PROBABLYPWNED
Malware · April 9, 2026 · 4 min read

North Korea Spreads 1,700 Malicious Packages Across npm, PyPI, Go, Rust

Contagious Interview campaign escalates with trojanized developer tools across five ecosystems. Packages impersonate logging utilities and steal credentials.

James Rivera

Security researchers have identified over 1,700 malicious packages published by North Korean threat actors across npm, PyPI, Go, Rust, and Packagist since January 2025. The campaign, attributed to the persistent operation tracked as Contagious Interview, represents a significant escalation in supply chain attacks targeting software developers.

The Hacker News reports that the packages impersonate legitimate developer tooling—particularly logging utilities—while functioning as malware loaders designed to deploy infostealers and remote access trojans.

Identified Malicious Packages

The campaign spans five major package ecosystems:

npm (6 packages):

  • dev-log-core
  • logger-base
  • logkitx
  • pino-debugger
  • debug-fmt
  • debug-glitz

PyPI (4 packages):

  • logutilkit
  • apachelicense
  • fluxhttp
  • license-utils-kit

Go (2 packages):

  • github.com/golangorg/formstash
  • github.com/aokisasakidev/mit-license-pkg

Rust (1 package):

  • logtrace

Packagist/PHP (1 package):

  • golangorg/logkit

The naming patterns reveal the strategy: packages like pino-debugger ride the popularity of legitimate tools (Pino is a widely used Node.js logger), while names like golangorg/formstash impersonate official Go organization repositories.

How the Malware Works

Unlike typical supply chain attacks that trigger on installation, these packages activate their payloads within seemingly legitimate functions. For example, the Rust package embeds malicious code inside a Logger::trace(i32) method—a function developers would call during normal debugging.

This deferred execution makes scanner-based detection harder: tools that look for suspicious install-time scripts won't flag code that only runs when a specific function is invoked.

The payloads function as loaders that fetch platform-specific second-stage malware with infostealer and RAT capabilities. The Windows variant includes shell command execution, keystroke logging, browser data theft, file uploading, and the ability to deploy AnyDesk for persistent remote access.

We've been tracking North Korean supply chain operations throughout 2026. The earlier Axios npm compromise demonstrated how social engineering package maintainers can achieve wider reach than publishing new packages. This 1,700-package campaign shows the group pursuing both strategies simultaneously.

Connection to UNC1069

Google's Threat Analysis Group attributes a related campaign to UNC1069, a North Korean actor that compromised the popular Axios npm package through social engineering.

Between February 6 and April 7, 2026, the Security Alliance (SEAL) blocked 164 domains registered by UNC1069 impersonating Microsoft Teams and Zoom. The attackers conduct multi-week, low-pressure social engineering campaigns across Telegram, LinkedIn, and Slack to build trust before delivering malicious payloads.

The Axios compromise delivered WAVESHAPER.V2, an implant with cross-platform support for Windows, macOS, and Linux. Post-compromise, attackers maintain a deliberate dormancy period—maximizing their operational window before defenders detect the intrusion.

For organizations concerned about developer security, we previously covered how Contagious Interview weaponizes fake job interviews to compromise developers at cryptocurrency and AI companies.

Detection and Remediation

Organizations should scan their codebases for the identified package names. However, given the campaign's scale, undiscovered packages almost certainly exist.

Immediate actions:

  1. Audit dependencies across all projects for packages matching the identified names
  2. Review recent additions to package manifests (package.json, requirements.txt, go.mod, Cargo.toml)
  3. Check for AnyDesk installations on developer workstations—a common persistence mechanism
  4. Monitor for unusual network traffic from development environments
  5. Implement package provenance verification where available (npm provenance, Sigstore for Python)
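As an added example for steps 1 and 2 above (not tooling from the article or the researchers), this Python script parses the five manifest types named there, intersects the declared dependencies with the package names the article lists, and walks a checkout. The package list is the article's; the lightweight go.mod and Cargo.toml line parsers and the requirements.txt-only Python coverage (no pyproject.toml or lockfiles) are my own simplifying assumptions.

```python
import json
import re
from pathlib import Path

def _json_deps(text, keys):
    return {name for key in keys for name in json.loads(text).get(key, {})}

def _requirements_deps(text):
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith("-"):                # skip blanks and pip options (-r, -e)
            names.add(re.split(r"[\s<>=!~;\[@]", line, maxsplit=1)[0].lower().replace("_", "-"))
    return names

def _go_mod_deps(text):
    # Matches `require mod v1.2.3` and the indented lines inside a `require ( ... )` block.
    return set(re.findall(r"^\s*(?:require\s+)?(\S+)\s+v\d\S*", text, re.M))

def _cargo_deps(text):
    names, in_deps = set(), False
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("["):                               # e.g. [dev-dependencies.tokio]
            section = line.strip("[]").split(".")
            is_deps = section[0].endswith("dependencies")
            names.update(section[1:2] if is_deps else ())      # [dependencies.crate] names the crate
            in_deps = is_deps and len(section) == 1            # keys of a [x.crate] table are not crates
        elif in_deps and "=" in line:
            names.add(line.split("=", 1)[0].strip().strip('"'))
    return names

MANIFESTS = {  # manifest file -> (parser, package names the article lists for that ecosystem)
    "package.json": (lambda t: _json_deps(t, ("dependencies", "devDependencies", "optionalDependencies")),
                     {"dev-log-core", "logger-base", "logkitx", "pino-debugger", "debug-fmt", "debug-glitz"}),
    "requirements.txt": (_requirements_deps, {"logutilkit", "apachelicense", "fluxhttp", "license-utils-kit"}),
    "go.mod": (_go_mod_deps, {"github.com/golangorg/formstash", "github.com/aokisasakidev/mit-license-pkg"}),
    "Cargo.toml": (_cargo_deps, {"logtrace"}),
    "composer.json": (lambda t: _json_deps(t, ("require", "require-dev")), {"golangorg/logkit"}),
}

def scan_manifest(filename, text):
    """Return the listed package names that a manifest named `filename` declares."""
    parse, listed = MANIFESTS.get(filename, (lambda t: set(), set()))
    return parse(text) & listed

def scan_tree(root):
    """Map each manifest under `root` (installed trees included) to the listed packages it declares."""
    return {str(p): hits for p in Path(root).rglob("*")
            if p.name in MANIFESTS and (hits := scan_manifest(p.name, p.read_text(errors="replace")))}
```

Run `scan_tree(".")` from a monorepo root; an empty result means none of the article's names appear in any manifest, not that the tree is clean, since the campaign is far larger than the published list.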

For security teams:

The identified packages share infrastructure patterns that security vendors are incorporating into detection signatures. Update threat intelligence feeds and review any historical matches in network logs.

Why Developers Are Targeted

Developer machines represent high-value targets: they contain API tokens for cloud services, SSH keys, credentials for CI/CD pipelines, and access to source code repositories. A compromised developer can provide initial access to production environments without triggering perimeter defenses.

North Korea's operations increasingly focus on cryptocurrency—both through direct theft and by compromising developers at blockchain companies. The recent Drift Protocol hack demonstrates the financial stakes driving these campaigns.

The scale of this operation—1,700 packages across five ecosystems—indicates substantial resources dedicated to supply chain attacks. Developers should treat every new dependency with suspicion, particularly utilities with generic names or limited download counts.
