Feed
HighPublished 7 Apr 202614 packages · 6 versions

DPRK Contagious Interview campaign expands across 5 ecosystems

Summary

Socket disclosed a fresh wave of DPRK Contagious Interview / FAMOUS CHOLLIMA packages spanning npm, PyPI, Go modules, crates.io, and Packagist. They impersonate logging / license developer tooling and act as staged loaders for credential stealers and RATs across Windows, macOS and Linux. The Windows variant deploys a keylogger and AnyDesk for hands-on access.

credential-theftinfostealertyposquatci-cd-compromise
Threat actor
Famous Chollima (DPRK)
Detected by
Socket
Also known as
Contagious Interview · CL-STA-0240
Ecosystems
crates.ioGonpmPackagistPyPI
Packages tracked
14

What happened

Socket disclosed a fresh wave of the DPRK Contagious Interview campaign on 7 April 2026, spanning five package ecosystems simultaneously: npm, PyPI, Go modules, crates.io and Packagist. Socket's tracker now attributes more than 1,700 malicious packages to the cluster since 2024, including a prior wave of 338 npm packages.

The packages impersonate logging utilities, debug helpers and licence-management tooling — categories developers grab without scrutiny. They act as staged loaders for credential stealers and remote-access trojans across Windows, macOS and Linux. The Windows variant additionally deploys a keylogger and installs AnyDesk for hands-on-keyboard access.

Threat-actor personas behind the publishers include golangorg, aokisasakidev / aokisasakidev1, and maxcointech1010 / maxcointech0000, with registration emails like aokisasaki1122@gmail.com and shiningup1996@gmail.com. Distribution still relies on fake job lures: contractors and developers in crypto, blockchain and AI are messaged with "interview task" repositories that pull these packages as dependencies.

Key IOCs:

  • C2 / delivery: apachelicense.vercel.app, ngrok-free.vercel.app, logkit.onrender.com, logkit-tau.vercel.app, 66.45.225.94.
  • Stage-2 hashes — Linux 9a541dffb7fc18dc71dbc8523ec6c3a71c224ffeb518ae3a8d7d16377aebee58, macOS bb2a89001410fa5a11dea6477d4f5573130261badc67fe952cfad1174c2f0edd, Windows 7c5adef4b5aee7a4aa6e795a86f8b7d601618c3bc003f1326ca57d03ec7d6524.

Attribution to Famous Chollima (overlapping with the broader Lazarus umbrella) is consistent across Socket, Microsoft, Mandiant and Crowdstrike reporting.

Affected packages (14)

  • PyPIapachelicense
    0.1a1
  • npmdebug-fmt
  • npmdebug-glitz
  • npmdev-log-core
    1.0.5
  • PyPIfluxhttp
  • Gogithub.com/aokisasakidev/mit-license-pkg
    1.0.2
  • Gogithub.com/golangorg/formstash
    1.0.5
  • Packagistgolangorg/logkit
  • PyPIlicense-utils-kit
    0.1rc3
  • npmlogger-base
  • npmlogkitx
  • crates.iologtrace
    1.0.2
  • PyPIlogutilkit
  • npmpino-debugger

Impact

  • Cross-ecosystem coverage means one campaign can hit nearly any developer stack
  • Windows variant deploys keylogger and AnyDesk for hands-on access
  • Targets crypto, blockchain and AI developers via fake job lures

What to do

  1. 1Block listed C2s (apachelicense.vercel.app, logkit.onrender.com, logkit-tau.vercel.app, 66.45.225.94)
  2. 2Remove any of the named packages and rotate credentials
  3. 3Treat unsolicited contractor / interview-task repos as malware delivery

References

multi-2026-04-07-contagious-interview-5-ecosystems