We have been tracking North Korea’s Contagious Interview operation since 2024 and maintain a dedicated campaign page that now tracks more than 1,700 malicious packages linked to the activity. In this newly identified cluster, the threat actors operated under GitHub aliases including golangorg and published malicious packages across five open source ecosystems. The threat actor’s packages were designed to impersonate legitimate developer tooling (such as debug, debug-logfmt, pino-debug, baraka, license, http, libprettylogger, and openlss/func-log), while quietly functioning as malware loaders, extending Contagious Interview’s established playbook into a coordinated cross-ecosystem supply chain operation.