How to Install and Run Archive...
North Korea's Contagious Interview Campaign Spreads Across 5 Ecosystems, Delivering Staged RAT Payloads
A North Korean threat operation has published malicious packages across npm, PyPI, Go Modules, crates.io, and Packagist, impersonating legitimate developer tooling. The campaign uses GitHub aliases including golangorg and aokisasakidev to distribute staged malware loaders that contact actor-controlled infrastructure, retrieve payloads from Google Drive, and deliver platform-specific second-stage malware. The loaders are hidden behind normal-looking API functions in logging and utility libraries. Windows variants include full remote access trojans with capabilities for shell execution, keylogging, browser and wallet theft, sensitive file collection, and AnyDesk deployment. The operation demonstrates coordinated cross-ecosystem supply chain attacks with shared infrastructure patterns, reused extraction directories, and consistent staging logic across multiple programming languages.
Pulse ID: 69d61d25c472b8eb580c2996
Pulse Link: https://otx.alienvault.com/pulse/69d61d25c472b8eb580c2996
Pulse Author: AlienVault
Created: 2026-04-08 09:17:25
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AnyDesk #Browser #CyberSecurity #GitHub #Golang #Google #InfoSec #Korea #Malware #NPM #NorthKorea #OTX #OpenThreatExchange #PyPI #RAT #RemoteAccessTrojan #SupplyChain #Trojan #Troll #Windows #bot #AlienVault
Threat Brief: Widespread Impact of the Axios Supply Chain Attack
A sophisticated supply chain attack compromised the Axios JavaScript library after threat actors hijacked an npm maintainer account, releasing malicious versions v1.14.1 and v0.30.4. These versions contained a hidden dependency called plain-crypto-js, which deployed a cross-platform remote access Trojan affecting Windows, macOS, and Linux systems. The malware performed reconnaissance, established persistence, and included self-destruct capabilities for evasion. Using a heavily obfuscated dropper script, the attack fetched platform-specific payloads from a command-and-control server while disguising traffic as legitimate npm registry requests. All variants shared identical C2 protocols and beaconed every 60 seconds. The campaign impacted multiple sectors across the U.S., Europe, Middle East, South Asia, and Australia, with analysis showing overlap with DPRK-linked operations.
Pulse ID: 69cda35868f6af78fc09b167
Pulse Link: https://otx.alienvault.com/pulse/69cda35868f6af78fc09b167
Pulse Author: AlienVault
Created: 2026-04-01 22:59:36
#Asia #Australia #CyberSecurity #DPRK #ELF #Europe #InfoSec #Java #JavaScript #Linux #Mac #MacOS #Malware #MiddleEast #NPM #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SouthAsia #SupplyChain #Trojan #Windows #bot #iOS #AlienVault
North Korean Hackers Expand Malicious Package Reach Across Multiple Coding Ecosystems
Beware of the Trojan horse in your code: North Korean hackers have quietly infiltrated multiple package ecosystems, publishing around 1,700 malicious packages that masquerade as legitimate developer tools but act as malware loaders. This sneaky campaign, linked to the Contagious Interview group, puts…
#NorthKoreanHackers #ContagiousInterview #MalwareOperations #PackageEcosystem #Npm
Claude Code incident: npm packaging error exploited for malware campaign via GitHub
The activity is part of a broader malware distribution that has been observed since February 2026.

Attackers exploit a Claude Code error to spread malware via GitHub. What the risks are and how companies should respond.
North Korea-linked actor compromises axios NPM package
A shocking discovery by Google Threat Intelligence Group has exposed a vulnerability in the popular axios NPM package, which has over 100 million weekly downloads, and has raised urgent questions about the trustworthiness of software supply chains. A malicious dependency was secretly introduced into axios releases, putting countless…
https://osintsights.com/north-korea-linked-actor-compromises-axios-npm-package
#Axios #Npm #NodePackageManager #NorthKorea #GoogleThreatIntelligenceGroup
The Axios lead discovered how they were compromised.
TLDR; Microsoft Teams Meeting 💀
https://github.com/axios/axios/issues/10636#issuecomment-4180237789
Detections for the Axios supply chain compromise
A supply chain attack targeting Axios npm package versions 1.14.1 and 0.30.4 introduced a malicious transitive dependency (plain-crypto-js) that executed during installation. The attack deploys cross-platform payloads across Linux, Windows, and macOS through a consistent pattern: Node.js spawns OS-native shells to retrieve and execute remote payloads in detached or hidden contexts. Linux victims receive a Python-based RAT, Windows systems get a PowerShell backdoor with registry persistence, and macOS hosts are compromised with a Mach-O binary backdoor. All variants beacon to the same C2 infrastructure, performing host fingerprinting, process enumeration, filesystem reconnaissance, and arbitrary code execution. The malicious activity is reliably detected through behavioral signatures focusing on unusual Node.js process ancestry and remote payload retrieval rather than static indicators.
Pulse ID: 69d4e63921cbadb426b7cd2a
Pulse Link: https://otx.alienvault.com/pulse/69d4e63921cbadb426b7cd2a
Pulse Author: AlienVault
Created: 2026-04-07 11:10:49
#BackDoor #CyberSecurity #InfoSec #Linux #Mac #MacOS #NPM #Nodejs #OTX #OpenThreatExchange #PowerShell #Python #RAT #SupplyChain #Windows #bot #iOS #AlienVault
Google for Developers (@googledevs)
Introducing a major update to Google AI Studio. It now offers full-stack support for NPM packages for building production apps, secure management of API keys and secrets, and the Antigravity coding agent, which helps with complex multi-file edits.

The maintainers of the popular Axios HTTP client have published a detailed post-mortem describing how one of its developers was targeted by a social engineering campaign believed to have been conducted by North Korean threat actors.