Hunting North Korea’s Contagious Interview Operation
Why It Matters
The operation demonstrates how state‑backed actors can weaponize open‑source ecosystems to infiltrate global developer communities, making supply‑chain security a critical priority for all software firms.
Key Takeaways
- North Korean actors use fake recruiter interviews to deliver malware.
- Malicious npm packages exploit typo‑squatting and AI suggestions.
- Campaign deploys multi‑stage loaders like Beaver Tail and Invisible Ferret.
- Thousands of developers infected; hundreds of packages downloaded tens of thousands of times.
- Defense requires signatures, supply‑chain monitoring, and heightened developer vigilance.
Summary
The presentation by senior threat analyst Kir Boyenko details North Korea’s state‑sponsored “contagious interview” campaign, which masquerades as recruiter outreach, test assignments, or take‑home exams to trick developers into executing malicious code. By targeting open‑source ecosystems—primarily npm, but also Python, Rust, Go, and VS Code extensions—the actors embed malware directly into the software supply chain.
The operation relies on typo‑squatting, AI‑generated package recommendations, and automated mass publishing. Hundreds of malicious packages have been released, amassing tens of thousands of downloads and compromising thousands of developer machines. The malware zoo includes multi‑stage loaders such as Beaver Tail, Auto‑Cookookie, and Invisible Ferret, which steal browser credentials, cryptocurrency wallets, and even macOS keychains before fetching additional payloads.
A striking example is a typo‑squatted npm package that mirrors a legitimate library’s README, then executes obfuscated JavaScript containing a curl command to a C2 server on port 1224. The speaker cites colleague Rachel Cook’s “fat‑finger syndrome” video, illustrating how rushed developers or AI‑driven suggestions can inadvertently install these trojanized modules.
The campaign’s scale—continuous weekly releases, hundreds of aliases, and a factory‑like production model—means organizations must adopt proactive defenses: generate detection signatures, monitor supply‑chain integrity, enforce strict package vetting, and educate developers about social‑engineering lures. Failure to do so risks further crypto theft and broader credential compromise.