The North Korea-linked persistent campaign known as Contagious Interview has spread its tentacles by publishing malicious packages targeting the Go, Rust, and PHP ecosystems.
“The threat actor’s packages were designed to impersonate legitimate developer tooling […], while quietly functioning as malware loaders, extending Contagious Interview’s established playbook into a coordinated cross-ecosystem supply chain operation,” Socket security researcher Kirill Boychenko said in a Tuesday report.
The complete list of identified packages is as follows –
- npm: dev-log-core, logger-base, logkitx, pino-debugger, debug-fmt, debug-glitz
- PyPI: logutilkit, apachelicense, fluxhttp, license-utils-kit
- Go: github[.]com/golangorg/formstash, github[.]com/aokisasakidev/mit-license-pkg
- Rust: logtrace
- Packagist: golangorg/logkit
These loaders are designed to fetch platform-specific second-stage payloads, which turn out to be a piece of malware with infostealer and remote access trojan (RAT) capabilities. It’s primarily focused on gathering data from web browsers, password managers, and cryptocurrency wallets.
However, a Windows version of the malware delivered via “license-utils-kit” incorporates what’s described by Socket as a “full post-compromise implant” that’s equipped to run shell commands, log keystrokes, steal browser data, upload files, terminate web browsers, deploy AnyDesk for remote access, create an encrypted archive, and download additional modules.
“That makes this cluster notable not just for its cross-ecosystem reach, but for the depth of post-compromise functionality embedded in at least part of the campaign,” Boychenko added.
What makes the latest set of libraries noteworthy is that the malicious code is not triggered during installation.Rather, it’s embedded into seemingly legitimate functions that align with the package’s advertised purpose. For instance, in the case of “logtrace,” the code is concealed within “Logger::trace(i32),” a method that’s unlikely to raise a developer’s suspicion.
The expansion of Contagious Interview across five open-source ecosystems is a further sign that the campaign is a well-resourced and persistent supply chain threat engineered to systematically infiltrate these platforms as initial access pathways to breach developer environments for espionage and financial gain.
In all, Socket said it has identified more than 1,700 malicious packages linked to the activity since the start of January 2025.
The discovery is part of a broader software supply chain compromise campaign undertaken by North Korean hacking groups. This includes the poisoning of the popular Axios npm package to distribute an implant called WAVESHAPER.V2 after taking control of the package maintainer’s npm account via a tailored social engineering campaign.
The attack has been attributed to a financially motivated threat actor known as UNC1069, which overlaps with BlueNoroff, Sapphire Sleet, and Stardust Chollima….
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
