The Socket Threat Research Team has been following North Korea’s Contagious Interview operation as it targets blockchain and Web3 developers through fake job interviews. Since the last report, the campaign has added at least 197 malicious npm packages and over 31,000 downloads, showing how readily North Korean threat actors adapt to modern JavaScript and crypto development workflows. The recent wave of malicious npm packages exposes a delivery stack that uses GitHub to host malware-serving code, Vercel for payload delivery, and a separate command and control (C2) server for data collection and tasking, highlighting how threat actors are exploiting npm to target developers.









