Contagious Interview cryptocurrency social-engineering and malware-delivery campaign
Campaign
Summary
A North Korean cluster behind Contagious Interview / WaterPlum is running a coordinated malware campaign against cryptocurrency professionals, raising the risk of credential theft and malicious code execution. The operation uses LinkedIn outreach, fake venture capital firms, and fraudulent video conferencing links to steer victims into the delivery chain. Its focus on founders, CTOs, and senior engineers suggests a deliberate effort to reach people with privileged access to crypto infrastructure and wallets. The activity overlaps with related clusters (the Timeline sources below tie it to UNC1069) and continues to evolve across trusted hiring and developer workflows.
Related Happenings
TeamPCP uses Shai-Hulud release to build access-broker monetization pipeline
Threat Actor Meta
First: 18.05.2026 22:53
Last: 18.05.2026 22:53
Sources 1
About this happening:
**TeamPCP** is being framed as using the **Shai-Hulud** source-code release to drive an **access broker** business, turning worm distribution into a credential-monetization pipeli...
TeamPCP campaign expands across multiple victims
Campaign
First: 15.05.2026 13:54
Last: 15.05.2026 13:54
Sources 1
About this happening:
The **TeamPCP / Mini Shai-Hulud** supply-chain operation is actively compromising **hundreds of packages**, exposing **downstream developers** to **malware delivery** and **creden...
Hugging Face shared-loader supply chain campaign
Campaign
First: 11.05.2026 10:05
Last: 11.05.2026 10:05
Sources 1
About this happening:
A **Hugging Face** repository cluster appears to be part of a **broader supply chain campaign** that used **shared loaders** to push a stealer through open-source model downloads....
Vidar Stealer ClickFix campaign targeting multiple sectors
Campaign
First: 08.05.2026 14:00
Last: 08.05.2026 14:00
Sources 1
About this happening:
The **Vidar Stealer** campaign is using **ClickFix** social engineering and compromised **WordPress** sites to deliver password-stealing malware, widening risk for **infrastructur...
PCPJack TeamPCP-targeting cloud credential theft campaign
Campaign
First: 08.05.2026 12:00
Last: 08.05.2026 12:00
Sources 1
About this happening:
A new **PCPJack** campaign is targeting **TeamPCP victims** by **worming across exposed cloud infrastructure**, creating a fresh risk of credential theft and unauthorized reuse of...
Timeline
- 23.03.2026 20:09 · 2 articles
Contagious Interview expands developer and crypto targeting
Campaign Scope Update
North Korean threat actors behind Contagious Interview / WaterPlum are using malicious Visual Studio Code projects to auto-execute StoatWaffle: a task in the project's `.vscode/tasks.json` has `runOptions.runOn` set to `folderOpen`, so VS Code launches it as soon as the victim opens the folder. VS Code only runs automatic tasks in a trusted workspace and honours the `task.allowAutomaticTasks` setting, so the moment the victim trusts the unknown repository is what arms the task. StoatWaffle is a Node.js-based malware family that installs Node.js when it is missing and delivers both stealer and RAT modules. The same operator set is also targeting cryptocurrency and Web3 professionals through LinkedIn social engineering, fake venture capital firms, and fraudulent video conferencing links.
- North Korean Hackers Abuse VS Code Auto-Run Tasks to Deploy StoatWaffle Malware — thehackernews.com — 23.03.2026 20:09
- UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack — thehackernews.com — 03.04.2026 14:04
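As an added example (not code from this page, from the cited reports, or from any vendor), the following Python triage script parses a repository's `.vscode/tasks.json` (VS Code accepts JSON with comments and trailing commas, which a plain `json.loads` rejects) and flags tasks set to run on `folderOpen`, together with the options a quiet dropper would combine with it. It also checks whether a settings file has turned automatic tasks off. The sample `tasks.json`, its `./scripts/setup.js` path, and the settings snippet are constructed for illustration and are not indicators from the reports.

```python
"""Triage helper for VS Code auto-run tasks (added example, not vendor code).

The sample tasks.json and settings.json below are constructed; the
"./scripts/setup.js" path is a placeholder, not a real indicator.
"""
import json
from typing import Any


def _strip_comments(text: str) -> str:
    """Drop // and /* */ comments while leaving string literals untouched."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep an escaped char such as \" inside a string
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):       # line comment: skip to the newline, keep the newline
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):       # block comment
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def _strip_trailing_commas(text: str) -> str:
    """Remove a comma followed (after whitespace) by } or ], outside string literals."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif c == ",":
            j = i + 1
            while j < n and text[j] in " \t\r\n":
                j += 1
            if not (j < n and text[j] in "}]"):
                out.append(c)
        else:
            out.append(c)
        i += 1
    return "".join(out)


def strip_jsonc(text: str) -> str:
    """Turn VS Code's JSON-with-comments into strict JSON that json.loads accepts."""
    return _strip_trailing_commas(_strip_comments(text))


def find_auto_run_tasks(tasks_json_text: str) -> list[dict[str, Any]]:
    """Return every task whose runOptions.runOn is "folderOpen", with the fields a triager needs."""
    data = json.loads(strip_jsonc(tasks_json_text))
    findings = []
    for task in data.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        presentation = task.get("presentation") or {}
        findings.append({
            "label": task.get("label", "<unnamed>"),
            "type": task.get("type"),
            "command": task.get("command"),
            "args": task.get("args", []),
            # "hide": true keeps the task out of the Run Task picker and reveal "never"
            # keeps its terminal closed; both are legitimate on their own, but combined
            # with folderOpen they are what a dropper that wants to stay quiet would set.
            "hidden": bool(task.get("hide")),
            "silent": presentation.get("reveal") == "never",
        })
    return findings


def automatic_tasks_disabled(settings_json_text: str) -> bool:
    """True if a settings.json turns automatic tasks off (the user-side mitigation)."""
    settings = json.loads(strip_jsonc(settings_json_text))
    return settings.get("task.allowAutomaticTasks") == "off"


# Constructed sample: one ordinary build task and one auto-run task shaped like the
# technique in the timeline entry. Not a real artifact.
SAMPLE_TASKS_JSON = r'''{
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build" },
    {
      "label": "setup",                       // innocuous name
      "type": "shell",
      "command": "node",
      "args": ["./scripts/setup.js"],         // placeholder path
      "hide": true,
      "presentation": { "reveal": "never", "echo": false },
      "runOptions": { "runOn": "folderOpen" },
    },
  ],
}'''

SAMPLE_SETTINGS_JSON = '{ "task.allowAutomaticTasks": "off" }  // constructed hardened setting'

if __name__ == "__main__":
    for f in find_auto_run_tasks(SAMPLE_TASKS_JSON):
        print(f"auto-run task {f['label']!r}: {f['command']} {' '.join(f['args'])}"
              f" hidden={f['hidden']} silent={f['silent']}")
    print("automatic tasks disabled:", automatic_tasks_disabled(SAMPLE_SETTINGS_JSON))
```

Run it over each cloned repository before opening the folder in VS Code (feed the file contents to `find_auto_run_tasks`). A hit is not proof of malice, but a hidden, silent `folderOpen` task that hands `node` or a shell a file from inside the repository is exactly the shape the timeline entry describes and should be read before the workspace is trusted. Setting `task.allowAutomaticTasks` to `off` stops every automatic task, legitimate ones included, so it is a per-user trade-off rather than a universal fix.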