Cybersecurity researchers have identified a new wave within the campaign known as Contagious Interview, in which North Korean actors have placed dozens of malicious packages in the npm registry posing as useful tools for developers. The strategy combines typosquatting, automatic execution during installation and an obfuscation layer based on text steganography hosted on public services, which makes it difficult for both automatic detection and manual review by maintainers and users.
The finding was documented by Socket's team and by researcher Kieran Miyamoto at kmsec.uk. You can read Socket's technical report here: socket.dev - StegaBin, and the additional research at kmsec.uk here: kmsec.uk - DPRK text steganography. Both analyses show a repeated pattern: packages that appear to be legitimate libraries and that declare dependencies with the right names to give a false sense of trust.

The identified packages included an installation script that runs automatically when the package is installed in a development environment. This installer, in turn, loads an embedded malicious component that acts as a decoder: it contacts public pastes on services such as Pastebin, processes their apparent content (innocuous essays about computing) and reconstructs from it the address of the command and control (C2) infrastructure. The technique uses character substitutions and non-visible markers to hide addresses within the text, a form of text steganography that goes unnoticed by most automatic scanners and surface reviews.
Once the C2 addresses are recovered, the attack chain continues by contacting infrastructure hosted on multiple deployments of the Vercel platform. Socket documented that the operators used several Vercel instances to distribute next-stage payloads, adding redundancy and evasion capacity. You can consult Vercel's documentation as a reference for deployments and hosting here: vercel.com / docs.
The final artifacts downloaded by the malicious chain include a remote access trojan (RAT) and several utilities aimed specifically at capturing secrets and developer credentials: persistence within Visual Studio Code through a malicious tasks.json file that is triggered when projects are opened, keylogging and clipboard capture, theft of browser credentials and cryptocurrency extensions, scanning of repositories with legitimate tools to extract secrets, and exfiltration of SSH keys and relevant files from the development environment. Among these tools, the attackers even download the legitimate TruffleHog utility from its official repository to speed up the search for secrets; the project page is available on GitHub: trufflesecurity / trufflehog.
According to the analysis, the RAT establishes outbound connections to specific IP addresses and ports to receive orders and exercise real-time control over the compromised machine. From there the operator can run commands, move through the file system and plant additional modules for persistence and exfiltration. The result is a suite focused on extracting intelligence and credentials that are especially valuable in a professional software development context, where secrets and repository access often allow easy pivots to larger infrastructure.
The combined use of typosquatting (package names that mimic well-known libraries), scripts that run on installation and trust signals in the form of valid dependencies is a recipe designed to convince unsuspecting developers. For this reason, the reports recommend extreme caution when incorporating new packages, reviewing the content of install scripts and preferring dependencies with a verified history and active maintenance. The npm platform itself offers package security guides in its documentation: docs.npmjs.com - Security.

In addition to the Pastebin technique, researchers have observed parallel attempts in which the operators used other public services, such as Google Drive, to host next-stage payloads, which highlights the actor's versatility and its testing of multiple delivery vectors. An analysis of the use of Google Drive in these chains is available on the kmsec blog: kmsec.uk - DPRK GDrive manager.
What can teams and developers do to reduce risk? Without entering into technical instructions that facilitate abuse, good practices include auditing dependencies, applying automatic controls that detect installation scripts, using isolated testing environments, enabling policies that block the execution of unknown code and reviewing any changes in the configuration of IDEs and editors, for example when unexpected tasks or extensions appear in Visual Studio Code. It is also recommended to enable package and signature verification wherever the ecosystem allows it.
This campaign shows a worrying trend: attackers are increasingly targeting technical victims, taking advantage of the complexity of the development workflow and of trust in third-party packages. Continuous protection and monitoring, along with a culture of security in development teams, are the best defenses against these sophisticated threats. To understand the scope and methodology in more detail, review the full reports of the organizations that tracked the campaign: the Socket analysis and the kmsec.uk notes listed above.