Screenshot of the threat actor’s golangorg GitHub account
Researchers at Socket have identified a massive new cluster of malicious packages linked to North Korea’s notorious “Contagious Interview” campaign. By impersonating legitimate developer tooling and operating across five different software ecosystems, the threat actors are casting a wide net to snare engineers and compromise corporate environments.
The “Contagious Interview” operation is not a new threat, but its recent expansion is unprecedented. Socket researchers have been tracking this activity since 2024 and now maintain a campaign page monitoring more than 1,700 malicious packages.
What sets this latest cluster apart is its sheer breadth. The actors successfully published poisoned code across:
- npm: dev-log-core, logger-base
- PyPI: logutilkit, fluxhttp
- Go Modules: github.com/golangorg/formstash
- Rust (crates.io): logtrace
- Packagist (PHP): golangorg/logkit
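The package names above are the indicators a practitioner actually needs to act on, and they sit in five different manifest formats. The following added example (mine, not Socket's tooling) checks package.json, requirements.txt, go.mod, Cargo.toml and composer.json for those names; the manifests embedded in it are constructed samples, and only the package names come from the report:

```python
"""Scan dependency manifests for the package names Socket attributes to this
cluster. Added example, not Socket's own tooling; the manifests below are
constructed samples, and only the package names come from the report."""
import json
import re

# Indicators from the report, keyed by ecosystem.
IOC_PACKAGES = {
    "npm": {"dev-log-core", "logger-base"},
    "pypi": {"logutilkit", "fluxhttp"},
    "go": {"github.com/golangorg/formstash"},
    "cargo": {"logtrace"},
    "packagist": {"golangorg/logkit"},
}

def _npm_deps(text):
    data = json.loads(text)
    deps = set()
    for key in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(data.get(key, {}))
    return deps

def _pypi_deps(text):
    # requirements.txt: one requirement per line; strip comments and options.
    deps = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            # PEP 503 normalisation: case-fold and collapse ._- runs to '-'.
            deps.add(re.sub(r"[._-]+", "-", m.group(0)).lower())
    return deps

def _go_deps(text):
    # go.mod: single-line "require path vX" or a "require ( ... )" block.
    deps, in_block = set(), False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("require ("):
            in_block = True
            continue
        if in_block and s == ")":
            in_block = False
            continue
        if s.startswith("require "):
            s = s[len("require "):]
        elif not in_block:
            continue
        parts = s.split()
        if parts and "/" in parts[0]:
            deps.add(parts[0])
    return deps

def _cargo_deps(text):
    # Cargo.toml: "name = ..." under a *dependencies table, or a
    # [dependencies.name] table header.
    deps, section = set(), None
    for line in text.splitlines():
        s = line.split("#", 1)[0].strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].strip()
            head, _, crate = section.partition(".")
            if head.endswith("dependencies") and crate:
                deps.add(crate.strip('"'))
            continue
        if section and section.endswith("dependencies") and "=" in s:
            deps.add(s.split("=", 1)[0].strip().strip('"'))
    return deps

def _packagist_deps(text):
    data = json.loads(text)
    deps = set()
    for key in ("require", "require-dev"):
        deps.update(data.get(key, {}))
    return deps

PARSERS = {"npm": _npm_deps, "pypi": _pypi_deps, "go": _go_deps,
           "cargo": _cargo_deps, "packagist": _packagist_deps}

def find_iocs(ecosystem, manifest_text):
    """Return the sorted IOC package names declared in a manifest."""
    deps = PARSERS[ecosystem](manifest_text)
    return sorted(deps & IOC_PACKAGES[ecosystem])

# Constructed sample manifests (not real projects).
SAMPLES = {
    "npm": '{"dependencies": {"express": "^4.18.0", "dev-log-core": "1.0.2"}, '
           '"devDependencies": {"jest": "^29.0.0"}}',
    "pypi": "requests==2.31.0\nfluxhttp>=0.2  # pinned by mistake\n-e ./local\n",
    "go": "module example.com/app\n\ngo 1.21\n\nrequire (\n"
          "    github.com/golangorg/formstash v0.1.3\n    golang.org/x/net v0.17.0\n)\n",
    "cargo": "[package]\nname = \"demo\"\n\n[dependencies]\nserde = \"1.0\"\nlogtrace = \"0.1\"\n",
    "packagist": '{"require": {"php": ">=8.1", "golangorg/logkit": "^1.0"}}',
}

def scan_samples():
    """Map each ecosystem to the IOC packages found in its sample manifest."""
    return {eco: find_iocs(eco, text) for eco, text in SAMPLES.items()}
```

Run `scan_samples()` against your own manifests by swapping the file contents into `SAMPLES`; lockfiles (package-lock.json, poetry.lock, go.sum, Cargo.lock, composer.lock) are the better source in practice because they also list transitive dependencies that never appear in the top-level manifest.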
By using the alias “golangorg” and names that mimic popular libraries like pino-debug and debug-logfmt, the actors exploit the split-second trust developers place in familiar-looking utility names.
The malicious packages are built as “malware loaders”: the published code carries little beyond a first stage, and the real payload is fetched at run time. Once a developer installs or imports one of these libraries, the loader starts a multi-stage infection chain, which also means a static scan of the package contents sees only a downloader, not the final payload.
As the Socket report details:
“The loaders retrieve a downloadUrl from threat actor-controlled infrastructure, rewrite Google Drive sharing links into direct-download form, fetch ZIP archives such as ecw_update.zip, and deliver platform-specific second-stage payloads”.
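The quoted behaviour gives a defender something concrete to hunt for in egress or proxy logs. The following added example (my code, not Socket's; the log format, hosts, IPs and Drive file ID are constructed) normalises both the Google Drive sharing form and the direct-download form to the underlying file ID so either form of a fetch matches, flags a client that requested the same ID in both forms, and lists ZIP downloads such as the ecw_update.zip named in the report:

```python
"""Spot the loader's Google Drive fetch pattern in egress/proxy logs: the
same file ID requested in sharing form and in direct-download form, plus
ZIP downloads. Added example, not from Socket's report; the log lines are
constructed and the 'ts client method url status bytes' format is assumed."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Sharing form:  https://drive.google.com/file/d/<ID>/view?usp=sharing
# Direct form:   https://drive.google.com/uc?export=download&id=<ID>
_FILE_PATH = re.compile(r"^/file/d/([A-Za-z0-9_-]+)")
_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")

def classify_drive_url(url):
    """Return (file_id, 'share' | 'direct') for a Drive URL, else None."""
    u = urlparse(url)
    if u.hostname != "drive.google.com":
        return None
    m = _FILE_PATH.match(u.path)
    if m:
        return m.group(1), "share"
    q = parse_qs(u.query)
    if u.path == "/uc" and q.get("export") == ["download"] and q.get("id"):
        return q["id"][0], "direct"
    return None

def analyze_proxy_log(log_text):
    """Correlate Drive fetches per client and list ZIP downloads."""
    drive = defaultdict(lambda: defaultdict(set))  # file_id -> client -> forms
    zips = []
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # unparsable line; assumed format did not apply
        _ts, client, _method, url, _status, _size = m.groups()
        hit = classify_drive_url(url)
        if hit:
            file_id, form = hit
            drive[file_id][client].add(form)
        elif urlparse(url).path.lower().endswith(".zip"):
            zips.append((client, url))
    # A client that touched the same ID in both forms is the rewrite fingerprint.
    rewrites = sorted((c, fid) for fid, clients in drive.items()
                      for c, forms in clients.items() if forms == {"share", "direct"})
    return {
        "drive_files": {fid: sorted(clients) for fid, clients in drive.items()},
        "rewrite_pairs": rewrites,
        "zip_fetches": zips,
    }

# Constructed log lines; hosts, IPs and the Drive ID are made up.
SAMPLE_PROXY_LOG = """\
2024-06-01T10:00:01Z 10.0.0.5 GET https://registry.npmjs.org/dev-log-core 200 4123
2024-06-01T10:00:03Z 10.0.0.5 GET https://drive.google.com/file/d/1AbC_dEf-GhI/view?usp=sharing 302 0
2024-06-01T10:00:04Z 10.0.0.5 GET https://drive.google.com/uc?export=download&id=1AbC_dEf-GhI 200 1048576
2024-06-01T10:05:10Z 10.0.0.9 GET https://drive.google.com/uc?export=download&id=1AbC_dEf-GhI 200 1048576
2024-06-01T10:06:00Z 10.0.0.7 GET https://example.test/releases/ecw_update.zip 200 2097152
2024-06-01T10:07:00Z 10.0.0.7 GET https://drive.google.com/drive/folders/0XyZ 200 5000
"""

if __name__ == "__main__":
    print(analyze_proxy_log(SAMPLE_PROXY_LOG))
```

On the sample, `drive_files` shows the same ID pulled by two workstations, `rewrite_pairs` singles out 10.0.0.5 as the host that walked from the sharing link to the direct download, and `zip_fetches` lists the archive pull; a real hunt would join these against the manifest hits and against process telemetry from the developer machines.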
Researchers identified a GitHub account, maxcointech1010, that was used to provide “social proof” for the malicious packages.
This account featured a “diverse project portfolio spanning mobile commerce, AI, and full-stack applications,” which researchers say was more about “persona building” than actual software development.
“In practice, maxcointech1010 looked less like a clean registry publisher and more like a cloned-project persona that could be used to host, collect, and present plausible developer content”.
By cloning legitimate upstream projects and preserving their metadata, the actor created an “operationally valuable” footprint that made the campaign look larger and more active than it actually was.
The Contagious Interview campaign serves as a stark reminder that the developer’s local machine is the new front line. When an engineer downloads a library to “quickly debug” a project, they may inadvertently be opening a door for state-sponsored actors.