PurpleBravo Contagious Interview campaign

Campaign
Happening score
H score 39
3 unique sources, 5 articles

Summary

The North Korea-linked Contagious Interview campaign is refining its malware stack, with Cisco Talos reporting that BeaverTail and OtterCookie are being merged more closely and that OtterCookie v5 now adds keylogging and screenshotting. The same report says the campaign used EtherHiding to fetch payloads from BNB Smart Chain or Ethereum, and that a Sri Lanka-headquartered organization was infected after a fake job offer led a user to install a trojanized Node.js app called Chessfi.

Related Happenings

Shai-Hulud worm clone activity on NPM

Malware Activity
First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials

Campaign
First: 12.05.2026 14:29 Last: 12.05.2026 14:29 Sources 1

About this happening: The **Shai-Hulud** **supply-chain campaign** remains active across **npm**, **PyPI**, and **Composer**, with the latest reporting tying **TeamPCP** to both a claimed **GitHub inte...

Mini Shai-Hulud npm supply-chain malware wave

Malware Activity
First: 12.05.2026 14:07 Last: 12.05.2026 14:07 Sources 1

About this happening: The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...

TeamPCP Mini Shai-Hulud npm supply-chain campaign

Campaign
First: 12.05.2026 14:07 Last: 12.05.2026 14:07 Sources 1

About this happening: The **TeamPCP**-linked **Mini Shai-Hulud** campaign is a **malicious npm supply-chain operation** that steals developer credentials and abuses trusted publishing paths to spread t...

TrickMo C TikTok-lure campaign targeting banking and wallet users in France, Italy, and Austria

Campaign
First: 11.05.2026 18:15 Last: 11.05.2026 18:15 Sources 1

About this happening: The **TrickMo** operators ran an active **TikTok-themed** campaign between **January and February 2026**, targeting **banking and wallet users** in **France, Italy and Austria**....

Timeline

  1. 22.04.2026 17:48 2 articles · 1mo ago

    Void Dokkaebi turns Contagious Interview into a self-propagating supply chain campaign

    Campaign Scope Update

    North Korean actor Void Dokkaebi, aka Famous Chollima, pushed the Contagious Interview fake-job campaign into a self-propagating software supply chain operation. It abuses compromised developer repositories, malicious Visual Studio (VS) Code tasks, and injected code that can run during normal development activity to spread malware and steal cryptocurrency wallet credentials, signing keys, and access to CI/CD pipelines and production infrastructure. Trend Micro said the campaign also stages payloads on Tron, Aptos, and Binance Smart Chain, and in March it found more than 750 infected code repositories, more than 500 malicious VS Code task configurations, and 101 instances of the commit-tampering tool.

  2. 21.01.2026 19:17 2 articles · 4mo ago

    PurpleBravo disclosure of targeted interview campaign

    Initial Disclosure

    Recorded Future's Insikt Group disclosed new findings on PurpleBravo, a North Korean threat cluster also tracked as Contagious Interview, linking 3,136 IP addresses to likely targets and identifying 20 potential victim organizations across artificial intelligence (AI), cryptocurrency, financial services, IT services, marketing, and software development in Europe, South Asia, the Middle East, and Central America. The activity was assessed to have targeted IP addresses from August 2024 to September 2025 and used fake job offers, LinkedIn personas, malicious Microsoft Visual Studio Code (VS Code) projects, malicious GitHub repositories, BeaverTail, GolangGhost, and Astrill VPN-administered C2 infrastructure.

  3. 25.09.2025 16:14 2 articles · 8mo ago

    Contagious Interview deploys AkdoorTea against software developers

    Technical Analysis Update

    ESET said the North Korea-linked Contagious Interview campaign, also tracked as DeceptiveDevelopment, is targeting software developers across Windows, Linux and macOS, especially those working on cryptocurrency and Web3 projects. It uses fake recruiter outreach on LinkedIn, Upwork, Freelancer and Crypto Jobs List, luring targets into video-assessment or coding workflows that deliver AkdoorTea, TsunamiKit, Tropidoor and other malware.
