North Korea’s Contagious Interview Campaign Spreads Across 5 Ecosystems, Delivering Staged RAT Payloads
Contents
Research
Supply Chain Attack on Axios Pulls Malicious Dependency from npm
A supply chain attack on Axios introduced a malicious dependency, [email protected], published minutes earlier and absent from the project’s GitHub releases.
Malicious packages published to npm, PyPI, Go Modules, crates.io, and Packagist impersonate developer tooling to fetch staged malware, steal credentials and wallets, and enable remote access.
April 7, 2026
8 min read
We have been tracking North Korea’s Contagious Interview operation since 2024 and maintain a dedicated campaign page that now tracks more than 1,700 malicious packages linked to the activity. In this newly identified cluster, the threat actors operated under GitHub aliases including golangorg
and published malicious packages across five open source ecosystems:
dev-log-core
, logger-base
, logkitx
logutilkit
, apachelicense
, fluxhttp
, and license-utils-kit
github[.]com/golangorg/formstash
logtrace
golangorg/logkit
The threat actor’s packages were designed to impersonate legitimate developer tooling (such as debug
, debug-logfmt
, pino-debug
, baraka
, license
, http
, libprettylogger
, and openlss/func-log
), while quietly functioning as malware loaders, extending Contagious Interview’s established playbook into a coordinated …
Supply Chain Attack on Axios Pulls Malicious Dependency from npm
A supply chain attack on Axios introduced a malicious dependency, [email protected], published minutes earlier and absent from the project’s GitHub releases.
Malicious packages published to npm, PyPI, Go Modules, crates.io, and Packagist impersonate developer tooling to fetch staged malware, steal credentials and wallets, and enable remote access.
April 7, 2026
8 min read
We have been tracking North Korea’s Contagious Interview operation since 2024 and maintain a dedicated campaign page that now tracks more than 1,700 malicious packages linked to the activity. In this newly identified cluster, the threat actors operated under GitHub aliases including golangorg
and published malicious packages across five open source ecosystems:
dev-log-core
, logger-base
, logkitx
logutilkit
, apachelicense
, fluxhttp
, and license-utils-kit
github[.]com/golangorg/formstash
logtrace
golangorg/logkit
The threat actor’s packages were designed to impersonate legitimate developer tooling (such as debug
, debug-logfmt
, pino-debug
, baraka
, license
, http
, libprettylogger
, and openlss/func-log
), while quietly functioning as malware loaders, extending Contagious Interview’s established playbook into a coordinated …
IoC
https://github.com/maxcointech1010
http://github.com/golangorg/formstash
http://logkit.onrender.com
https://github.com/maxcointech0000
https://apachelicense.vercel.app/getAddress?platform={
http://ngrok-free.vercel.app
https://github.com/golangorg
https://apachelicense.vercel.app/getAddress?platform=
http://apachelicense.vercel.app
http://drive.usercontent.google.com/download?id=<file_id
http://66.45.225.94
http://apachelicense.vercel.app/getAddress?platform=logmain&id=LOG
https://github.com/aokisasakidev
http://gmail.com
http://drive.google.com/file/d/<file_id
http://github.com/aokisasakidev/mit-license-pkg
https://apachelicense.vercel.app/getAddress?platform=<platform
http://logkit-tau.vercel.app
66.45.225.94
[email protected]
[email protected]
[email protected]
7c5adef4b5aee7a4aa6e795a86f8b7d601618c3bc003f1326ca57d03ec7d6524
bb2a89001410fa5a11dea6477d4f5573130261badc67fe952cfad1174c2f0edd
9a541dffb7fc18dc71dbc8523ec6c3a71c224ffeb518ae3a8d7d16377aebee58
http://github.com/golangorg/formstash
http://logkit.onrender.com
https://github.com/maxcointech0000
https://apachelicense.vercel.app/getAddress?platform={
http://ngrok-free.vercel.app
https://github.com/golangorg
https://apachelicense.vercel.app/getAddress?platform=
http://apachelicense.vercel.app
http://drive.usercontent.google.com/download?id=<file_id
http://66.45.225.94
http://apachelicense.vercel.app/getAddress?platform=logmain&id=LOG
https://github.com/aokisasakidev
http://gmail.com
http://drive.google.com/file/d/<file_id
http://github.com/aokisasakidev/mit-license-pkg
https://apachelicense.vercel.app/getAddress?platform=<platform
http://logkit-tau.vercel.app
66.45.225.94
[email protected]
[email protected]
[email protected]
7c5adef4b5aee7a4aa6e795a86f8b7d601618c3bc003f1326ca57d03ec7d6524
bb2a89001410fa5a11dea6477d4f5573130261badc67fe952cfad1174c2f0edd
9a541dffb7fc18dc71dbc8523ec6c3a71c224ffeb518ae3a8d7d16377aebee58