The Threat Codex1d ago
First instance of PylangGhost RAT observed on npm
#PylangGhostRAT #ContagiousInterview #npm
https://kmsec.uk/blog/pylangghost-npm/
First instance of PylangGhost RAT observed on npm | kmsec.uk

A DPRK/FAMOUS CHOLLIMA-attributed malware historically not observed on npm

The Threat CodexFeb 20
GitLab Threat Intelligence Team reveals North Korean tradecraft
#ContagiousInterview
https://about.gitlab.com/blog/gitlab-threat-intelligence-reveals-north-korean-tradecraft/
GitLab Threat Intelligence Team reveals North Korean tradecraft

Gain threat intelligence about North Korea’s Contagious Interview and fake IT worker campaigns and learn how GitLab disrupted their operations.

about.gitlab.com
AI SparkupJan 27

VSCode 폴더 열 때 조심하세요, AI 에이전트가 해커 편이 됩니다

VSCode의 tasks.json 취약점으로 AI 코딩 어시스턴트까지 조종당할 수 있습니다. 북한 해킹 그룹이 실제 악용 중인 공격 기법과 방어 방법을 소개합니다.

https://aisparkup.com/posts/8603

Cindʎ Xiao 🍉Jan 22

RE: https://social.troll.academy/@mushu/115937976404644181

https://runjak.codes/posts/2026-01-21-adversarial-coding-test/

Seems really similar to a recently reported variant of a North Korean state aligned campaign, ContagiousInterview. They've moved to VS Code tasks now

cc @lazarusholic

https://www.jamf.com/blog/threat-actors-expand-abuse-of-visual-studio-code/
https://opensourcemalware.com/blog/contagious-interview-vscode

#DPRK #ContagiousInterview #lazarus #LazarusGroup #FamousChollima

The Threat CodexJan 13
Hunting Lazarus: Inside the Contagious Interview C2 Infrastructure
#ContagiousInterview
https://redasgard.com/blog/hunting-lazarus-contagious-interview-c2-infrastructure
Hunting Lazarus: Inside the Contagious Interview C2 Infrastructure

We found North Korean malware in a client's Upwork project. Then we spent five days mapping the attackers' infrastructure.

Red Asgard
The Threat CodexNov 29
Inside the GitHub Infrastructure Powering North Korea’s Contagious Interview npm Attacks
#ContagiousInterview #OtterCookie
https://socket.dev/blog/north-korea-contagious-interview-npm-attacks
Inside the GitHub Infrastructure Powering North Korea’s Cont...

Socket Threat Research maps a rare inside look at OtterCookie’s npm-Vercel-GitHub chain, adding 197 malicious packages and evidence of North Korean op...

Socket
Sekoia.ioJul 21, 2025

🔥 Hot summer, sizzling crypto... and scammers turning up the heat 🔥

Back in March, Sekoia #TDR team published a deep-dive report on a #Lazarus cluster we dubbed #ClickFake Interview, leveraging the #ClickFix technique in their #ContagiousInterview campaign.

lazarusholicJul 15, 2025
"Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader" published by Socket. #ContagiousInterview, #NPM, #XORIndex, #DPRK, #CTI https://socket.dev/blog/contagious-interview-campaign-escalates-67-malicious-npm-packages
lazarusholicJul 2, 2025
"Inside North Korea's Global Cyber Playbook" published by Proofpoint. #ContagiousInterview, #ITWorker, #Podcast, #TA427, #DPRK, #CTI https://podcasts.apple.com/us/podcast/comic-sans-and-cybercrime-inside-north-koreas-global/id1612506550?i=1000715261677
Comic Sans and Cybercrime: Inside North Korea’s Global Cyber Playbook

Podcast Episode · DISCARDED: Tales From the Threat Research Trenches · 07/01/2025 · 53m

Apple Podcasts
lazarusholicJun 25, 2025
"Another Wave: North Korean Contagious Interview Campaign Drops 35 New Malicious npm Packages" published by Socket. #BeaverTail, #ContagiousInterview, #HexEval, #NPM, #DPRK, #CTI https://socket.dev/blog/north-korean-contagious-interview-campaign-drops-35-new-malicious-npm-packages