The North Korea-linked campaign known as Contagious Interview has expanded across five open-source ecosystems, publishing 1,700 malicious packages designed to impersonate legitimate developer tooling and act as malware loaders. These packages target npm, PyPI, Go, Rust, and Packagist, with loaders that fetch platform-specific second-stage payloads and deliver a malware stack that includes infostealer and remote access trojan capabilities.
The campaign’s growth is highlighted by Socket security researcher Kirill Boychenko, who described it as a coordinated cross-ecosystem supply chain operation. A Windows variant delivered via the license-utils-kit is described as a full post-compromise implant capable of running shell commands, logging keystrokes, stealing browser data, uploading files, and enabling remote access through AnyDesk, among other functions.
The activity, identified since January 2025, has been attributed to a threat actor linked to UNC1069, which security researchers say operates through multi-week social engineering campaigns across Telegram, LinkedIn and Slack before delivering malicious links.