👤 LOGICFALCON
🗓️ 08 Apr 2026   🌍 Asia

PyPI, npm, and Beyond: North Korean Hackers Launch Massive Stealth Attack on Open-Source Ecosystems

Over 1,700 malicious software packages, spread across five popular development platforms, mark a new escalation in North Korean cyber-espionage and financial crime.

It started like any other day for thousands of developers worldwide - installing a new logging library, updating dependencies, or tinkering with open-source tools. Unbeknownst to many, a silent and sprawling campaign was underway: North Korean hackers, under the codename “Contagious Interview,” had infiltrated trusted software repositories with more than 1,700 poisoned packages, turning the very backbone of digital innovation into a weapon for espionage and theft.

According to security researchers at Socket, the Contagious Interview campaign represents a coordinated, cross-ecosystem supply chain assault. Instead of relying on easily spotted installation scripts, the attackers embedded their malware within the core logic of everyday functions - like the innocuous Logger::trace(i32) in Rust’s “logtrace” package - so the malicious code only runs when the library is actually used, making detection nearly impossible for unsuspecting developers.

The infected packages, including names like dev-log-core (npm), logutilkit (PyPI), and logtrace (Rust), act as malware loaders. Once installed and used, they fetch platform-specific payloads capable of everything from stealing browser data and crypto wallets to logging keystrokes and executing remote commands. In one case, the Windows variant delivered via “license-utils-kit” included a full suite of post-compromise tools: running shell commands, deploying AnyDesk for remote access, uploading files, and even creating encrypted archives for data exfiltration.
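Because the loaders described above hide in ordinary library code rather than in install hooks, scanning install scripts alone is not enough; the quickest defensive check a team can run today is to audit every dependency manifest against the package names that have already been reported. The script below is an added example written for this article, not code from Socket or from any of the projects named. It parses a package.json, a requirements.txt and a Cargo.toml (the Cargo parsing is a deliberately minimal line-based reader, not a full TOML parser) and reports any dependency whose name matches the denylist. The denylist holds only the names quoted in the article; "license-utils-kit" is named without an ecosystem, so listing it under all three is an assumption, and the manifests themselves are constructed sample input.

```python
"""Cross-ecosystem dependency audit against reported malicious package names."""
import json
import re

# Names quoted in the article. "license-utils-kit" has no stated ecosystem in
# the article, so placing it under every ecosystem is an assumption.
KNOWN_MALICIOUS = {
    "npm": {"dev-log-core", "license-utils-kit"},
    "pypi": {"logutilkit", "license-utils-kit"},
    "crates": {"logtrace", "license-utils-kit"},
}


def normalize(ecosystem, name):
    """Lower-case the name; PyPI additionally folds '-', '_' and '.' (PEP 503)."""
    name = name.strip().lower()
    if ecosystem == "pypi":
        name = re.sub(r"[-_.]+", "-", name)
    return name


def parse_package_json(text):
    """Collect direct npm dependency names from all dependency sections."""
    data = json.loads(text)
    names = set()
    for key in ("dependencies", "devDependencies", "optionalDependencies"):
        names.update(data.get(key, {}).keys())
    return names


def parse_requirements(text):
    """Collect project names from a pip requirements file, ignoring options and comments."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.add(m.group(1))
    return names


def parse_cargo_toml(text):
    """Minimal reader for [dependencies]-style tables and [dependencies.<crate>] sub-tables."""
    names = set()
    in_deps = False
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.startswith("["):
            parts = s.strip("[]").split(".")
            # [dependencies.foo] names the crate directly in the table header.
            if len(parts) == 2 and parts[0].endswith("dependencies"):
                names.add(parts[1].strip('"'))
                in_deps = False
            else:
                # Covers [dependencies], [dev-dependencies], [build-dependencies]
                # and target-specific tables ending in "dependencies".
                in_deps = parts[-1].endswith("dependencies")
            continue
        if in_deps and "=" in s:
            names.add(s.split("=", 1)[0].strip().strip('"'))
    return names


def audit(manifests):
    """manifests: {ecosystem: text}. Returns sorted (ecosystem, name) pairs that hit the denylist."""
    parsers = {"npm": parse_package_json, "pypi": parse_requirements, "crates": parse_cargo_toml}
    hits = set()
    for eco, text in manifests.items():
        for raw in parsers[eco](text):
            name = normalize(eco, raw)
            if name in KNOWN_MALICIOUS[eco]:
                hits.add((eco, name))
    return sorted(hits)


# Constructed sample manifests, each seeded with one name from the article.
SAMPLE_MANIFESTS = {
    "npm": json.dumps({"dependencies": {"express": "^4", "dev-log-core": "1.0.0"},
                       "devDependencies": {"jest": "^29"}}),
    "pypi": "requests==2.31\nLogUtilKit>=0.1  # logging helper\n-r base.txt\n",
    "crates": '[package]\nname = "app"\n\n[dependencies]\nserde = "1"\nlogtrace = "0.2"\n\n'
              '[dev-dependencies]\ncriterion = "0.5"\n',
}

if __name__ == "__main__":
    for eco, name in audit(SAMPLE_MANIFESTS):
        print(f"BLOCK {eco}: {name}")
```

A name match only catches packages that have already been reported, so treat it as the floor, not the ceiling: pair it with lock-file pinning and review of any new dependency whose code reaches out to the network or spawns processes from inside ordinary library functions, which is the pattern the article describes.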

This campaign is not just broad - it’s deep. The attackers’ patience is legendary: after initial compromise, the malware often sits dormant, waiting for the perfect moment to strike. Meanwhile, North Korean operatives conduct elaborate social engineering campaigns, posing as trusted contacts on LinkedIn, Slack, or via email, luring targets into fake Zoom or Microsoft Teams meetings. These “meetings” deliver further malware, expanding access across Windows, macOS, and Linux environments.

Security Alliance (SEAL) reports blocking over 160 domains linked to UNC1069, which masquerade as everything from software vendors to video conferencing apps. Microsoft threat intelligence confirms that North Korean actors are constantly evolving, shifting their infrastructure and tactics but maintaining a relentless focus on financial gain and intelligence collection.

The scale and sophistication of Contagious Interview signal a new era in software supply chain attacks. Open-source ecosystems, long celebrated for their transparency and collaboration, have become battlegrounds - where a single compromised account or overlooked library update can open the door to global cyber-espionage.

As the dust settles, one thing is clear: the trust developers place in open-source code is now a primary target for nation-state hackers. The future of software security may well depend on how quickly the community can adapt - and how vigilant we remain against threats hiding in plain sight.

WIKICROOK

  • Supply Chain Attack: A supply chain attack is a cyberattack that compromises trusted software or hardware providers, spreading malware or vulnerabilities to many organizations at once.
  • Remote Access Trojan (RAT): A Remote Access Trojan (RAT) is malware that lets attackers secretly control a victim’s computer from anywhere, enabling theft and spying.
  • Infostealer: An infostealer is malware designed to steal sensitive data - like passwords, credit cards, or documents - from infected computers without the user's knowledge.
  • Social Engineering: Social engineering is the use of deception by hackers to trick people into revealing confidential information or providing unauthorized system access.
  • Loader: A loader is malicious software that installs or runs other malware on an infected system, enabling further cyberattacks or unauthorized access.
