The OpenSourceMalware Show #5
2026-05-21 • Open Source Malware
https://opensourcemalware.com/blog/opensourcemalware-show-episode05
OpenSourceMalware discussed three malicious npm packages tied to the actor behind the March Axios compromise, saying they had quietly harvested developer credentials since early April. The DPRK-linked activity was framed as supporting parallel Contagious Interview and TaskJacker campaigns, with GitHub repositories observed calling out to the packages and payload mechanisms similar to prior Axios-linked activity. The episode also covered npm staged publishing limitations and separate TeamPCP supply-chain incidents, but the DPRK-relevant finding centers on credential-theft packages used to sustain broader Lazarus-linked campaign infrastructure.