North Korea's Contagious Interview Campaign Spreads Across 5 Ecosystems, Delivering Staged RAT Payloads
A North Korean threat operation has published malicious packages across npm, PyPI, Go Modules, crates.io, and Packagist, impersonating legitimate developer tooling. The campaign uses GitHub aliases including golangorg and aokisasakidev to distribute staged malware loaders that contact actor-controlled infrastructure, retrieve payloads from Google Drive, and deliver platform-specific second-stage malware. The loaders are concealed behind ordinary-looking API functions in logging and utility libraries, so the malicious behaviour is not visible from the package's advertised interface. Windows variants include full remote access trojans (RATs) capable of shell execution, keylogging, browser and wallet credential theft, sensitive file collection, and AnyDesk deployment. The operation demonstrates a coordinated cross-ecosystem supply chain attack with shared infrastructure patterns, reused extraction directories, and consistent staging logic across multiple programming languages.
Pulse ID: 69d61d25c472b8eb580c2996
Pulse Link: https://otx.alienvault.com/pulse/69d61d25c472b8eb580c2996
Pulse Author: AlienVault
Created: 2026-04-08 09:17:25
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AnyDesk #Browser #CyberSecurity #GitHub #Golang #Google #InfoSec #Korea #Malware #NPM #NorthKorea #OTX #OpenThreatExchange #PyPI #RAT #RemoteAccessTrojan #SupplyChain #Trojan #Troll #Windows #bot #AlienVault
