North Korean 'Contagious Interview' Campaign Now Targets Go, Rust, and PHP Ecosystems
The North Korea-linked 'Contagious Interview' campaign is expanding its reach, now targeting Go, Rust, and PHP ecosystems with malicious packages. These packages impersonate legitimate developer tools while functioning as malware loaders, enabling data theft and remote access.

The North Korea-linked persistent campaign known as **Contagious Interview** has spread its reach by publishing malicious packages targeting the Go, Rust, and PHP ecosystems.
"The threat actor's packages were designed to impersonate legitimate developer tooling [...], while quietly functioning as malware loaders, extending Contagious Interview's established playbook into a coordinated cross-ecosystem supply chain operation," **Socket** security researcher Kirill Boychenko said in a Tuesday report.
### Malicious Packages Identified
The complete list of identified packages is as follows:
* npm: dev-log-core, logger-base, logkitx, pino-debugger, debug-fmt, debug-glitz
* PyPI: logutilkit, apachelicense, fluxhttp, license-utils-kit
* Go: github[.]com/golangorg/formstash, github[.]com/aokisasakidev/mit-license-pkg
* Rust: logtrace
* Packagist: golangorg/logkit
These loaders are designed to fetch platform-specific second-stage payloads, which are malware with infostealer and remote access trojan (RAT) capabilities. The malware primarily focuses on gathering data from web browsers, password managers, and cryptocurrency wallets.
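The package names above are the indicators a defender can act on first. The script below is an added example (not Socket's tooling or anything from the report) that parses the common manifest and lockfile formats of the five affected ecosystems and flags any dependency whose name matches the listed packages. The manifest snippets and version numbers embedded in it are constructed for illustration, and the Go module paths are written in their real (refanged) form so they can be compared against a `go.mod`.

```python
"""Flag dependency manifests that reference the packages Socket attributed to
the Contagious Interview cluster.  Added example, not Socket's own tooling;
all manifest samples and version numbers below are constructed."""
import json
import re

# Package names exactly as listed in the report, keyed by ecosystem.
IOC_PACKAGES = {
    "npm": {"dev-log-core", "logger-base", "logkitx", "pino-debugger",
            "debug-fmt", "debug-glitz"},
    "pypi": {"logutilkit", "apachelicense", "fluxhttp", "license-utils-kit"},
    "go": {"github.com/golangorg/formstash",
           "github.com/aokisasakidev/mit-license-pkg"},
    "cargo": {"logtrace"},
    "packagist": {"golangorg/logkit"},
}


def deps_from_package_lock(text):
    """npm lockfile: v2/v3 keys "packages" by "node_modules/<name>",
    v1 keys "dependencies" by name directly."""
    data = json.loads(text)
    names = set()
    for path in data.get("packages", {}):
        if path.startswith("node_modules/"):
            names.add(path.rsplit("node_modules/", 1)[1])
    names.update(data.get("dependencies", {}))
    return names


def deps_from_requirements(text):
    """requirements.txt: take the name before any version specifier and
    normalise it the way PyPI does (lowercase, runs of -_. become -)."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.add(re.sub(r"[-_.]+", "-", m.group(1)).lower())
    return names


def deps_from_go_mod(text):
    """go.mod: module paths followed by a version, inside or outside a
    require block; the 'module' and 'go' directives carry no version."""
    names = set()
    for line in text.splitlines():
        m = re.match(r"(?:require\s+)?([\w.\-]+(?:/[\w.\-]+)+)\s+v[\w.\-+]+",
                     line.strip())
        if m:
            names.add(m.group(1))
    return names


def deps_from_cargo_lock(text):
    """Cargo.lock: every [[package]] table has a name = "..." line."""
    return set(re.findall(r'^name\s*=\s*"([^"]+)"', text, re.MULTILINE))


def deps_from_composer(text):
    """composer.json: vendor/package keys under require and require-dev."""
    data = json.loads(text)
    names = set()
    for key in ("require", "require-dev"):
        names.update(data.get(key, {}))
    return names


PARSERS = {
    "package-lock.json": ("npm", deps_from_package_lock),
    "requirements.txt": ("pypi", deps_from_requirements),
    "go.mod": ("go", deps_from_go_mod),
    "Cargo.lock": ("cargo", deps_from_cargo_lock),
    "composer.json": ("packagist", deps_from_composer),
}


def scan_manifest(filename, text):
    """Return sorted (ecosystem, name) pairs for one manifest's IoC hits."""
    eco, parser = PARSERS[filename]
    return sorted((eco, n) for n in parser(text) if n in IOC_PACKAGES[eco])


# Constructed manifests: one benign and one listed dependency per ecosystem.
SAMPLES = {
    "package-lock.json": json.dumps({"packages": {
        "": {}, "node_modules/express": {}, "node_modules/pino-debugger": {}}}),
    "requirements.txt": "requests==2.31.0\nLicense_Utils.Kit==0.3  # constructed\n",
    "go.mod": ("module example.com/app\n\ngo 1.22\n\nrequire (\n"
               "\tgithub.com/golangorg/formstash v0.1.0\n"
               "\tgolang.org/x/crypto v0.21.0 // indirect\n)\n"),
    "Cargo.lock": ('[[package]]\nname = "serde"\nversion = "1.0.0"\n\n'
                   '[[package]]\nname = "logtrace"\nversion = "0.1.0"\n'),
    "composer.json": json.dumps({"require": {"php": ">=8.1",
                                             "golangorg/logkit": "^1.0"}}),
}


def scan_all(samples=SAMPLES):
    """Scan every sample manifest and collect all hits in file order."""
    hits = []
    for fname, text in samples.items():
        hits.extend(scan_manifest(fname, text))
    return hits


if __name__ == "__main__":
    for eco, name in scan_all():
        print(f"HIT {eco}: {name}")
```

Name matching on its own is the narrowest check: it catches the listed packages in a repository's manifests but says nothing about typosquats or renamed forks, so treat a hit as a trigger for pulling the lockfile history and the CI logs rather than as the whole investigation.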
### Advanced Post-Compromise Capabilities
Notably, the Windows version of the malware delivered via "license-utils-kit" incorporates what **Socket** describes as a "full post-compromise implant." This implant can run shell commands, log keystrokes, steal browser data, upload files, terminate web browsers, deploy **AnyDesk** for remote access, create an encrypted archive, and download additional modules.
"That makes this cluster notable not just for its cross-ecosystem reach, but for the depth of post-compromise functionality embedded in at least part of the campaign," Boychenko added.
### Concealed Malicious Code
A key aspect of these libraries is that the malicious code is not triggered during installation. Instead, it's embedded into seemingly legitimate functions that align with the package's advertised purpose. For instance, in the case of "logtrace," the code is concealed within "Logger::trace(i32)," a method unlikely to raise suspicion.
The expansion of Contagious Interview across five open-source ecosystems indicates a well-resourced and persistent supply chain threat. The campaign aims to systematically infiltrate these platforms as initial access pathways to breach developer environments for espionage and financial gain.
In all, **Socket** has identified more than 1,700 malicious packages linked to the activity since the start of January 2025.
### Broader Campaign and Attribution
The discovery is part of a broader software supply chain compromise campaign undertaken by North Korean hacking groups. This includes the poisoning of the popular Axios npm package to distribute an implant called WAVESHAPER.V2 after taking control of the package maintainer's npm account via a tailored social engineering campaign.
The attack has been attributed to a financially motivated threat actor known as UNC1069, which overlaps with **BlueNoroff**, **Sapphire Sleet**, and **Stardust Chollima**. **Security Alliance (SEAL)**, in a report published today, said it blocked 164 UNC1069-linked domains impersonating services like **Microsoft Teams** and **Zoom** between February 6 and April 7, 2026.
"UNC1069 operates multi-week, low-pressure social engineering campaigns across **Telegram**, **LinkedIn**, and **Slack**, either impersonating known contacts or credible brands or by leveraging access to previously compromised company and individual accounts, before delivering a fraudulent **Zoom** or **Microsoft Teams** meeting link," **SEAL** said.
These fake meeting links are used to serve ClickFix-like lures, resulting in the execution of malware that contacts an attacker-controlled server for data theft and targeted post-exploitation activity across Windows, macOS, and Linux.
"Operators deliberately do not act immediately following initial access. The implant is left dormant or passive for a period following compromise," **SEAL** added. "The target typically reschedules the failed call and continues normal operations, unaware that the device is compromised. This patience extends the operational window and maximizes the value extracted before any incident response is triggered."
### Microsoft's Statement
In a statement shared with The Hacker News, **Microsoft** said financially-driven North Korean threat actors are actively evolving their toolset and infrastructure, using domains masquerading as U.S.-based financial institutions and video conferencing applications for social engineering.
"What we are seeing consistently is ongoing evolution in how DPRK-linked, financially motivated actors operate, shifts in tooling, infrastructure, and targeting, but with clear continuity in behavior and intent," Sherrod DeGrippo, general manager for threat intelligence at **Microsoft**, said.