New on LowEndTalk? Please Register and read our Community Rules.
N. Korean Hackers Spread 1,700 Malicious Packages Across npm, PyPI, Go, Rust
The North Korea-linked persistent campaign known as Contagious Interview has spread its tentacles by publishing malicious packages targeting the Go, Rust, and PHP ecosystems.

"The threat actor's packages were designed to impersonate legitimate developer tooling [...], while quietly functioning as malware loaders, extending Contagious Interview’s established playbook into a coordinated cross-ecosystem supply chain operation," Socket security researcher Kirill Boychenko said in a Tuesday report.
The complete list of identified packages is as follows ....
https://thehackernews.com/2026/04/n-korean-hackers-spread-1700-malicious.html


Comments
I've been saying for years that Rust's "everything is a crate!" mentality is going to end up replacing memory safety risks with supply chain risks. Why should you have to pull in two dozen third-party packages for a trivial utility?
It's a cargo cult.
Looks like some Go packages are affected too. PHP, Python, Rust, Node.js, Go, Linux distros (remember XZ utils?), anything that uses packages can be targeted these days. It's wild but sadly not surprising anymore, North Korea have really upped their game in the last decade and, honestly, I would congratulate them for finding their way into everything they want (cryptocurrency, FOSS, who knows what other critical pieces of infrastructure) if we weren't talking about a horrible dictatorship that has no regard for the lives of its civilians.
The real question is how are package repositories going to respond to that threat, if at all.
This is really freaking me out, especially on my local Linux machine. How the heck am I supposed to guard against this? We were always taught that we didn't need antivirus. I have ClamAV, but I don't know if it mitigates against this stuff at all, and I never had it set up other than to just run a full scan every once in a while or scan exes if I'm doing something in Wine.
No, ClamAV won't guard against this. No AV will.
I know there was some sort of push, at least on the AUR, to have some sort of local AI scanning updates for suspicious stuff. I'm hoping we see more of that in the future that automatically flags stuff like this. These package managers really need to get their shit together. It's no longer the old days where there are no viruses on Linux.
It's trivial to create a malicious package that will get around AI. The only solution is proper threat modeling. Minimize your TCB.
Why are all these North Korean threat actors such bad dudes? Feels like they're just out to ruin the whole open-source scene.
They're under sanctions so most of their actions involve cryptocurrency theft. They don't have anything against FOSS.
Write your own code instead of third party. Or include safe copies instead of using stuff not reviewed and not checked into your own repo.
Rust is not rubben approved, don't use it.
If it runs, don't update it.
It's a tradeoff. By using a stable third-party repo (e.g. Debian's repository) or simply not updating, you decrease the likelihood that a (relatively unsophisticated) supply chain compromise trickles down to you. On the other hand, doing so means you're willingly keeping software with known memory corruption bugs that could, with some effort, be used for exploitation.
It's not like every little "potentially exploitable, but we don't know how to reach it and/or it's too limited a primitive on its own to do much damage" bug results in a CVE and emergency upgrades. Over time, these "potentially exploitable" bugs build up until there are enough of them to chain together a working exploit. This is why Firefox ESR and "stable" kernels have such a bad security track record. By intentionally not upgrading other packages, you're putting them in the same position, even if you're reducing your direct exposure to supply chain compromises.
Running a bleeding-edge source-based distro like Gentoo is the other end of the spectrum. You'll get an update almost immediately after each new upstream tag release so if there is a supply chain compromise, you'll be among the first to succumb to it. But on the other hand, you'll never have to wait months or even years between major upgrades, so the code you run will never be collecting thousands of low-to-medium severity bugs.
Ouch, oww, yikes, eek
Any of those will make a good response.
Exactly, don't join a cargo cult of any kind.
And beware of strangers bearing gifts.