Full Report
The North Korea-linked persistent campaign known as Contagious Interview has spread its tentacles by publishing malicious packages targeting the Go, Rust, and PHP ecosystems. "The threat actor's packages were designed to impersonate legitimate developer tooling [...], while quietly functioning as malware loaders, extending Contagious Interview’s established playbook into a coordinated
Analysis Summary
# Threat Actor: Contagious Interview (UNC1069)
## Attribution & Identity
* **Actor Name:** Contagious Interview
* **Aliases/Overlaps:** UNC1069, BlueNoroff, Sapphire Sleet, Stardust Chollima.
* **Affiliation:** North Korea-linked (DPRK).
* **Identity Notes:** This actor is characterized as a well-resourced, persistent threat group operating with both espionage and financial motivations.
## Activity Summary
* **Current Campaign:** A coordinated cross-ecosystem supply chain operation spreading over 1,700 malicious packages across npm, PyPI, Go, Rust (crates.io), and PHP (Packagist) since January 2025.
* **Methodology:** The actor publishes packages impersonating legitimate developer tools. Unlike typical "typosquatting," the malicious code is not triggered upon installation but is embedded within legitimate methods/functions to evade detection.
* **Complementary Ops:** Use of "ClickFix" lures via fake meeting links (Microsoft Teams/Zoom) and social engineering of package maintainers to poison popular libraries (e.g., Axios).
## Tactics, Techniques & Procedures
* **Supply Chain Poisoning:** Publishing malicious libraries to open-source repositories; compromising maintainer accounts via social engineering.
* **Execution via Legitimate Functions:** Hiding malicious logic within plausible, routinely invoked methods (e.g., `Logger::trace`) so that it passes unnoticed during code review.
* **Social Engineering:** Multi-week, low-pressure campaigns on Telegram, LinkedIn, and Slack impersonating known contacts or credible brands.
* **Initial Access:** Delivering fraudulent meeting links that serve "ClickFix" lures to execute platform-specific loaders.
* **Operational Patience:** Operators deliberately remain dormant or passive for a period following initial compromise to maximize value and longevity.
* **Credential/Data Theft:** Capabilities to gather data from web browsers, password managers, and cryptocurrency wallets.
* **Specific TTPs:**
  * Deployment of AnyDesk for remote access.
  * Keystroke logging and shell command execution.
  * Creation of encrypted archives for data exfiltration.
## Targeting
* **Sectors:** Software Development, Cryptocurrency, Financial Services.
* **Geography:** Global (targeting open-source ecosystems used worldwide).
* **Victims:** Software developers, DevOps engineers, and maintainers of popular libraries (e.g., Axios).
## Tools & Infrastructure
* **Malware Families:**
  * WAVESHAPER.V2 (delivered via the poisoned Axios package).
  * Infostealers and RATs (Remote Access Trojans).
  * Platform-specific second-stage loaders (Windows, macOS, Linux).
* **Infrastructure:**
  * **Impersonated Domains:** 164 domains impersonating Microsoft Teams and Zoom, used to serve ClickFix lures.
  * **Defanged Examples:**
    * github[.]com/golangorg/formstash
    * github[.]com/aokisasakidev/mit-license-pkg
* **Malicious Packages:** `dev-log-core`, `logtrace`, `license-utils-kit`, `logutilkit`, `fluxhttp`.
## Implications
Contagious Interview represents a sophisticated evolution in DPRK cyber strategy, moving from simple social engineering to deep, systematic infiltration of the software supply chain. By embedding malware in legitimate developer functions across five different programming ecosystems, the actor achieves a wide-reaching initial access footprint that facilitates long-term espionage and high-value financial theft, particularly targeting cryptocurrency assets.
## Mitigations
* **Supply Chain Security:** Implement automated software composition analysis (SCA) to detect anomalous code in dependencies.
* **Verification:** Strictly verify the provenance of new or updated packages, even those that appear to have legitimate functionality.
* **Behavioral Monitoring:** Monitor developer environments for unauthorized use of remote access tools like AnyDesk.
* **Communication Hygiene:** Educate employees to verify "meeting invites" received via third-party chat apps (Telegram/Slack) through official corporate channels.
* **Technical Controls:** Block the 164 known UNC1069-linked domains and employ "ClickFix" detection mechanisms in web proxies and endpoint protection.
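The "loader hidden in a legitimate method" technique listed under TTPs (e.g., `Logger::trace`) and the SCA mitigation above suggest a simple static check. The following Python example is added here and is not code from the report, the actor, or any SCA product: it parses a constructed sample with Python's `ast` module and flags logger-named functions whose bodies call execution, network or payload-decoding primitives. `LOGGER_NAMES`, `SUSPICIOUS_CALLS` and the sample source are this example's own assumptions, and the heuristic is illustrative rather than a complete scanner.

```python
import ast

# Name fragments that suggest a benign logging helper (assumption of this example).
LOGGER_NAMES = ("log", "trace", "debug", "info", "warn", "error")
# Primitives a logger has no business calling: execution, network, payload decoding.
SUSPICIOUS_CALLS = {
    "subprocess", "os.system", "os.popen", "exec", "eval", "urllib",
    "socket", "requests", "base64", "marshal", "compile", "__import__",
}

def _call_name(node: ast.Call) -> str:
    """Render a call target as a dotted string, e.g. 'os.system'."""
    parts = []
    cur = node.func
    while isinstance(cur, ast.Attribute):
        parts.append(cur.attr)
        cur = cur.value
    if isinstance(cur, ast.Name):
        parts.append(cur.id)
    return ".".join(reversed(parts))

def find_logger_loaders(source: str) -> list:
    """Return (function name, line, call) for every logger-named function
    whose body calls one of SUSPICIOUS_CALLS; an empty list means nothing flagged."""
    hits = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        if not any(k in fn.name.lower() for k in LOGGER_NAMES):
            continue
        for node in ast.walk(fn):
            if isinstance(node, ast.Call):
                name = _call_name(node)
                if name in SUSPICIOUS_CALLS or name.split(".")[0] in SUSPICIOUS_CALLS:
                    hits.append((fn.name, node.lineno, name))
    return hits

# Constructed sample: a Logger whose trace() decodes and runs its argument,
# the shape of the "loader hidden in a legitimate method" technique. Parsed only, never executed.
SAMPLE = '''
import base64, subprocess
class Logger:
    def trace(self, msg):
        print("[trace]", msg)
        subprocess.run(base64.b64decode(msg))
    def info(self, msg):
        print("[info]", msg)
'''
```

Python is used because PyPI is one of the ecosystems in the campaign; the same heuristic applies to PHP, Go or Rust packages given a parser for that language.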