A persistent software supply chain campaign attributed to North Korean threat actors has significantly expanded, publishing over 1,700 malicious packages across multiple open-source code registries. The operation, dubbed “Contagious Interview,” now targets developers in the Go, Rust, and PHP ecosystems in addition to its previous focus on npm for JavaScript and PyPI for Python.
According to security researchers, the malicious packages impersonate legitimate developer tooling and popular libraries. Once a developer installs one of these packages, it functions as a malware loader. This initial component establishes a connection to an attacker-controlled server to download and execute a secondary, more damaging payload. This method gives the attackers an initial foothold on a developer’s machine.
The primary impact is the compromise of development environments, which can lead to the theft of credentials, source code, and other intellectual property. An infected developer machine can also serve as a gateway for attackers to pivot into a company's internal network, escalating the potential damage far beyond a single computer.
The expansion into Go, Rust, and PHP indicates a concerted effort to compromise a broader segment of the software development community. By targeting the foundational building blocks used in modern applications, the attackers aim to infect organizations from within their development pipelines. This campaign extends the established playbook of state-sponsored actors who view developers as high-value targets for espionage and financial gain. Organizations are advised to implement strict dependency management practices and utilize security scanning tools to vet third-party code.
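The article closes by recommending strict dependency management and vetting of third-party code. As an added illustration (not code from the article or from any of the researchers it cites), the script below shows what a minimal pre-merge vetting gate can look like: it compares each proposed dependency against an organisational allowlist, flags names within a small edit distance of a trusted package (the impersonation pattern the article describes), and flags manifests that declare install-time hooks, since a package that wants to act as a loader needs a chance to run code as soon as it is installed. The allowlist, the candidate package names and their manifests are all constructed for the example; the hypothetical `scripts` field models npm-style lifecycle hooks and is not a claim about how this campaign's packages are built.

```python
"""
Dependency vetting gate (added example; constructed data throughout).

Risk signals checked for every candidate dependency:
  1. not on the organisation's allowlist at all (strict policy: review it);
  2. name within a small edit distance of an allowlisted package
     (typosquatting / impersonation of a popular library);
  3. install-time lifecycle hooks, which let a package execute code the
     moment it is installed rather than when it is imported.
"""
from dataclasses import dataclass, field

# Hypothetical allowlist of packages the organisation already trusts,
# keyed by ecosystem. Real deployments would load this from a policy file.
KNOWN_GOOD = {
    "npm": {"express", "lodash", "axios", "react"},
    "pypi": {"requests", "numpy", "flask"},
    "crates": {"serde", "tokio", "rand"},
    "go": {"github.com/gorilla/mux", "github.com/spf13/cobra"},
}

# npm-style lifecycle hooks that run arbitrary code at install time.
INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare"}


@dataclass
class Candidate:
    """A proposed dependency as seen in a manifest or lockfile (constructed)."""
    ecosystem: str
    name: str
    scripts: dict = field(default_factory=dict)  # hook name -> command


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment (Damerau-Levenshtein) distance.

    Counts insertions, deletions, substitutions and adjacent transpositions,
    so 'lodahs' is distance 1 from 'lodash' and 'reqeusts' is 1 from 'requests'.
    """
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # deletion
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[rows - 1][cols - 1]


def vet(c: Candidate) -> list:
    """Return a list of human-readable findings; an empty list means 'allowed'."""
    allowlist = KNOWN_GOOD.get(c.ecosystem, set())
    if c.name in allowlist:
        return []  # exact allowlisted name: nothing further to check here

    findings = []
    for known in sorted(allowlist):
        # Short names tolerate only one edit; longer names (and Go module
        # paths) tolerate two. Thresholds are a tuning choice, not a standard.
        max_d = 1 if len(known) <= 5 else 2
        dist = edit_distance(c.name.lower(), known.lower())
        if 0 < dist <= max_d:
            findings.append(
                f"name '{c.name}' is within edit distance {dist} "
                f"of allowlisted package '{known}'")

    hooks = INSTALL_HOOKS & set(c.scripts)
    if hooks:
        findings.append("declares install-time hook(s): " + ", ".join(sorted(hooks)))

    if not findings:
        findings.append("not on the allowlist: requires manual review before use")
    return findings


def vet_all(candidates: list) -> dict:
    """Map each candidate name to its findings, for use as a CI gate."""
    return {c.name: vet(c) for c in candidates}


if __name__ == "__main__":
    # Constructed sample manifest entries.
    sample = [
        Candidate("npm", "lodash"),
        Candidate("npm", "lodahs", {"postinstall": "node setup.js"}),
        Candidate("pypi", "reqeusts"),
        Candidate("go", "github.com/gorila/mux"),
        Candidate("npm", "left-pad"),
    ]
    for name, findings in vet_all(sample).items():
        status = "OK" if not findings else "REVIEW"
        print(f"[{status}] {name}")
        for f in findings:
            print("    -", f)
```

In a pipeline, a non-empty findings list would block the merge until a reviewer clears the package and adds it to the allowlist; the name-distance check is deliberately conservative (it only compares against packages the organisation already uses, not the whole registry) so that it produces a short, reviewable list rather than noise.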