A coordinated cyber campaign linked to North Korean threat actors has been identified as targeting software supply chains and enterprise users through malicious packages and deceptive meeting links, enabling data theft and long-term system compromise across multiple platforms.
Malicious Packages and Expanding Supply Chain Threat
Security researchers said more than 1,700 malicious packages have been identified since January 2025 as part of a broader campaign affecting open-source ecosystems. The activity includes the poisoning of a widely used npm package to distribute an implant known as WAVESHAPER.V2 after compromising a maintainer’s account through social engineering.
The campaign, referred to as Contagious Interview, has spread across ecosystems including Go, Rust, and PHP, with malicious packages designed to appear as legitimate developer tools. Researchers noted that the operation reflects a persistent and well-resourced effort to infiltrate developer environments for espionage and financial gain.
The activity has been attributed to a financially motivated threat actor tracked as UNC1069, which overlaps with groups such as BlueNoroff, Sapphire Sleet, and Stardust Chollima. Investigators said multiple domains impersonating services such as Microsoft Teams and Zoom were used to facilitate the campaign.
Deceptive Meeting Links and Social Engineering Tactics
The operation relies heavily on social engineering, with attackers distributing fraudulent meeting links through platforms such as Telegram, LinkedIn, and Slack. These links mimic legitimate video conferencing services and are used to deliver malware when accessed.
Researchers said the attackers often impersonate trusted contacts or credible organisations, leveraging previously compromised accounts to increase the likelihood of success. Victims are typically drawn into rescheduling calls after initial failures, allowing attackers to delay detection while maintaining access.
According to the findings, the malware establishes contact with attacker-controlled servers and enables targeted post-exploitation activity across Windows, macOS, and Linux systems. The approach allows threat actors to extract sensitive data while remaining undetected for extended periods.
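Because the lure is a link that only looks like a Teams or Zoom invitation, the practical check is whether the host actually belongs to the service the link claims to be. The script below is an added example written for this page, not code from the article or from the researchers it cites. It assumes a short list of legitimate host suffixes (zoom.us, teams.microsoft.com, teams.live.com) and flags links that carry a conferencing brand name on a foreign host, that are not HTTPS, that use an internationalised (xn--) host, or that point at an executable rather than a meeting page. The links it scans are constructed for illustration, and the function names are hypothetical.

```javascript
// Added example (not the article's code): classify "meeting links" by whether
// the host really belongs to the conferencing service the link claims to be.
// Legitimate host suffixes are an assumption for this example; extend to taste.
const LEGIT_HOSTS = {
  zoom: ["zoom.us"],
  teams: ["teams.microsoft.com", "teams.live.com"],
};
// Brand is inferred from the hostname only, so an unrelated site that merely
// mentions "zoom" in a path is reported as "unknown" rather than "impersonation".
const BRAND_HINTS = { zoom: /zoom/, teams: /teams/ };
// A meeting link should never resolve to a binary or installer.
const DOWNLOAD_EXT = /\.(exe|msi|dmg|pkg|sh|zip|js|scr)$/i;

function isUnder(host, suffix) {
  return host === suffix || host.endsWith("." + suffix);
}

function classifyMeetingLink(link) {
  let url;
  try {
    url = new URL(link);
  } catch (e) {
    return { link, brand: null, verdict: "unparseable", reasons: ["bad-url"] };
  }
  const host = url.hostname.toLowerCase();
  const reasons = [];
  const brand = Object.keys(BRAND_HINTS).find((b) => BRAND_HINTS[b].test(host)) || null;

  if (url.protocol !== "https:") reasons.push("not-https");
  // Punycode labels hide homoglyph look-alikes of the real brand.
  if (host.split(".").some((label) => label.startsWith("xn--"))) reasons.push("idn-host");
  if (DOWNLOAD_EXT.test(url.pathname)) reasons.push("executable-download");

  let verdict;
  if (brand === null) {
    verdict = "unknown";
  } else if (LEGIT_HOSTS[brand].some((suffix) => isUnder(host, suffix))) {
    verdict = "legitimate";
  } else {
    verdict = "impersonation";
    reasons.push(brand + "-brand-on-foreign-host");
  }
  // A real conferencing host serving a download is still worth a human look.
  if (verdict === "legitimate" && reasons.includes("executable-download")) verdict = "suspicious";
  return { link, brand, verdict, reasons };
}

// Count verdicts over a batch, e.g. links extracted from a chat export.
function triage(links) {
  const counts = {};
  for (const link of links) {
    const r = classifyMeetingLink(link);
    counts[r.verdict] = (counts[r.verdict] || 0) + 1;
  }
  return counts;
}

// Constructed sample links: three genuine-looking invitations, three lures,
// one unrelated URL.
const SAMPLE_LINKS = [
  "https://zoom.us/j/123456789",
  "https://us02web.zoom.us/j/987654321?pwd=abc",
  "https://teams.microsoft.com/l/meetup-join/19%3ameeting",
  "https://zoom-us.meeting-update.example/j/123456789",
  "https://teams.microsoft.com.example/l/meetup-join/abc",
  "https://microsoftteams.example/fix/TeamsUpdate.exe",
  "https://example.org/agenda",
];

for (const link of SAMPLE_LINKS) console.log(JSON.stringify(classifyMeetingLink(link)));
console.log(triage(SAMPLE_LINKS));
```

The suffix check is deliberately strict: `teams.microsoft.com.example` ends with `.example`, not with `.teams.microsoft.com`, so it is treated as impersonation even though it begins with the real hostname. Anything that is not `legitimate` is a candidate for the reschedule-and-retry pattern the researchers describe and should be held for review rather than clicked.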
Advanced Malware Capabilities and Post-Compromise Activity
The malware deployed in the campaign includes loaders designed to fetch secondary payloads with infostealer and remote access capabilities. These tools focus on collecting browser data, credentials from password managers, and cryptocurrency wallet information.
A Windows variant delivered through a package named license-utils-kit was described as a full post-compromise implant capable of executing commands, logging keystrokes, stealing data, uploading files, and deploying remote access tools. It can also create encrypted archives and download additional modules to extend its functionality.
Researchers said the malicious code is often embedded within seemingly legitimate functions, allowing it to evade detection during installation. In some cases, it is concealed within standard logging methods, making it difficult for developers to identify.
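The concealment the researchers describe, a loader tucked into a function that reads like a logging helper, can be hunted for with a simple heuristic pass over a package before it is installed. The following scanner is an added example for this page, not code from the article, from Microsoft, or from any of the packages it names. It assumes a package is represented as its `package.json` plus a map of file contents, flags install-time lifecycle scripts, and rates a function as high severity when a benign-sounding name is paired with two or more dangerous primitives (base64 decoding, `child_process`, `exec`, `eval`, raw network modules). The sample package, its file names, and the `license-helper` name are constructed for illustration and are not the real `license-utils-kit` package.

```javascript
// Added example (not the article's code): heuristic scan for a loader hidden
// inside an innocuous helper, plus a check for npm lifecycle scripts.
const SUSPICIOUS = [
  { name: "child_process", re: /require\(\s*['"]child_process['"]\s*\)/ },
  { name: "process-exec", re: /\.(exec|execSync|spawn|spawnSync)\s*\(/ },
  { name: "dynamic-eval", re: /\b(eval|new\s+Function)\s*\(/ },
  { name: "base64-decode", re: /Buffer\.from\([^)]*['"]base64['"]\s*\)/ },
  { name: "outbound-network", re: /require\(\s*['"](https?|net|dns|tls)['"]\s*\)/ },
];

// Hooks npm runs automatically during `npm install` unless ignore-scripts is set.
const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare"];

// Names that invite a reviewer to skim past the function.
const BENIGN_NAME = /log|format|debug|util|helper|config/i;

// Collect `function name(...) { ... }` declarations with their bodies by brace
// matching. Adequate for the flat helper modules typical of small packages;
// a production tool would walk an AST instead.
function extractFunctions(source) {
  const out = [];
  const re = /function\s+([A-Za-z_$][\w$]*)\s*\([^)]*\)\s*\{/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    let depth = 1;
    let i = re.lastIndex;
    while (i < source.length && depth > 0) {
      if (source[i] === "{") depth += 1;
      else if (source[i] === "}") depth -= 1;
      i += 1;
    }
    out.push({ name: m[1], body: source.slice(m.index, i) });
  }
  return out;
}

function scanSource(file, source) {
  const findings = [];
  for (const fn of extractFunctions(source)) {
    const hits = SUSPICIOUS.filter((s) => s.re.test(fn.body)).map((s) => s.name);
    if (hits.length === 0) continue;
    // One dangerous primitive alone is common in legitimate build tooling;
    // a benign name wrapping two or more is the "malware in the logger" shape.
    const severity = BENIGN_NAME.test(fn.name) && hits.length >= 2 ? "high" : "medium";
    findings.push({ file, fn: fn.name, hits, severity });
  }
  return findings;
}

// pkg = { manifest: <parsed package.json>, files: { path: source, ... } }
function scanPackage(pkg) {
  const findings = [];
  const scripts = pkg.manifest.scripts || {};
  for (const hook of LIFECYCLE) {
    if (scripts[hook]) {
      findings.push({ file: "package.json", fn: hook, hits: ["lifecycle-script"], severity: "medium" });
    }
  }
  for (const [file, source] of Object.entries(pkg.files)) {
    findings.push(...scanSource(file, source));
  }
  return findings;
}

// Constructed sample: a logger whose debug path decodes a base64 blob and hands
// it to child_process, wired to run at install time through postinstall.
const SAMPLE_PACKAGE = {
  manifest: {
    name: "example-license-helper",
    version: "1.0.3",
    scripts: { postinstall: "node lib/logger.js" },
  },
  files: {
    "lib/logger.js": [
      "function logInfo(msg) { console.log('[info] ' + msg); }",
      "function logDebug(ctx) {",
      "  const blob = Buffer.from(ctx.payload || '', 'base64').toString();",
      "  require('child_process').exec(blob);",
      "}",
      "module.exports = { logInfo, logDebug };",
    ].join("\n"),
    "lib/version.js": "function parseVersion(s) { return s.split('.').map(Number); }",
  },
};

console.log(JSON.stringify(scanPackage(SAMPLE_PACKAGE), null, 2));
```

Run this against the contents of `npm pack` output before the package ever touches a developer machine; the lifecycle-script finding is the one that matters most, since with the default npm configuration a `postinstall` hook executes during `npm install` without anyone calling the library. Setting `ignore-scripts=true` in `.npmrc` removes that automatic execution, at the cost of breaking packages that genuinely need a build step.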
Microsoft said financially driven North Korean actors are continuing to evolve their tactics, infrastructure, and targeting strategies while maintaining consistent operational intent. The findings underscore the growing sophistication of supply chain attacks and the risks posed to developers and organisations relying on open-source software.