DPRK's Contagious Interview Is Actively Targeting Solana Devs: Here's How to Detect and Survive It
SolGuard Security

If you've been in the Solana developer ecosystem for the last year, you've probably noticed something: crypto developer job offers on LinkedIn, Telegram, and Discord have gotten a lot more interesting — and a lot more suspicious.
This is not a coincidence. North Korea's Lazarus Group has been running what threat researchers call "Contagious Interview" since at least 2023. After stealing $300M+ in Q1 2026 alone, they haven't slowed down.
Here's exactly what the attack looks like, how to detect if you've been hit, and what to do about it.
What Is Contagious Interview?
Contagious Interview is a social engineering campaign targeting individual cryptocurrency developers. The attacker poses as a recruiter for a legitimate-seeming company — often a DeFi protocol, a crypto exchange, or a Web3 startup.
The flow is:
- You get a DM or email from a recruiter on LinkedIn, Telegram, or Discord.
- They describe a compelling role — usually senior engineer or lead developer at a well-known or fake-but-plausible project.
- They ask you to complete a technical assessment — often a GitHub repo or zip file you clone locally.
- The "coding challenge" requires you to install npm packages or run a setup script.
- The malware installs silently — typically a node-based backdoor that exfiltrates SSH keys, browser cookies, wallet seeds, API keys, and sets up persistent access.
Why Developers Are the Target
Protocol developers have access to deployment keys, upgrade authorities, and multisig credentials. The Drift Protocol hack ($285M, April 1 2026) was traced to DPRK — and the entry vector involved compromising someone with administrative access.
Even if you don't have admin access, your machine is valuable: your git credentials, AWS keys, npm tokens, and Solana keypairs are all useful to attackers.
IOCs: What to Look For
If you ran a suspicious npm package or coding challenge in the last 6 months, check for these signs:
1. Persistent Processes
# macOS / Linux
ps aux | grep -E 'node|python' | grep -v grep
launchctl list | grep -v Apple
systemctl list-units --type=service | grep -v '[A-Z]'
Look for node or python processes running from unusual directories — /tmp/, ~/.npm/, ~/Downloads/, or any path you don't recognize.
2. Unauthorized SSH Keys
cat ~/.ssh/authorized_keys
tail -20 ~/.ssh/known_hosts
ls -la ~/.ssh/
Any keys you don't recognize in authorized_keys mean someone can SSH into your machine without a password.
3. Solana Keypair Exposure
# Check if your keypair has been read recently
ls -la ~/.config/solana/
stat ~/.config/solana/id.json

If your id.json modification time has changed, or if you see unusual access times, your keypair may have been exfiltrated. Note that simply reading the file does not update its modification time, only its access time, and many filesystems are mounted with noatime or relatime, so an unchanged access time is not proof the file was never read.
4. Outbound Network Connections
# Check for persistent outbound connections
netstat -an | grep ESTABLISHED | grep -v '127.0.0.1'
Look for connections to unfamiliar IPs, especially on non-standard ports (not 80/443/22). GlassWorm, one of the active DPRK malware families, uses Solana blockchain accounts as dead drops to receive C2 instructions — so traffic goes to standard RPC endpoints, making it hard to detect with port filtering.
5. npm Package Audit
# Full audit of installed packages
npm audit
grep '"resolved"' package-lock.json
GlassWorm has been found in packages with names like: solana-web3-utils, @solana/web3-utils, solana-tx-helper, crypto-wallet-connector. Over 400 npm packages have been compromised.
What to Do If You Think You've Been Compromised
- Immediately rotate your Solana keypair. Generate a new id.json and update any program authorities.
- Revoke all SSH keys and regenerate them.
- Rotate all API keys (AWS, npm tokens, GitHub PATs, cloud providers).
- Wipe and reinstall your OS if possible — backdoors can persist through reboots.
- Check your wallets for unauthorized transactions using a scanner like SolGuard.
- Report to your protocol security team immediately — the attacker may have lateral access.
Prevention Checklist
- Never run npm install from a coding challenge repo without auditing every package.
- Use a separate air-gapped machine for wallet signing and protocol admin keys.
- Keep deployment keypairs on hardware wallets (Ledger), not id.json.
- Verify recruiter identity independently — call the company directly, not via contact info in the message.
- Use the free GlassWorm scanner:
  curl -s https://solguard-security-monitor.surge.sh/scan.js | node - <wallet-address>
Automated Monitoring
Even if your environment is clean today, DPRK operations are continuous. @SolGuard_Bot on Telegram provides automated monitoring for:
- Durable nonce accounts associated with your wallet
- GlassWorm C2 blockchain dead drops
- Unusual transaction velocity and program upgrade alerts
- Interaction with known malicious program addresses
Free scanner: https://solguard-security-monitor.surge.sh | Telegram monitoring: @SolGuard_Bot