North Korea's Contagious Interview Campaign Spreads Across 5 Ecosystems, Delivering Staged RAT Payloads
Essential information
- Published
- 08/04/2026 11:17
- Modified
- 08/04/2026 11:02
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- contagious interview credential theft cross-ecosystem cryptocurrency wallet developer tooling north korea pypi npm rat staged loader supply chain attack
- Tags
- 2026-04-08 contagious interview credential-theft cross-ecosystem cryptocurrency wallet developer tooling north korea pypi npm rat staged loader supply chain attack
- Related entities
- 4 indicators, 4 observables, 1 intrusion sets (apt), 16 techniques (mitre), 1 others
Description
A North Korean threat operation has published malicious packages across npm, PyPI, Go Modules, crates.io, and Packagist, impersonating legitimate developer tooling. The campaign uses GitHub aliases including golangorg and aokisasakidev to distribute staged malware loaders that contact actor-controlled infrastructure, retrieve payloads from Google Drive, and deliver platform-specific second-stage malware. The loaders are hidden behind normal-looking API functions in logging and utility libraries. Windows variants include full remote access trojans with capabilities for shell execution, keylogging, browser and wallet theft, sensitive file collection, and AnyDesk deployment. The operation demonstrates coordinated cross-ecosystem supply chain attacks with shared infrastructure patterns, reused extraction directories, and consistent staging logic across multiple programming languages.