Contagious Interview JSON storage delivery campaign targeting software developers
Campaign
Summary
The Contagious Interview campaign has shifted to using JSON storage services to stage malware, making delivery harder to spot and increasing risk to developer systems. The operation reaches prospective software developers through professional networking sites and lures them into downloading trojanized demo projects. A deceptive config file can point to the next-stage payload, which then drops tools such as BeaverTail and InvisibleFerret. The activity matters because it is designed to steal sensitive data and crypto wallet information while blending into legitimate web traffic.
Related Happenings
TrapDoor cross-ecosystem supply-chain campaign
Campaign
First: 25.05.2026 08:59
Last: 25.05.2026 08:59
Sources 1
About this happening:
The **TrapDoor** supply-chain campaign has expanded across **npm, PyPI, and Crates.io**, using **34+ malicious packages** to steal developer secrets and credentials. The operation...
Gremlin stealer modular toolkit evolution
Malware Activity
First: 15.05.2026 17:19
Last: 15.05.2026 17:19
Sources 1
About this happening:
The **Gremlin stealer** malware has expanded into a **modular toolkit** with **session-hijacking** and **crypto clipping** capabilities, raising the risk of credential theft and a...
TeamPCP Mini Shai-Hulud npm supply-chain campaign
Campaign
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **TeamPCP**-linked **Mini Shai-Hulud** campaign is a **malicious npm supply-chain operation** that steals developer credentials and abuses trusted publishing paths to spread t...
Famous Chollima PromptMink supply-chain campaign targeting Web3 developers
Campaign
First: 29.04.2026 17:43
Last: 29.04.2026 17:43
Sources 1
About this happening:
The **PromptMink** campaign is widening **Famous Chollima**'s supply-chain intrusion playbook by pushing **tainted npm packages** into developer environments and stealing secrets....
REF6598 Obsidian social-engineering campaign targeting finance and crypto users
Campaign
First: 16.04.2026 14:02
Last: 16.04.2026 14:02
Sources 1
About this happening:
The **REF6598** operation is using **LinkedIn**, **Telegram**, and **Obsidian** to deliver **PHANTOMPULSE**, creating a targeted intrusion path into **financial** and **cryptocurr...
Timeline
14.11.2025 20:25 3 articles · 6mo ago
Contagious Interview adds JSON storage staging for malware delivery
Technical Analysis Update
NVISO describes North Korean threat actors behind Contagious Interview as using JSON Keeper, JSONsilo, and npoint.io to host and deliver malware from trojanized developer projects, with a Base64-encoded value in `server/config/.config.env` pointing to an obfuscated next-stage payload that leads to BeaverTail, InvisibleFerret, and TsunamiKit delivery against prospective software developers.
- North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels — thehackernews.com — 14.11.2025 20:25
- New BeaverTail Malware Variant Linked to Lazarus Group — www.infosecurity-magazine.com — 18.12.2025 14:00
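
A pre-run check for the staging pattern described in the timeline entry, as an added example that is not code from NVISO or the cited articles: it decodes Base64-looking values in a project's `.env`-style files and reports any that resolve to a URL on a JSON storage service. The hostnames `jsonkeeper.com` and `jsonsilo.com` are assumed for the services the page names, and the sample file content, key names and URL are constructed placeholders.

```python
import base64
import re
from pathlib import Path
from urllib.parse import urlparse

# Assumed hostnames for the services the page names (JSON Keeper, JSONsilo, npoint.io).
JSON_STORAGE_HOSTS = ("jsonkeeper.com", "jsonsilo.com", "npoint.io")
B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{16,}")
URL = re.compile(r"https?://[^\s\"'<>]+")

def decoded_texts(value):
    """Yield UTF-8 text recovered from Base64-looking runs inside an env value."""
    for run in B64_RUN.findall(value):
        std = run.translate(str.maketrans("-_", "+/"))  # accept the URL-safe alphabet too
        try:
            yield base64.b64decode(std + "=" * (-len(std) % 4)).decode("utf-8")
        except ValueError:  # bad length/padding, or bytes that are not text
            continue

def scan_env_text(text):
    """Return (line_no, key, url) for Base64 values that decode to JSON-storage URLs."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        key, sep, value = line.strip().partition("=")
        if not sep or key.startswith("#"):
            continue
        for decoded in decoded_texts(value):
            for url in URL.findall(decoded):
                host = (urlparse(url).hostname or "").lower()
                if any(host == h or host.endswith("." + h) for h in JSON_STORAGE_HOSTS):
                    hits.append((line_no, key.strip(), url))
    return hits

def scan_tree(root):
    """Scan every *.env file under root (this matches server/config/.config.env)."""
    results = {}
    for path in Path(root).rglob("*.env"):
        if path.is_file():
            hits = scan_env_text(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results

# Constructed sample: placeholder URL and key names, not indicators from the report.
PLACEHOLDER_URL = "https://api.npoint.io/000000000000example"
SAMPLE_ENV = (
    "# constructed sample\nPORT=3000\n"
    "JWT_SECRET=c3VwZXJzZWNyZXRzaWduaW5na2V5\n"
    "API_KEY=" + base64.b64encode(PLACEHOLDER_URL.encode()).decode() + "\n"
)
```

Run `scan_tree()` over a cloned demo project before installing or starting it; a hit is a reason to inspect the project in isolation, not proof of compromise.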