{"campaign":{"name":"Contagious Interview","slug":"contagious-interview","href":"/ti/campaigns/contagious-interview","description":"DPRK-linked (Famous Chollima) supply chain campaign targeting developers via npm, PyPI, and fake job interviews. MicrosoftSystem64 / js-logger-pack is attributed to this campaign cluster via the toskypi identity (tosky.pi1016@gmail.com), jpeek account rotation (jpeek868/886/895), and shared Lordplay/system-releases HuggingFace infrastructure. Overlapping sub-campaigns: Contagious Trader (crypto trading lures), BigSquatRat (typosquats).","objective":"Cryptocurrency theft, developer credential harvesting, persistent remote access to developer workstations","aliases":["Famous Chollima","Shifty Corsair","DEV#POPPER","CL-STA-0240"],"discovered_at":"2026-04-15"},"packages":[{"ecosystem":"npm","name":"js-logger-pack","href":"/ti/packages/npm/js-logger-pack","threat_types":["credential_stealer","crypto_drainer","data_exfiltration","persistence","c2_agent"],"versions":["0.0.1","1.0.0","1.1.0","1.1.2","1.1.4","1.1.5","1.1.6","1.1.7","1.1.8","1.1.9","1.1.10","1.1.14","1.1.17","1.1.18","1.1.19","1.1.20","1.1.21","1.1.22","1.1.23","1.1.24","1.1.25","1.1.26"]},{"ecosystem":"npm","name":"terminal-logger-utils","href":"/ti/packages/npm/terminal-logger-utils","threat_types":["credential_stealer","rat","c2_agent","data_exfiltration"],"versions":["1.0.0"]},{"ecosystem":"npm","name":"ts-logger-pack","href":"/ti/packages/npm/ts-logger-pack","threat_types":["credential_stealer","rat","c2_agent","data_exfiltration"],"versions":["1.0.0"]},{"ecosystem":"npm","name":"pretty-logger-utils","href":"/ti/packages/npm/pretty-logger-utils","threat_types":["credential_stealer","rat","c2_agent","data_exfiltration"],"versions":["1.0.0"]},{"ecosystem":"npm","name":"pinno-loggers","href":"/ti/packages/npm/pinno-loggers","threat_types":["credential_stealer","rat","c2_agent","data_exfiltration"],"versions":["1.0.0"]},{"ecosystem":"npm","name":"polymarket-validator","href":"/t
i/packages/npm/polymarket-validator","threat_types":["credential_stealer","data_exfiltration"],"versions":["1.0.0"]},{"ecosystem":"npm","name":"changelog-logger-utilities","href":"/ti/packages/npm/changelog-logger-utilities","threat_types":["credential_stealer","data_exfiltration"],"versions":["1.0.0"]}],"indicators":[{"kind":"domain","value":"api-sub.jrodacooker.dev","href":"/ti/ioc/domain/api-sub.jrodacooker.dev","context":"Earlier C2 domain for js-logger-pack; its DNS record has since been removed"},{"kind":"domain","value":"huggingface.co","href":"/ti/ioc/domain/huggingface.co","context":"Network indicator from blog post. Legitimate hosting service abused for payload delivery and screenshot exfiltration (see the URL indicators), so the bare domain is not a standalone blocking indicator."},{"kind":"ipv4","value":"195.201.194.107","href":"/ti/ioc/ipv4/195.201.194.107","context":"WebSocket + HTTP C2 server on port 8010. Hetzner, DE, AS24940. Secondary hostname: copilot-ai.whisdev.org."},{"kind":"sha256","value":"a49eee6b6db9da14db46587b68bf1d8a80976812f629bf3e100ac6ba83cf8490","href":"/ti/ioc/sha256/a49eee6b6db9da14db46587b68bf1d8a80976812f629bf3e100ac6ba83cf8490","context":"SHA-256 hash from blog post"},{"kind":"sha256","value":"6ce3b22b07fd5aef1dd77237334d80718601e4e02a706485572d3dda8993a4e3","href":"/ti/ioc/sha256/6ce3b22b07fd5aef1dd77237334d80718601e4e02a706485572d3dda8993a4e3","context":"SHA-256 hash from blog post"},{"kind":"sha256","value":"571533a643e67c38087f4da8cce0d3dc14670a52403717e4943433d392860a7f","href":"/ti/ioc/sha256/571533a643e67c38087f4da8cce0d3dc14670a52403717e4943433d392860a7f","context":"SHA-256 hash from blog post"},{"kind":"sha256","value":"585c5ab1fea06bed4956e34ffd6d6b576122addd34d252b163ae0801098e9eaf","href":"/ti/ioc/sha256/585c5ab1fea06bed4956e34ffd6d6b576122addd34d252b163ae0801098e9eaf","context":"SHA-256 hash from blog post"},{"kind":"sha256","value":"9f0a7174f9537bdbf63fe2329cea9a14198076180390af9f43a0e5b5c7c46912","href":"/ti/ioc/sha256/9f0a7174f9537bdbf63fe2329cea9a14198076180390af9f43a0e5b5c7c46912","context":"SHA-256 hash from blog 
post"},{"kind":"sha256","value":"e35801137cd09fa02aa996145d18ec68d67d71db9810f2608a6285ee1c08b054","href":"/ti/ioc/sha256/e35801137cd09fa02aa996145d18ec68d67d71db9810f2608a6285ee1c08b054","context":"SHA-256 hash from blog post"},{"kind":"sha256","value":"df45bbac7695f0edad3edde36904f2722f2af761887744a2f1d65df705d28dc6","href":"/ti/ioc/sha256/df45bbac7695f0edad3edde36904f2722f2af761887744a2f1d65df705d28dc6","context":"SHA-256 hash from blog post"},{"kind":"sha256","value":"43c93c609d48b6cb4f1275c285b5e6960ef74e7f5811b442e3c1038d49128d73","href":"/ti/ioc/sha256/43c93c609d48b6cb4f1275c285b5e6960ef74e7f5811b442e3c1038d49128d73","context":"SHA-256 hash from blog post"},{"kind":"domain","value":"copilot-ai.whisdev.org","href":"/ti/ioc/domain/copilot-ai.whisdev.org","context":"Secondary hostname on C2 IP 195.201.194.107. Linked to bink/ptc-bink/whisdev persona cluster (JFrog attribution)."},{"kind":"sha256","value":"b2954c945b51dbd6fa88ac72338b7fbf76dec7d9909ceada9d36b21330842c97","href":"/ti/ioc/sha256/b2954c945b51dbd6fa88ac72338b7fbf76dec7d9909ceada9d36b21330842c97","context":"MicrosoftSystem64 Linux ELF binary (81 MB Node.js SEA, v1.0.8)"},{"kind":"url","value":"https://huggingface.co/jpeek998/system-releases/resolve/main","href":"/ti/ioc/url/url-961b993523df","context":"Binary update URL for MicrosoftSystem64 self-update (24h interval)"},{"kind":"url","value":"https://huggingface.co/Lordplay/system-releases","href":"/ti/ioc/url/url-ad92b7bf2e37","context":"Original binary hosting repo on HuggingFace (disabled by HF, account Lordplay created 2025-11-24). Shared by jpeek868/886/895 cluster."},{"kind":"email","value":"jpeek868@gmail.com","href":"/ti/ioc/email/jpeek868@gmail.com","context":"npm publisher account jpeek868, author of js-logger-pack. Part of jpeek account rotation cluster (jpeek868/886/895). 
DPRK Famous Chollima."},{"kind":"file_path","value":"~/.local/share/MicrosoftSystem64","href":"/ti/ioc/file_path/file_path-52873c1fd43c","context":"Linux install directory for MicrosoftSystem64 binary and state files"},{"kind":"file_path","value":"~/.pcl-state/uploads.json","href":"/ti/ioc/file_path/file_path-1cd95f5e2f53","context":"Screenshot upload state tracker for HuggingFace exfiltration"},{"kind":"email","value":"tosky.pi1016@gmail.com","href":"/ti/ioc/email/tosky.pi1016@gmail.com","context":"npm account toskypi, linked to ~20 DPRK npm accounts per kmsec.uk. Published polymarket-validator, changelog-logger-utilities. Famous Chollima."},{"kind":"url","value":"https://huggingface.co/jpeek998/linux_doc_75a5ffec36ca","href":"/ti/ioc/url/url-6a9350e31e52","context":"Third victim dataset: 48 screenshot files, started 2026-05-28T06:10:24Z. Active compromise evidence."},{"kind":"domain","value":"sha256-validate-rpc.vercel.app","href":"/ti/ioc/domain/sha256-validate-rpc.vercel.app","context":"Contagious Trader exfil endpoint used by polymarket-validator (toskypi, Feb 2026)"},{"kind":"domain","value":"changelog.rest","href":"/ti/ioc/domain/changelog.rest","context":"Contagious Trader exfil endpoint used by changelog-logger-utilities (toskypi, Mar 2026)"}],"ttps":[{"name":"Supply Chain Compromise: Compromise Software Dependencies and Development Tools","mitre_attack_id":"T1195.001","href":"/ti/ttps/T1195.001"},{"name":"Command and Scripting Interpreter: JavaScript","mitre_attack_id":"T1059.007","href":"/ti/ttps/T1059.007"},{"name":"Unsecured Credentials: Credentials In Files","mitre_attack_id":"T1552.001","href":"/ti/ttps/T1552.001"},{"name":"Exfiltration Over C2 Channel","mitre_attack_id":"T1041","href":"/ti/ttps/T1041"},{"name":"Unsecured Credentials: Private Keys","mitre_attack_id":"T1552.004","href":"/ti/ttps/T1552.004"},{"name":"Steal Web Session Cookie","mitre_attack_id":"T1539","href":"/ti/ttps/T1539"},{"name":"Ingress Tool 
Transfer","mitre_attack_id":"T1105","href":"/ti/ttps/T1105"},{"name":"Application Layer Protocol: Web Protocols","mitre_attack_id":"T1071.001","href":"/ti/ttps/T1071.001"},{"name":"Web Service","mitre_attack_id":"T1102","href":"/ti/ttps/T1102"},{"name":"Event Triggered Execution","mitre_attack_id":"T1546","href":"/ti/ttps/T1546"},{"name":"Compromise Software Supply Chain","mitre_attack_id":"T1195.002","href":"/ti/ttps/T1195.002"},{"name":"Credentials from Password Stores: Web Browsers","mitre_attack_id":"T1555.003","href":"/ti/ttps/T1555.003"},{"name":"Input Capture: Keylogging","mitre_attack_id":"T1056.001","href":"/ti/ttps/T1056.001"},{"name":"Clipboard Data","mitre_attack_id":"T1115","href":"/ti/ttps/T1115"},{"name":"Screen Capture","mitre_attack_id":"T1113","href":"/ti/ttps/T1113"},{"name":"Exfiltration to Code Repository","mitre_attack_id":"T1567.001","href":"/ti/ttps/T1567.001"},{"name":"Scheduled Task/Job: Scheduled Task","mitre_attack_id":"T1053.005","href":"/ti/ttps/T1053.005"},{"name":"Create or Modify System Process: Launch Daemon","mitre_attack_id":"T1543.004","href":"/ti/ttps/T1543.004"},{"name":"Create or Modify System Process: Systemd Service","mitre_attack_id":"T1543.002","href":"/ti/ttps/T1543.002"},{"name":"Command and Scripting Interpreter: Unix Shell","mitre_attack_id":"T1059.004","href":"/ti/ttps/T1059.004"},{"name":"Node.js Single Executable Application Packaging","href":"/ti/ttps/node-js-single-executable-application-packaging"},{"name":"Obfuscated Files or Information: Encrypted/Encoded File","mitre_attack_id":"T1027.013","href":"/ti/ttps/T1027.013"},{"name":"Valid Accounts: Default Accounts","mitre_attack_id":"T1078.001","href":"/ti/ttps/T1078.001"}],"related_campaigns":[],"reports":[{"title":"Malicious npm Package js-logger-pack Ships a Multi-Platform WebSocket Stealer","url":"https://safedep.io/malicious-js-logger-pack-npm-stealer","published_at":"2026-04-15"},{"title":"MicrosoftSystem64: Anatomy of a Node.js SEA RAT Dropped by 
js-logger-pack","url":"https://safedep.io/microsoftsystem64-binary-payload-analysis","published_at":"2026-05-28"}]}