North Korean Hackers Exploit Open Source Developers via Supply Chain Attacks
North Korean threat actors have launched a supply chain attack campaign targeting open source software developers, deploying a backdoor and an information stealer to compromise development environments.
Overview of the Attack
The operation, attributed to a group linked to the Contagious Interview initiative, involves injecting malicious code into open source repositories across multiple package ecosystems. The campaign, active since December 2025, utilizes compromised GitHub accounts to distribute tainted code through JavaScript loaders that establish connections to blockchain and public remote procedure call (RPC) infrastructure for payload delivery.
Technical Details and Malicious Payloads
The malicious payloads include the DEV#POPPER remote access trojan (RAT) and the OmniStealer information stealer, which are embedded in compromised repositories. Attackers manipulate Git history to make malicious modifications appear older, evading detection. Over 162 malicious release artifacts have been identified across 108 distinct packages, with additional threats expected as the campaign evolves.
Scope and Affected Ecosystems
The compromised repositories target NPM, Packagist, Go modules, and Chrome extensions, indicating a broad scope. A specific incident involved the Xpos587 GitHub account, where repositories were altered on June 23, 2026, with malicious code injected into configuration files. The campaign later expanded to Packagist, affecting packages under the sevenspan namespace.
Attack Techniques and Evasion Methods
The attackers concealed malicious loaders within non-obvious files, bypassing initial cleanup efforts. Security researchers advise that any installation of affected packages or extensions should be treated as potentially compromised, with remediation requiring analysis from a clean machine to prevent further exposure of credentials and sensitive data.
Broader Implications and Recommendations
The attack leverages compromised maintainer accounts to tamper with legitimate projects, exploiting trust in open source ecosystems. The use of obfuscated JavaScript loaders highlights the sophistication of the campaign, which relies on decentralized infrastructure to avoid traditional detection methods. The Contagious Interview operation, which includes tactics seen in prior campaigns like DeceptiveDevelopment and ClickFake Interview, demonstrates a coordinated effort to infiltrate developer workflows.
Organizations are urged to review their software supply chains for signs of compromise, particularly those using affected package registries. The campaign underscores the growing risk of supply chain attacks targeting open source infrastructure, which serves as a critical component of modern software development. Security teams must implement rigorous verification processes for third-party dependencies and monitor for unusual activity in repository histories.
Security researchers advise that any installation of affected packages or extensions should be treated as potentially compromised, with remediation requiring analysis from a clean machine to prevent further exposure of credentials and sensitive data.
