Contagious Interview gets an upgrade for 2026
Contents
Contagious Interview gets an upgrade for 2026 - A comprehensive analysis by OpenSourceMalware
A single NPM package that led us to the Lazarus Groups latest campaign targeting software engineers using fake recruiters on LinkedIn, Fiverr and UpWork.
Paul McCarty
January 20, 2026
20 min read
npm
lazarus
supply-chain
contagious-interview
dprk
malware
north-korea
threat-intelligence
Software engineers are still falling prey to fake recruiters who approach them offering high paying roles
From NPM package to North Korean Backdoor
*By: 6mile Date: January 19, 2026
Introduction: The Package That Started It All
It started with what looked like an innocuous npm package: tailwindcss-forms-kit. The name seemed legitimate enough—Tailwind CSS is a popular utility-first CSS framework, and a package offering pre-built form components would be exactly the kind of developer productivity tool that gets installed without much scrutiny. But this wasn't a helpful utility. It was the opening move in a sophisticated, multi-stage attack orchestrated by North Korean state-sponsored threat actors.
Over the course of my investigation, I would trace this malicious …
A single NPM package that led us to the Lazarus Groups latest campaign targeting software engineers using fake recruiters on LinkedIn, Fiverr and UpWork.
Paul McCarty
January 20, 2026
20 min read
npm
lazarus
supply-chain
contagious-interview
dprk
malware
north-korea
threat-intelligence
Software engineers are still falling prey to fake recruiters who approach them offering high paying roles
From NPM package to North Korean Backdoor
*By: 6mile Date: January 19, 2026
Introduction: The Package That Started It All
It started with what looked like an innocuous npm package: tailwindcss-forms-kit. The name seemed legitimate enough—Tailwind CSS is a popular utility-first CSS framework, and a package offering pre-built form components would be exactly the kind of developer productivity tool that gets installed without much scrutiny. But this wasn't a helpful utility. It was the opening move in a sophisticated, multi-stage attack orchestrated by North Korean state-sponsored threat actors.
Over the course of my investigation, I would trace this malicious …