Find notable cyber news and cases, enriched with sources, timelines, and signals.

Contagious Interview malicious npm package payload activity

Malware Activity
First reported
Last updated
Happening score
H score 30
1 unique sources, 1 articles

Summary

Hide ▲

The Contagious Interview operation has added 26 malicious npm packages, expanding a cross-platform supply-chain path that can hide C2 resolution, steal credentials, and drop a RAT. The packages use install.js and typosquatted dependency names to launch vendor/scrypt-js/version.js, which pulls hidden infrastructure from Pastebin and resolves Vercel-hosted payloads. One decoded domain, ext-checkdin.vercel[.]app, served a shell script that led to a trojan connecting to 103.106.67[.]63:1244/1247 for remote control, persistence, keylogging, browser theft, and secret exfiltration. The activity affects developer systems on Windows, macOS, and Linux.

Related Happenings

Mastra @mastra/* npm packages hit by network compromise

Incident
H score47 First: 17.06.2026 10:38 Last: 17.06.2026 10:38 Sources 1

About this happening: **Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...

Latest development: 20.06.2026 17:09

Microsoft attributed the Mastra AI supply chain attack to Sapphire Sleet, also known as BlueNoroff, and said the attackers compromised the npm maintainer account ehindero, which had publishing privileges across the Mastra package environment. The June 19 update said more than 140 packages in the @mastra scope were modified to inject easy-day-js.

UNK_DeadDrop developer phishing campaign using fake job and code-review lures

Campaign
H score30 First: 08.06.2026 18:00 Last: 08.06.2026 18:00 Sources 1

About this happening: A **UNK_DeadDrop** phishing campaign sent **more than 250 emails** to software developers at **almost 100 organizations**, using fake job and code-review lures to steal **cryptocu...

Ministry of Justice and Legal Affairs of Oman hit by network compromise

Incident
H score37 First: 06.05.2026 16:00 Last: 06.05.2026 16:00 Sources 1

About this happening: The **Ministry of Justice and Legal Affairs of Oman** suffered an **active intrusion** that exposed **session logs** and **more than 26,000 user records**, raising risk to judicia...

LofyGang Minecraft LofyStealer campaign

Campaign
H score38 First: 28.04.2026 20:39 Last: 28.04.2026 20:39 Sources 1

About this happening: The **LofyGang** crew has re-emerged with a **Minecraft-player targeting** operation that uses **LofyStealer (GrabBot)**, increasing the risk of **credential and payment-data thef...

Plain-crypto-js remote-access Trojan delivery

Malware Activity
H score30 First: 31.03.2026 23:55 Last: 31.03.2026 23:55 Sources 1

About this happening: The malicious **plain-crypto-js** dependency delivered a **remote-access Trojan (RAT)** that can run on **Windows, Linux, and Mac**, extending the open-source supply-chain comprom...

Latest development: 04.04.2026 23:30

Google Threat Intelligence Group linked the Axios npm compromise to UNC1069, a financially motivated North Korea-nexus threat actor, based on the use of WAVESHAPER.V2 and overlaps with infrastructure artifacts used by UNC1069 in past activity. The Axios maintainers also wiped affected systems, reset all credentials, and are implementing changes to prevent similar incidents.

Timeline

  1. 02.03.2026 10:44 2 articles · 4mo ago

    Contagious Interview npm campaign disclosed

    Initial Disclosure

    North Korean threat actors were disclosed as having published 26 malicious npm packages in the ongoing Contagious Interview campaign, using Pastebin steganography to recover Vercel-hosted C2 infrastructure and deliver a cross-platform RAT plus credential-stealing modules for Windows, macOS, and Linux.

    Show sources