DPRK Contagious Interview campaign expands across 5 ecosystems
Socket disclosed a fresh wave of DPRK Contagious Interview / FAMOUS CHOLLIMA packages spanning npm, PyPI, Go modules, crates.io, and Packagist. They impersonate logging / license developer tooling and act as staged loaders for credential stealers and RATs across Windows, macOS and Linux. The Windows variant deploys a keylogger and AnyDesk for hands-on access.
- Threat actor
- Famous Chollima (DPRK)
- Detected by
- Socket
- Also known as
- Contagious Interview · CL-STA-0240
- Ecosystems
- crates.ioGonpmPackagistPyPI
- Packages tracked
- 14
What happened
Socket disclosed a fresh wave of the DPRK Contagious Interview campaign on 7 April 2026, spanning five package ecosystems simultaneously: npm, PyPI, Go modules, crates.io and Packagist. Socket's tracker now attributes more than 1,700 malicious packages to the cluster since 2024, including a prior wave of 338 npm packages.
The packages impersonate logging utilities, debug helpers and licence-management tooling — categories developers grab without scrutiny. They act as staged loaders for credential stealers and remote-access trojans across Windows, macOS and Linux. The Windows variant additionally deploys a keylogger and installs AnyDesk for hands-on-keyboard access.
Threat-actor personas behind the publishers include golangorg, aokisasakidev / aokisasakidev1, and maxcointech1010 / maxcointech0000, with registration emails like aokisasaki1122@gmail.com and shiningup1996@gmail.com. Distribution still relies on fake job lures: contractors and developers in crypto, blockchain and AI are messaged with "interview task" repositories that pull these packages as dependencies.
Key IOCs:
- C2 / delivery:
apachelicense.vercel.app,ngrok-free.vercel.app,logkit.onrender.com,logkit-tau.vercel.app,66.45.225.94. - Stage-2 hashes — Linux
9a541dffb7fc18dc71dbc8523ec6c3a71c224ffeb518ae3a8d7d16377aebee58, macOSbb2a89001410fa5a11dea6477d4f5573130261badc67fe952cfad1174c2f0edd, Windows7c5adef4b5aee7a4aa6e795a86f8b7d601618c3bc003f1326ca57d03ec7d6524.
Attribution to Famous Chollima (overlapping with the broader Lazarus umbrella) is consistent across Socket, Microsoft, Mandiant and Crowdstrike reporting.
Affected packages (14)
- PyPI
apachelicense0.1a1 - npm
debug-fmt - npm
debug-glitz - npm
dev-log-core1.0.5 - PyPI
fluxhttp - Go
github.com/aokisasakidev/mit-license-pkg1.0.2 - Go
github.com/golangorg/formstash1.0.5 - Packagist
golangorg/logkit - PyPI
license-utils-kit0.1rc3 - npm
logger-base - npm
logkitx - crates.io
logtrace1.0.2 - PyPI
logutilkit - npm
pino-debugger
Impact
- Cross-ecosystem coverage means one campaign can hit nearly any developer stack
- Windows variant deploys keylogger and AnyDesk for hands-on access
- Targets crypto, blockchain and AI developers via fake job lures
What to do
- 1Block listed C2s (apachelicense.vercel.app, logkit.onrender.com, logkit-tau.vercel.app, 66.45.225.94)
- 2Remove any of the named packages and rotate credentials
- 3Treat unsolicited contractor / interview-task repos as malware delivery