Socket uncovered 26 malicious npm packages tied to North Korea’s Contagious Interview activity and assessed the tradecraft as consistent with FAMOUS CHOLLIMA. The packages were typosquats of widely used developer libraries and executed install scripts tha…
SOCRadar profiles Andariel as a North Korea-linked threat group operating under the Reconnaissance General Bureau and widely assessed as a Lazarus sub-cluster. The group targets defense, aerospace, nuclear engineering, healthcare, financial, software, and…
ENKI attributes GitHub-hosted malware abusing Visual Studio Code automation features to the DPRK-nexus Contagious Interview campaign targeting developers. Actors posed as recruiters, Web3 developers, and fictitious companies, then embedded OS-specific dow…
ENKI found a Contagious Interview campaign using GitHub repositories and VSCode task automation to infect developers with Beavertail, InvisibleFerret, and OtterCookie-related tooling. The operators posed as recruiters, developers, and fictitious or lookal…
Zscaler ThreatLabz links the Ruby Jumper campaign to APT37, also tracked as ScarCruft, Ruby Sleet, and Velvet Chollima, and describes new tooling for surveillance and air-gapped environments. The infection begins with malicious LNK files that launch Power…
Cisco Talos reports an ongoing campaign by UAT-10027 that has delivered a previously undisclosed backdoor named Dohdoor since at least December 2025. The campaign targeted education and health care organizations, predominantly in the United States, throug…
FAMOUS CHOLLIMA published seventeen npm packages on 25-26 February 2026 that used Pastebin and custom text steganography as a dead-drop resolver. Each package ran an install script that loaded an obfuscated vendor/scrypt-js/version.js payload, fetched Pas…
Abstract Security tracks Contagious Interview infection chains that abuse VS Code and Cursor task auto-execution to run downloader commands when developer projects are opened. New variants stage scripts through GitHub Gists, short.gy URLs, Google Drive, V…
Kudelski Security examines the DPRK fake IT-worker fraud ecosystem as a blended operation involving North Korean workers, recruited helpers, fake identities, and supporting cybercrime services. The excerpt says workers approach developers in countries inc…
CrowdStrike's 2026 Global Threat Report highlights a sharp increase in North Korea-nexus activity during 2025, including a 130% rise in incidents, doubled FAMOUS CHOLLIMA activity, and faster operational tempo from STARDUST CHOLLIMA. The North Korea-relev…
Microsoft Defender Experts traced a developer-targeting campaign to malicious Next.js repositories seeded as legitimate projects, recruiting exercises, and technical assessments. The repositories used three execution paths that fit normal developer behavi…
Symantec and Carbon Black report that North Korean state-backed Lazarus activity is using Medusa ransomware, with evidence from an attack on a Middle East target and an unsuccessful intrusion against a U.S. healthcare organization. The activity fits a bro…
The post tracks FAMOUS CHOLLIMA operator infrastructure by using npm publish notification emails exposed through insecure temporary-mail providers. The author says DPRK-linked npm operators used disposable domains registered through services such as email…
FAMOUS CHOLLIMA used express-core-validator v1.0.1, published by npm user crisdev09 on 20 February 2026, to test Google Drive as a stager in its Contagious Interview npm activity. The package’s postinstall chain loaded core.js, retrieved a Google Drive fi…
Quetzal details POWerful Armadillo, a newly named DPRK macOS malware family delivered through compromised WhatsApp accounts posing as a WebEx installer. The infection chain begins with a DMG containing a Bash-based installer, then pulls obfuscated Bash, J…