216.73.216.86

North Korea's Contagious Interview Campaign Spreads Across 5 Ecosystems, Delivering Staged RAT Payloads

· Published 08/04/2026 11:17 · Modified 08/04/2026 11:02

Export JSON

Essential information

Published
08/04/2026 11:17
Modified
08/04/2026 11:02
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
contagious interview credential theft cross-ecosystem cryptocurrency wallet developer tooling north korea pypi npm rat staged loader supply chain attack
Tags
2026-04-08 contagious interview credential-theft cross-ecosystem cryptocurrency wallet developer tooling north korea pypi npm rat staged loader supply chain attack
Related entities
4 indicators, 4 observables, 1 intrusion sets (apt), 16 techniques (mitre), 1 others

Description

A North Korean threat operation has published malicious packages across npm, PyPI, Go Modules, crates.io, and Packagist, impersonating legitimate . The campaign uses GitHub aliases including golangorg and aokisasakidev to distribute staged malware loaders that contact actor-controlled infrastructure, retrieve payloads from Google Drive, and deliver platform-specific second-stage malware. The loaders are hidden behind normal-looking API functions in logging and utility libraries. Windows variants include full remote access trojans with capabilities for shell execution, keylogging, browser and wallet theft, sensitive file collection, and AnyDesk deployment. The operation demonstrates coordinated supply chain attacks with shared infrastructure patterns, reused extraction directories, and consistent staging logic across multiple programming languages.

External references