Contagious Interview: Inside the North Korean Supply Chain Operation That Breached Every Major Package Registry

Introduction

In the world of software security, supply chain attacks are considered the most dangerous class of threat — not because they are technically sophisticated, but because they exploit the one thing developers universally extend to the open-source ecosystem: trust.

On April 7, 2026, that trust was tested at an unprecedented scale. Socket, a software supply chain security firm, disclosed that a single coordinated threat actor cluster had simultaneously pushed malware loaders into npm, PyPI, Go Modules, crates.io, and Packagist — all five of the most widely used open-source package registries in the world. The campaign, attributed to North Korean state-sponsored actors and tracked under the name Contagious Interview, had been building toward this moment since at least late 2024. By the time of disclosure, Socket's tracker had recorded over 1,700 malicious packages tied to the operation.

And then, just one week before — on March 31, 2026 — came Axios.

This is the full technical breakdown of what happened, how the attackers operate, and what it means for every developer who touches open-source code.

Background: What Is Contagious Interview?

Contagious Interview is a long-running cyber operation attributed to North Korean state-sponsored threat actors, with overlapping clusters tracked by various threat intelligence firms under aliases including Lazarus Group, BlueNoroff, Sapphire Sleet, Stardust Chollima, and most recently UNC1069.

The campaign was first publicly observed gaining traction in late 2024, though researchers believe the operational groundwork was laid significantly earlier. Its defining characteristic is the combination of two attack vectors:

1. Social engineering via fake recruitment — Threat actors pose as legitimate tech recruiters on LinkedIn, Telegram, and Slack, targeting software developers and tech job seekers with fraudulent job offers.

2. Malicious open-source packages — Once a target is engaged, they are asked to complete a "coding assessment" or technical challenge that involves cloning a GitHub repository or installing an npm/PyPI package. The package contains a malware loader.

The genius of this approach — from an attacker's perspective — is that it bypasses nearly every traditional security control. The developer runs the code willingly, on their own machine, often with elevated permissions. There is no phishing email, no drive-by download, no exploit to trigger. Just a developer doing what developers do: running code.

The Social Engineering Playbook

Understanding Contagious Interview requires understanding the recruitment lure in detail, because it is remarkably well-executed.

The Initial Contact

Attackers create polished, believable recruiter personas on LinkedIn, complete with profile histories, endorsements, and connections. They reach out to developers — often mid-to-senior level engineers at companies with valuable cloud infrastructure or cryptocurrency exposure — with personalized messages referencing the target's actual skill set and experience.

The Security Alliance (SEAL) tracked 164 UNC1069-linked domains between February 6 and April 7, 2026 alone, all impersonating services like Microsoft Teams and Zoom. These domains are used to deliver fraudulent meeting links — the developer thinks they're jumping on an interview call, but the link installs a dropper instead.

The Coding Assessment

For targets who don't click the meeting link directly, the fallback is a technical assessment. The recruiter shares a GitHub repository or instructs the candidate to install a package from npm or PyPI. The repository looks legitimate — it has a README, a plausible project structure, and code that appears to perform some real function (a logging utility, a licensing helper, a crypto toolkit).

But buried inside is a staged loader.

Why Developers Are the Perfect Target

Developer machines are, by design, among the most privileged environments in any organization:

• They have access to cloud provider credentials (AWS, GCP, Azure) stored in environment variables or config files

• They hold SSH keys for production servers

• They store API tokens, GitHub tokens, and service account credentials

• They frequently have direct kubectl access to Kubernetes clusters

• They often have exceptions carved out of endpoint security policies to allow faster local compilation

A single compromised developer laptop can serve as a pivot point into an entire enterprise cloud environment. This is precisely why Contagious Interview targets developers rather than executives or end users.

Technical Anatomy of the Attack

Stage 1: The Loader Package

The initial malicious packages are deliberately minimal. This is intentional — it makes them harder to detect via static analysis. The package installs cleanly, passes a cursory review, and may even perform some legitimate function.

Socket identified the following confirmed malicious packages in the April 2026 cluster:

npm:

• dev-log-core

• logger-base

• logkitx

• pino-debugger

• debug-fmt

• debug-glitz

PyPI:

• logutilkit

• apachelicense

• fluxhttp

• license-utils-kit

Go Modules:

• github.com/golangorg/formstash

• github.com/aokisasakidev/mit-license-pkg

Rust (crates.io):

• logtrace

Packagist (PHP):

• Additional packages under the golangorg and aokisasakidev personas

The naming convention is deliberate. Packages like pino-debugger, logutilkit, and fluxhttp sound exactly like the kind of utility library a developer would casually pull in without vetting. They blend into a dependency tree.

Stage 2: The Postinstall Hook

Many of the npm packages abuse the postinstall hook in package.json — a standard npm feature that executes a script automatically after installation. This means the malicious code runs the moment a developer types npm install, before they've had any chance to review what's actually executing.

json

"scripts": {
  "postinstall": "node setup.js"
}

The setup.js (or equivalent entry point) is typically obfuscated — using base64 encoding, XOR operations, or string concatenation to disguise the actual payload. Socket has documented multiple loader families across the campaign's history, including HexEval, XORIndex, and others.

Stage 3: The C2 Beacon and Second-Stage Payload

The loader's primary job is to contact an attacker-controlled Command and Control (C2) server and download the actual malware. This two-stage approach means:

• Static analysis tools see very little code to scan

• The payload changes between operations, making signatures less effective

• The loader can be updated to fetch different second-stage malware as needed

The C2 infrastructure typically uses a mix of raw IP addresses and legitimate platform hosting (to blend into normal traffic). Communication patterns use HTTP/HTTPS with occasional WebSocket usage. URL patterns frequently include paths like /upload, /download, and /client.

Stage 4: The RAT and Infostealer Payload

The second-stage payload delivers a combination of Remote Access Trojan (RAT) and infostealer capabilities. The primary malware families observed in Contagious Interview include:

BeaverTail — A cross-platform infostealer and downloader written in JavaScript/Node.js. It targets browser credential stores, cryptocurrency wallets, and developer environment files.

OtterCookie — A modular RAT that provides persistent remote access, file exfiltration, and screenshot capabilities.

InvisibleFerret — A Python-based backdoor with keylogging and clipboard monitoring capabilities, with particular focus on cryptocurrency-related content.

Once deployed, these payloads immediately begin harvesting:

• Environment variables (including AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, cloud provider tokens)

• Kubernetes configuration files (~/.kube/config)

• SSH private keys (~/.ssh/)

• Browser-stored credentials and cookies

• Cryptocurrency wallet files and seed phrases

• .env files across the filesystem

• IDE-stored secrets and API tokens

The harvested data is exfiltrated to attacker infrastructure, typically within minutes of initial execution. By the time any behavioral monitoring might flag the activity, the credentials are already in North Korean hands.

The Axios Incident: A Watershed Moment

If the April 7 cross-ecosystem disclosure was alarming, the Axios compromise — discovered on March 31, 2026 — was a watershed moment for open-source security.

What Is Axios?

Axios is the most popular JavaScript HTTP client library in existence. It simplifies making HTTP requests from Node.js and browsers, and is a foundational dependency for millions of applications worldwide. The two affected versions — 1.14.1 and 0.30.4 — typically see over 100 million and 83 million weekly downloads respectively.

To put that in perspective: compromising Axios is roughly equivalent to poisoning a municipal water supply. Every downstream application that pulls the package is exposed.

How the Attack Worked

Google's Threat Intelligence Group (GTIG) documented the attack timeline with remarkable precision:

• March 31, 2026, 00:21 UTC: A malicious dependency named plain-crypto-js version 4.2.1 was introduced into axios npm releases 1.14.1 and 0.30.4.

• March 31, 2026, 03:20 UTC: The window closed — approximately 3 hours of exposure.

The attack vector was account compromise. The maintainer's npm account was hijacked, with the associated email address changed to an attacker-controlled address (ifstap@proton.me). From there, the attacker published a new version of axios with plain-crypto-js injected as a dependency.

The plain-crypto-js package used a postinstall hook to execute an obfuscated JavaScript dropper named setup.js:

SHA256: e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09

This dropper — internally named SILKBELL — checked the host operating system and delivered platform-specific payloads, ultimately deploying WAVESHAPER.V2, an updated version of the WAVESHAPER backdoor previously attributed to UNC1069.

WAVESHAPER.V2 is a cross-platform backdoor that provides persistent remote access to the compromised system. GTIG's attribution to UNC1069 (which overlaps with BlueNoroff and Stardust Chollima) was based on the use of WAVESHAPER.V2 specifically, combined with infrastructure overlaps from prior UNC1069 operations.

Detection Signatures

GTIG published YARA-style hunting rules for SILKBELL and WAVESHAPER.V2. Key detection strings for WAVESHAPER.V2 on Windows include:

$ss1 = "start /min powershell -w h"
$ss2 = "[scriptblock]::Create([System.Text.Encoding]::UTF8.GetString"
$ss3 = "Invoke-WebRequest -UseBasicParsing"
$ss4 = "-Method POST -Body"
$ss5 = "packages.npm.org/product1"

If you are running endpoint detection, these strings are worth adding to your hunting rules immediately.

Beyond North Korea: UNC6780 and the Broader Threat

One of the most underreported aspects of this wave of supply chain attacks is that it is not exclusively a North Korean operation. A separate threat actor, tracked as UNC6780 (also known as TeamPCP), has been running a parallel campaign with a different modus operandi and different objectives.

What UNC6780 Did

UNC6780 targeted the CI/CD pipeline rather than developer machines directly. The group poisoned:

• GitHub Actions workflows — Injecting malicious steps into widely-used GitHub Actions to steal secrets from CI runners

• PyPI packages associated with popular developer tools including:

  • Trivy — A widely-used container vulnerability scanner

  • Checkmarx — A major application security testing platform

  • LiteLLM — An increasingly popular open-source LLM integration library

The Scale of Credential Exposure

Google's analysis concluded that hundreds of thousands of secrets may already be circulating as a result of UNC6780's operations. This is particularly serious because:

• CI/CD environments have access to production deployment credentials

• Secrets exposed in GitHub Actions runners often include cloud provider keys with broad permissions

• Developers and security teams may not know which secrets were exposed, making rotation difficult to scope

The potential downstream impact includes further supply chain attacks, SaaS environment compromises leading to customer data exposure, ransomware and extortion events, and continued cryptocurrency theft — North Korea's primary financial motivation for these operations.

Why Traditional Security Tools Miss This

A natural question is: why aren't existing security tools catching these attacks? The answer is multi-layered.

Static Analysis Limitations

The two-stage loader design is specifically architected to defeat static analysis. When a security scanner examines pino-debugger or logutilkit, it finds a small script with minimal code — often less than 50 lines. There is no obvious malicious payload to flag. The actual malware is fetched at runtime from a remote server.

The Postinstall Hook Problem

The postinstall hook in npm executes automatically during npm install. Many developers and CI systems run installs in environments where security tooling is not monitoring process execution. Even when it is, distinguishing a legitimate postinstall script (used by many real packages) from a malicious one requires behavioral analysis, not just static inspection.

AI Coding Assistants as Inadvertent Amplifiers

This attack vector has an alarming interaction with modern AI coding tools. When developers use AI assistants to suggest dependencies or generate boilerplate code, those assistants draw from public registry metadata. If an attacker optimizes a malicious package's metadata — name, description, keywords — to match common developer search patterns, AI tools may surface and recommend the package to developers who install it without manual vetting.

This effectively turns AI coding assistants into a high-speed, high-trust distribution mechanism for malware.

The Trust Architecture of Package Managers

The entire package manager ecosystem is built on a model of implicit trust. When you run npm install axios, you trust that the axios maintainer's account has not been compromised. When you run pip install fluxhttp, you trust that the package is what it claims to be. There is no cryptographic attestation of publisher identity at the point of install in most package managers — and even where signing exists (as with some PyPI packages), it is inconsistently adopted.

Who Is Behind This? Threat Actor Attribution

UNC1069 / BlueNoroff / Stardust Chollima

The primary threat cluster behind the Contagious Interview campaign is tracked by different firms under different names, reflecting the overlapping and modular nature of North Korean cyber operations:

• Google GTIG: UNC1069

• Microsoft: Sapphire Sleet / Stardust Chollima

• Various: BlueNoroff (a sub-group of Lazarus Group)

UNC1069 is assessed to be a financially motivated North Korean state-sponsored actor active since at least 2018. Their primary objectives are cryptocurrency theft and credential harvesting that can be monetized or used for further intrusions. This distinguishes them from North Korean actors focused on espionage or destructive operations.

The group operates with a factory-style playbook: rotating aliases, pre-built GitHub repository templates, typosquatted package names, and a consistent RAT/infostealer toolkit that is regularly updated. Microsoft has noted consistent evolution in tooling and infrastructure, with clear behavioral continuity across operations.

Infrastructure Indicators

The Security Alliance (SEAL) blocked 164 UNC1069-linked domains between February 6 and April 7, 2026. Infrastructure characteristics include:

• Domains impersonating Microsoft Teams, Zoom, and other video conferencing platforms

• Use of Proton Mail accounts for attacker-controlled email addresses

• C2 infrastructure mixing dedicated servers with platform-hosted content

• Persona networks on GitHub with aliases like golangorg, aokisasakidev, aokisasakidev1, maxcointech1010, maxcointech0000

Immediate Action Items for Developers and Security Teams

If you are a developer or part of a security team responsible for software supply chain integrity, here is what you should be doing right now.

1. Check Your Axios Exposure

If your applications depend on axios and your lockfile or package cache pulled version 1.14.1 or 0.30.4 between March 31, 2026 00:21 UTC and approximately 03:20 UTC, you may have been exposed. Audit your package-lock.json, yarn.lock, or pnpm-lock.yaml for the affected versions and check whether plain-crypto-js appears as a dependency.

2. Rotate Exposed Credentials Immediately

If you believe a developer machine may have been compromised, assume all credentials stored on that machine are compromised. This includes:

• Cloud provider access keys and secret keys

• Kubernetes service account tokens

• SSH private keys

• API tokens for any service

• GitHub personal access tokens

• .env file contents

Rotate all of these. Do not wait to confirm compromise — treat exposure as confirmed.

3. Implement Internal Package Mirrors

Stop pulling directly from public registries. Set up internal mirrors (using tools like Verdaccio for npm, devpi for PyPI, or Artifactory/Nexus for multiple ecosystems) that proxy external requests. Configure your mirrors to:

• Enforce strict version pinning

• Verify cryptographic hashes against known-good values

• Alert on unexpected hash changes

• Block packages published by unrecognized maintainers

4. Enable Behavioral Monitoring on Developer Machines

Standard endpoint protection is insufficient. You need behavioral monitoring tuned specifically for development environments. Key indicators of compromise to watch for:

• A postinstall script opening a network connection to an external IP

• Environment variable enumeration from within a Node.js or Python process

• Unexpected SSH connection attempts to unrecognized hosts

• File system access to ~/.kube/config, ~/.ssh/, or .env files from a newly installed package

• High-volume file exfiltration from a dev machine

If any of these patterns are detected, isolate the machine immediately — regardless of the productivity impact.

5. Audit Your CI/CD Pipeline for UNC6780 Indicators

Given UNC6780's targeting of GitHub Actions, audit your workflow files for:

• Unexpected changes to workflow YAML files in your repository history

• Actions that were recently updated to include new steps

• Any reference to Trivy, Checkmarx, or LiteLLM packages — verify their integrity

• CI runner logs for unexpected outbound connections or secret access patterns

6. Brief Your Development Team on the Recruitment Lure

The fake recruiter vector is still the primary delivery mechanism. Every developer on your team should know:

• Legitimate companies do not ask candidates to install npm packages or run arbitrary code as part of a technical assessment

• Any "coding test" that requires running pre-written code from an external source should be treated as a red flag

• Job-related communications on LinkedIn, Telegram, and Slack should be treated with the same skepticism as phishing emails

The Bigger Picture: A Systemic Vulnerability

The Contagious Interview campaign is not a one-off incident. It is the manifestation of a structural vulnerability in how modern software is built.

The average enterprise application has thousands of third-party dependencies. Those dependencies have their own dependencies. The full transitive dependency tree of a typical Node.js or Python application can easily exceed 500 packages — most of which have never been reviewed by anyone at the organization consuming them. The entire architecture assumes that package registry maintainers are legitimate, that their accounts are secure, and that packages behave as advertised.

North Korean actors have identified this as a systemic weak point and are exploiting it systematically. The 1,700+ packages tracked in the Contagious Interview campaign represent years of patient, methodical effort to insert malicious code into the fabric of the software supply chain.

The Axios breach in particular represents a new level of ambition. Targeting a maintainer account rather than publishing a new package means bypassing the "unknown publisher" heuristic entirely. Axios is not a low-download package from an unrecognized author — it is the most downloaded JavaScript HTTP library in existence. The same attack methodology could be applied to any popular package whose maintainer can be socially engineered or phished.

As Google's threat intelligence team noted, the potential downstream consequences are severe and long-tailed: further supply chain attacks using stolen credentials, SaaS compromises, ransomware, and cryptocurrency theft could continue to materialize for months as the harvested credentials are operationalized.

Conclusion

The Contagious Interview campaign represents the most significant sustained attack on open-source software infrastructure to date. It is technically sophisticated in its staging, operationally patient in its social engineering, and strategically ambitious in its cross-ecosystem scope.

For developers, the takeaway is uncomfortable but necessary: the open-source supply chain is not a safe, neutral utility. It is an active attack surface, and it is being systematically targeted by nation-state actors with significant resources and patience.

The tools to defend against this exist — internal mirrors, hash verification, behavioral monitoring, developer education — but they require investment and intentionality. The cost of not investing in them is, as Axios demonstrated, potentially catastrophic.

Stay skeptical. Verify your dependencies. Rotate your credentials. And if a recruiter asks you to run their code — ask why.

Sources and Further Reading

• Socket Security — Contagious Interview Campaign Tracker: https://socket.dev/supply-chain-attacks/north-korea-s-contagious-interview-campaign

• Google Cloud Threat Intelligence — North Korea-Nexus Threat Actor Compromises Axios NPM Package: https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package

• The Hacker News — N. Korean Hackers Spread 1,700 Malicious Packages Across npm, PyPI, Go, Rust (April 2026)

• Security Alliance (SEAL) — UNC1069 Domain Blocking Report (Feb–April 2026)

• SANS Cyber Threat Intelligence Summit 2026 — Hunting North Korea's Contagious Interview Operation

• Microsoft Threat Intelligence — Statement on DPRK-linked financially motivated actors (April 2026)