North Korean “Contagious Interview” Campaign Targets Go, Rust and PHP in Software Supply Chain Attacks

CyberSecureFox

North Korean threat actors have significantly expanded the “Contagious Interview” software supply chain campaign, placing malicious packages across multiple open-source ecosystems, including Go, Rust and PHP. According to security company Socket, the objective is to compromise developer environments, gain initial access into corporate networks and enable both espionage and financially motivated operations.

North Korean supply chain campaign spreads across Go, Rust and PHP

Researchers at Socket report that attackers are publishing packages that mimic legitimate developer tools such as logging utilities, license helpers and generic support libraries. While these libraries appear to offer useful functionality, they in fact act as loaders for second-stage malware, creating a cross-ecosystem software supply chain operation.

Once installed and invoked, these loaders retrieve platform-specific modules that combine the capabilities of an infostealer and a remote access trojan (RAT). The malware is designed to exfiltrate data from web browsers, password managers and cryptocurrency wallets. Developer workstations are a particularly valuable target, as they often hold source code, credentials and access tokens that can be leveraged to move deeper into an organization’s infrastructure.

A Windows-focused variant, distributed via a package named “license-utils-kit”, stands out as a full-featured post-exploitation implant. Socket describes functionality that includes shell command execution, keylogging, browser data theft, file upload and download, forced termination of browser processes, deployment of the AnyDesk remote access tool, creation of encrypted archives and loading of additional modules. This elevates the campaign well beyond a simple credential stealer and into the realm of long-term, interactive access tooling.

Hidden malware logic inside normal-looking library functions

One of the most concerning aspects of Contagious Interview is the way the malicious code is triggered. The payload is not executed at package installation time, which is a common red flag in traditional supply chain attacks. Instead, the logic is embedded inside functions that appear to serve the documented purpose of the library.

In the case of the Rust package “logtrace”, the malicious segment is concealed inside the method Logger::trace(i32). Calling a trace-level logging function is perfectly natural within production code and continuous integration (CI) pipelines, making this behavior extremely difficult for developers to spot. This approach also complicates static and automated analysis, increasing the likelihood that the malware will run silently in real-world applications and CI/CD workflows without exhibiting obvious suspicious behavior during installation.

Part of a broader DPRK software supply chain operation

Socket links the expansion of Contagious Interview to a broader North Korean software supply chain campaign. The same activity cluster is associated with the compromise of the popular npm package Axios, where attackers propagated the WAVESHAPER.V2 implant after taking over the maintainer’s account via targeted social engineering.

This activity is attributed to the financially motivated actor UNC1069, which overlaps with North Korean clusters commonly tracked as BlueNoroff, Sapphire Sleet and Stardust Chollima. These groups blend cyber espionage with cybercrime, focusing on stealing funds and obtaining access to financial and technology organizations. Their tactics mirror other high-impact supply chain incidents seen in recent years, including the SolarWinds compromise and the attempted xz backdoor in 2024, underscoring how attractive the software supply chain has become as an initial access vector.

Social engineering via Zoom, Microsoft Teams and messaging platforms

Data from Security Alliance (SEAL) indicates that between 6 February and 7 April 2026, defenders blocked 164 domains linked to UNC1069 that impersonated major video conferencing services such as Microsoft Teams and Zoom. Threat actors conduct multi-week, low-noise social engineering campaigns over Telegram, LinkedIn and Slack, often posing as legitimate contacts or well-known brands, or operating from previously compromised accounts.

The final step is typically a fraudulent Zoom or Teams meeting link that leads to a lure page resembling known techniques such as ClickFix, prompting the user to perform actions that ultimately execute malware. The deployed implant then connects to attacker-controlled infrastructure and enables post-exploitation activity across Windows, macOS and Linux systems.

SEAL observes that operators frequently leave implants dormant after initial access. Victims may assume the meeting simply failed and reschedule, continuing normal work while the malware remains undetected. This delayed activation extends dwell time inside the environment and maximizes the volume of data that can be collected before incident response begins.

Impact on software supply chain security and development teams

Socket reports that since January 2025, it has identified more than 1,700 malicious packages associated with this campaign. The scale and cross-ecosystem nature of the operation highlight a persistent, well-resourced threat to the open-source ecosystem and to software supply chains globally.

Microsoft threat intelligence confirms the ongoing evolution of tools and infrastructure used by DPRK-linked financially motivated groups. According to Sherrod DeGrippo, General Manager for Threat Intelligence at Microsoft, these actors continuously adapt their tactics and infrastructure while maintaining consistent objectives and behavioral patterns, including the use of domains masquerading as U.S. financial institutions and conferencing services to support social engineering operations.

Practical measures to strengthen software supply chain defenses

To reduce exposure to campaigns like Contagious Interview, organizations and development teams should consider:

– Using internal mirrors and private repositories with a strict allow-list of trusted packages, and tightly controlling the introduction of new dependencies.
– Pinning dependency versions and hashes in lock files and build manifests to prevent silent upgrades to malicious versions.
– Deploying software composition analysis (SCA) and behavioral analysis tools that evaluate library behavior, not just licenses and CVEs.
– Isolating CI/CD pipelines and developer workstations, enforcing least privilege, and ensuring robust EDR/antivirus coverage on these high-value systems.
– Enabling multi-factor authentication (MFA) on npm, GitHub and other ecosystem accounts to make account takeover of maintainers more difficult.
– Training staff to recognize social engineering around Zoom/Teams invitations, manually verify domains, and avoid launching “fixes” or “updates” from untrusted or unsolicited sources.
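The first two measures above (a strict allow-list of trusted packages and pinned versions and checksums) can be enforced mechanically before a build runs. The script below is an added example, not code from the article or from Socket: it parses a Cargo.lock and a go.sum, checks every dependency against an allow-list of approved names and versions, and flags registry packages that carry no pinned checksum. The lock-file contents, checksums, module paths and the `ALLOWLIST` mapping are all constructed for illustration; only the crate name `logtrace` comes from the article, and it is used here simply as a package that is absent from the allow-list.

```python
"""Dependency-policy check for Cargo.lock and go.sum (added example).

Enforces an allow-list of (ecosystem, package) -> approved versions and
requires a pinned checksum for every registry-sourced package. All sample
lock-file data below is constructed; it is not real package metadata.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Dep:
    ecosystem: str            # "cargo" or "go"
    name: str
    version: str
    checksum: Optional[str]   # None when the lock file carries no hash
    registry: bool            # True for registry/proxy sourced packages


def parse_cargo_lock(text: str) -> list:
    """Parse the [[package]] tables of a Cargo.lock (TOML subset)."""
    deps = []
    for block in re.split(r"^\[\[package\]\]\s*$", text, flags=re.M)[1:]:
        # Only 'key = "value"' lines at column 0; dependency arrays are skipped.
        fields = dict(re.findall(r'^(\w+) = "([^"]*)"', block, flags=re.M))
        deps.append(Dep(
            ecosystem="cargo",
            name=fields["name"],
            version=fields["version"],
            checksum=fields.get("checksum"),
            # Workspace and path crates have no "source" line and no checksum.
            registry=fields.get("source", "").startswith("registry+"),
        ))
    return deps


def parse_go_sum(text: str) -> list:
    """Parse go.sum lines of the form '<module> <version>[/go.mod] <h1:hash>'."""
    deps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed go.sum line: {line!r}")
        module, version, digest = parts
        if version.endswith("/go.mod"):
            continue  # go.mod-only hash; the module zip hash is the one we pin
        deps.append(Dep("go", module, version, digest, True))
    return deps


def check_policy(deps: list, allowlist: dict) -> list:
    """Return (dep, reason) pairs for dependencies that violate policy."""
    findings = []
    for d in deps:
        allowed = allowlist.get((d.ecosystem, d.name))
        if allowed is None:
            findings.append((d, "not on allow-list"))
        elif d.version not in allowed:
            findings.append((d, f"version {d.version} not approved"))
        if d.registry and not d.checksum:
            findings.append((d, "registry package without pinned checksum"))
        if d.ecosystem == "go" and not (d.checksum or "").startswith("h1:"):
            findings.append((d, "unexpected go.sum hash format"))
    return findings


# Constructed sample inputs (hashes are placeholders, not real digests).
SAMPLE_CARGO_LOCK = """\
[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "serde",
 "logtrace",
]

[[package]]
name = "serde"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "constructed-checksum-serde-0000000000000000000000000000000000000000"

[[package]]
name = "logtrace"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "constructed-checksum-logtrace-00000000000000000000000000000000000000"
"""

SAMPLE_GO_SUM = """\
example.com/approvedlib v1.4.0 h1:constructed0000000000000000000000000000000=
example.com/approvedlib v1.4.0/go.mod h1:constructed000000000000000000000000000=
example.invalid/unknown-helper v0.0.1 h1:constructed000000000000000000000000000=
"""

# Hypothetical allow-list: (ecosystem, package) -> approved versions.
ALLOWLIST = {
    ("cargo", "myapp"): {"0.1.0"},   # workspace crate
    ("cargo", "serde"): {"1.0.0"},
    ("go", "example.com/approvedlib"): {"v1.4.0"},
}


def run_checks() -> list:
    """Run both parsers over the samples and return human-readable findings."""
    deps = parse_cargo_lock(SAMPLE_CARGO_LOCK) + parse_go_sum(SAMPLE_GO_SUM)
    return [f"{d.ecosystem}:{d.name}@{d.version}: {why}"
            for d, why in check_policy(deps, ALLOWLIST)]


if __name__ == "__main__":
    for finding in run_checks():
        print(finding)
```

Run against the constructed samples it reports two findings, the unapproved `logtrace` crate and the unapproved Go module; a CI job would fail the build on any non-empty result. The allow-list keys on both name and version, so a new version of an approved package still needs an explicit review before it can enter the build, which is the "tightly controlling the introduction of new dependencies" step rather than a one-time gate.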

The expansion of the Contagious Interview campaign demonstrates that software supply chain attacks are now a core instrument for state-linked and financially motivated groups. Organizations that proactively harden dependency management, secure developer environments and invest in user awareness will be better positioned to prevent everyday libraries and routine video calls from becoming the starting point for serious intrusions.
