Deep Dive into Active Github Network Running Contagious Interview
I am sharing a comprehensive threat intelligence report documenting an active #DPRK (North Korean) state-sponsored operation that is targeting cryptocurrency developers and blockchain companies. This is the product of an independent investigation that has been ongoing since mid-2025 and has identified extensive live infrastructure, operator accounts, and malware tooling that remain operational today.
This campaign is tracked across the security industry under multiple names: Contagious Interview (Palo Alto Unit42), DEV#POPPER (eSentire), OmniStealer (eSentire), Famous Chollima (CrowdStrike), Void Dokkaebi (Trend Micro), PolinRider (OpenSourceMalware), UNC5342 (Mandiant), Tenacious Pungsan, PurpleBravo, WaterPlum, and Slow Pisces. Our independent findings have been cross-referenced against published reports from eSentire, Securonix, Check Point Research, Socket.dev, and the OpenSourceMalware team's recent Neutralinojs supply chain compromise disclosure. All findings converge on the same operational unit.
SCOPE OF THE CAMPAIGN:
This operation targets developers through fake job interviews, poisoned open-source repositories, and malicious npm packages. The objective is theft of cryptocurrency wallet credentials, private …