Contagious Interview malicious npm package payload activity
Malware Activity
Summary
The Contagious Interview operation has added 26 malicious npm packages, expanding a cross-platform supply-chain path that can hide C2 resolution, steal credentials, and drop a RAT. The packages use install.js and typosquatted dependency names to launch vendor/scrypt-js/version.js, which pulls hidden infrastructure from Pastebin and resolves Vercel-hosted payloads. One decoded domain, ext-checkdin.vercel[.]app, served a shell script that led to a trojan connecting to 103.106.67[.]63:1244/1247 for remote control, persistence, keylogging, browser theft, and secret exfiltration. The activity affects developer systems on Windows, macOS, and Linux.
Related Happenings
Ministry of Justice and Legal Affairs of Oman hit by network compromise
Incident
First: 06.05.2026 16:00
Last: 06.05.2026 16:00
Sources 1
About this happening:
The **Ministry of Justice and Legal Affairs of Oman** suffered an **active intrusion** that exposed **session logs** and **more than 26,000 user records**, raising risk to judicia...
LofyGang Minecraft LofyStealer campaign
Campaign
First: 28.04.2026 20:39
Last: 28.04.2026 20:39
Sources 1
About this happening:
The **LofyGang** crew has re-emerged with a **Minecraft-player targeting** operation that uses **LofyStealer (GrabBot)**, increasing the risk of **credential and payment-data thef...
Plain-crypto-js remote-access Trojan delivery
Malware Activity
First: 31.03.2026 23:55
Last: 31.03.2026 23:55
Sources 1
About this happening:
The malicious **plain-crypto-js** dependency delivered a **remote-access Trojan (RAT)** that can run on **Windows, Linux, and Mac**, extending the open-source supply-chain comprom...
Latest development: 04.04.2026 23:30
Google Threat Intelligence Group linked the Axios npm compromise to UNC1069, a financially motivated North Korea-nexus threat actor, based on the use of WAVESHAPER.V2 and overlaps with infrastructure artifacts used by UNC1069 in past activity. The Axios maintainers also wiped affected systems, reset all credentials, and are implementing changes to prevent similar incidents.
GlassWorm supply-chain malware wave across GitHub, npm, and VSCode/OpenVSX
Malware Activity
First: 17.03.2026 23:42
Last: 17.03.2026 23:42
Sources 1
About this happening:
**GlassWorm** returned in a **new coordinated supply-chain attack** that compromised **433 components** across **GitHub, npm, and VSCode/OpenVSX**, creating a broad software-distr...
Latest development: 28.04.2026 00:41
GlassWorm returned in an OpenVSX supply-chain wave with 73 cloned sleeper extensions that were benign at upload and later turned malicious after an update, with six already activated to deliver malware. The extensions act as thin loaders that fetch payloads through GitHub-hosted secondary VSIX packages, platform-specific .node modules, or heavily obfuscated JavaScript, shifting the campaign toward submitting innocuous extensions first and introducing the malicious payload later.
Malicious Rust crates on crates.io exfiltrating .env secrets
Malware Activity
First: 11.03.2026 07:12
Last: 11.03.2026 07:12
Sources 1
About this happening:
The **five malicious Rust crates** on **crates.io** were published between **late February and early March 2026** and operated as a **supply-chain infostealer**. They masqueraded...
Timeline
02.03.2026 10:44 · 2 articles
Contagious Interview npm campaign disclosed
Initial Disclosure: North Korean threat actors were disclosed as having published 26 malicious npm packages in the ongoing Contagious Interview campaign, using Pastebin steganography to recover Vercel-hosted C2 infrastructure and deliver a cross-platform RAT plus credential-stealing modules for Windows, macOS, and Linux.
Sources:
- North Korean Hackers Publish 26 npm Packages Hiding Pastebin C2 for Cross-Platform RAT — thehackernews.com — 02.03.2026 10:44