North Korea’s Contagious Interview Campaign Spreads Across 5 Ecosystems, Delivering Staged RAT Payloads

2026-04-07 Socket

https://socket.dev/blog/contagious-interview-campaign-spreads-across-5-ecosystems


Socket identifies a new cluster in North Korea’s Contagious Interview operation that published malicious packages across npm, PyPI, Go Modules, crates.io, and Packagist. The packages impersonated developer tools while hiding loaders inside ordinary-looking logging, license, tracing, multipart parsing, and helper functions rather than relying mainly on install-time execution. Shared staging behavior included contacting attacker-controlled infrastructure such as apachelicense[.]vercel[.]app, ngrok-free[.]vercel[.]app, logkit.onrender[.]com, logkit-tau[.]vercel[.]app, 66[.]45[.]225[.]94, and Google Drive delivery links to fetch ZIP archives or remotely supplied code. The payloads targeted developer environments for credential, browser, password-manager, and cryptocurrency wallet theft, with license-utils-kit adding Windows post-compromise functions including shell execution, keylogging, AnyDesk deployment, sensitive-file collection, encrypted archiving, and additional module execution.
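The summary above gives the campaign's staging infrastructure in defanged form and describes the tradecraft of hiding a fetch-unpack-run loader inside innocuous helper code rather than an install hook. The following added example is not part of the Socket report or of any of the packages it names; it is a defender-side triage script that refangs the indicators exactly as the page lists them and scans a package's source files for two things: literal references to that infrastructure, and the co-occurrence of network fetch, archive extraction and dynamic execution in one file. The keyword sets, the file contents and the verdict thresholds are assumptions constructed for this illustration.

```python
import re

# Defanged staging infrastructure, copied verbatim from the summary on this page.
DEFANGED_IOCS = [
    "apachelicense[.]vercel[.]app",
    "ngrok-free[.]vercel[.]app",
    "logkit.onrender[.]com",
    "logkit-tau[.]vercel[.]app",
    "66[.]45[.]225[.]94",
]

# Assumed heuristic: a single file that fetches over the network, unpacks an
# archive and then executes something is the "loader hidden in a helper" shape
# the report describes. Keyword lists are constructed for this example.
STAGE_KEYWORDS = {
    "network_fetch": ("urlopen", "urllib.request", "requests.get", "fetch(", "https.get",
                      "axios", "http.Get", "reqwest", "file_get_contents", "curl_exec"),
    "archive_extract": ("zipfile", "ZipFile", "unzip", "adm-zip", "archive/zip", "ZipArchive"),
    "dynamic_exec": ("exec(", "eval(", "subprocess", "child_process", "os/exec",
                     "Command::new", "shell_exec", "new Function"),
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its literal, lowercase form.

    Handles the [.] and (.) separators used in the summary and hxxp(s):// schemes.
    """
    s = indicator.strip()
    s = re.sub(r"\[\.\]|\(\.\)", ".", s)
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.lower()


def build_pattern(indicators) -> re.Pattern:
    """Compile one regex matching any indicator as a whole host or IP token.

    Longest alternatives first so a domain is not shadowed by a shorter prefix;
    the lookarounds stop '166.45.225.94' or 'xlogkit.onrender.com' matching.
    """
    refanged = sorted({refang(i) for i in indicators}, key=len, reverse=True)
    alternation = "|".join(re.escape(i) for i in refanged)
    return re.compile(r"(?<![A-Za-z0-9.-])(" + alternation + r")(?![A-Za-z0-9-])",
                      re.IGNORECASE)


def classify_stages(source: str) -> dict:
    """Return the loader stages whose keywords appear in one source file."""
    hits = {}
    for stage, keywords in STAGE_KEYWORDS.items():
        found = [k for k in keywords if k in source]
        if found:
            hits[stage] = found
    return hits


def scan_package(files: dict, pattern: re.Pattern) -> list:
    """Scan {filename: source} and return one finding per file.

    'malicious' needs a literal infrastructure hit; 'suspicious' needs all three
    loader stages in the same file without a known indicator; else 'clean'.
    """
    findings = []
    for name, src in files.items():
        iocs = sorted({m.group(1).lower() for m in pattern.finditer(src)})
        stages = classify_stages(src)
        if iocs:
            verdict = "malicious"
        elif len(stages) == len(STAGE_KEYWORDS):
            verdict = "suspicious"
        else:
            verdict = "clean"
        findings.append({"file": name, "iocs": iocs,
                         "stages": sorted(stages), "verdict": verdict})
    return findings


# Constructed sample package: inert fragments, not code from any real package.
SAMPLE_PACKAGE = {
    "logger.py": "import logging\nlog = logging.getLogger('app')\n"
                 "def info(msg):\n    log.info(msg)\n",
    "license_check.py": "import zipfile, urllib.request, subprocess\n"
                        "LICENSE_SERVER = 'https://apachelicense.vercel.app/check'\n"
                        "# constructed sample: helper body omitted\n",
    "tracing.js": "const axios = require('axios');\n"
                  "const AdmZip = require('adm-zip');\n"
                  "const { execSync } = require('child_process');\n"
                  "const TRACE_SINK = 'http://66.45.225.94:8080/t';\n",
    "helpers.py": "import requests\nfrom zipfile import ZipFile\nimport subprocess\n"
                  "SESSION_GET = requests.get  # constructed sample, no known indicator\n",
    "multipart.py": "import requests\nBOUNDARY = '----form'\n"
                    "def parse(body):\n    return body.split(BOUNDARY)\n",
}


if __name__ == "__main__":
    for finding in scan_package(SAMPLE_PACKAGE, build_pattern(DEFANGED_IOCS)):
        print(finding)
```

In a real pipeline the same two checks would run over the unpacked tarball of every new dependency before it reaches a build host; the indicator match is high confidence but only catches this cluster's known infrastructure, while the three-stage heuristic is what surfaces a renamed loader contacting a host nobody has listed yet, at the cost of false positives that a reviewer then has to read.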

Indicators of Compromise

Type    Value                              First Seen   Last Seen
HASH    9a541dffb7fc18dc71dbc8523ec6c3a…   2026-04-07   2026-04-07
HASH    bb2a89001410fa5a11dea6477d4f557…   2026-04-07   2026-04-07
HASH    7c5adef4b5aee7a4aa6e795a86f8b7d…   2026-04-07   2026-04-07
EMAIL   [email protected]                  2026-04-07   2026-04-07
EMAIL   [email protected]                  2026-04-07   2026-04-07
URL     https://apachelicense.vercel.ap…   2026-04-07   2026-04-07
DOMAIN  logkit.onrender.com                2026-04-07   2026-04-07
IPv4    66.45.225.94                       2026-04-07   2026-04-07
