaign and the attackers' ability to quickly adapt their tactics pose a persistent threat to the software supply chain. Organizations are urged to implement robust security controls, educate staff about social engineering risks, and coordinate with npm and security vendors to mitigate exposure. The incident highlights the growing risk of supply chain attacks via open-source ecosystems and the need for industry-wide collaboration to address such threats.
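As an added illustration of the dependency review the researchers recommend (example code written for this page, not tooling from Socket, Mallory or any source cited here), the following Node.js script audits a package-lock.json for two signals relevant to this campaign: package names that sit within a small edit distance of popular packages (the typosquatting described above) and packages that declare install-time scripts, which lockfile v2/v3 records in the hasInstallScript field and which is a common execution point for malicious npm packages in general (that association is the example's assumption, not a statement from the report). The watchlist, the blocklist entry and the lockfile fragment are all constructed for the example; no real package names from the campaign appear on this page, so none are reproduced here.

```javascript
// Added example: audit an npm lockfile for typosquat-like names, install scripts,
// and names on a threat-intel blocklist. All package names below are constructed.

// Popular package names a developer is likely to intend (constructed watchlist).
const WATCHLIST = ['express', 'lodash', 'axios', 'web3', 'ethers', 'dotenv'];

// Placeholder for names taken from a threat-intel feed; real IoCs are not on this page.
const KNOWN_BAD = new Set(['example-malicious-package']);

// Classic Levenshtein edit distance (insert, delete, substitute each cost 1).
function levenshtein(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      dp[i][j] = Math.min(
        dp[i - 1][j] + 1,
        dp[i][j - 1] + 1,
        dp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1),
      );
    }
  }
  return dp[a.length][b.length];
}

// Bare package name from a lockfile v2/v3 "packages" key such as
// "node_modules/foo" or "node_modules/@scope/foo/node_modules/bar".
function packageName(key) {
  const parts = key.split('node_modules/');
  return parts[parts.length - 1];
}

// Returns one finding per suspicious package: { name, version, reasons[] }.
function auditLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // the root project entry, not a dependency
    const name = packageName(key);
    const reasons = [];
    if (KNOWN_BAD.has(name)) reasons.push('on blocklist');
    if (entry.hasInstallScript) reasons.push('runs install script');
    for (const popular of WATCHLIST) {
      const d = levenshtein(name, popular);
      // d === 0 is the genuine package; 1-2 edits away is the typosquat band.
      if (d > 0 && d <= 2) reasons.push(`name within ${d} edit(s) of "${popular}"`);
    }
    if (reasons.length) findings.push({ name, version: entry.version, reasons });
  }
  return findings;
}

// Constructed package-lock.json (v3 layout) standing in for a real project lockfile.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-dapp', version: '1.0.0' },
    'node_modules/express': { version: '4.19.2' },
    'node_modules/expresss': { version: '1.0.3', hasInstallScript: true },
    'node_modules/ether': { version: '0.0.1' },
    'node_modules/example-malicious-package': { version: '2.1.0' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.name}@${f.version}: ${f.reasons.join('; ')}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse of the project's package-lock.json; the edit-distance band and the watchlist are the two knobs to tune, since a short watchlist with a distance of 2 will produce false positives on legitimately similar names, which is why each finding carries its reasons rather than a verdict.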

How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Contagious Interview expands with new malicious packages across five ecosystems
More than a dozen new malicious software packages linked to North Korea's Contagious Interview campaign were published across npm, PyPI, Go Modules, crates.io, and Packagist. Reporting said the campaign had used more than 1,700 illicit packages since emerging in January 2025, underscoring an expanding software supply chain threat.
Researchers identify 338 malicious npm packages tied to Contagious Interview
Socket reported that North Korea's Contagious Interview campaign had escalated through 338 malicious npm packages on the npm registry. The packages were linked to cryptocurrency theft activity and had accumulated roughly 50,000 downloads.
Researchers detail Contagious Interview's Python post-infection payloads
Analysis published on North Korean activity delivered via malicious npm packages described a multi-stage Python malware chain used after initial infection. The report documented browser credential and payment-data theft, host triage, keylogging, file collection, command execution, and optional AnyDesk deployment for remote access.
Sources
North Korea’s Contagious Interview Campaign Spreads Across 5 Ecosystems, Delivering Staged RAT Payloads (infosec.pub)
Iranian cyberattacks to continue amid ceasefire | brief | SC Media (scworld.com)
North Korean APT “Contagious Interview” Floods npm Registry with 338 Malicious Packages to Steal Crypto (securityonline.info)
North Korea’s Contagious Interview Campaign Escalates: 338 Malicious npm Packages, 50,000 Downloads (socket.dev)
North Korea’s Post-Infection Python Payloads - One Night in Norfolk (norfolkinfosec.com)