Hunting the Contagious Trader Delivery Network
Recon Village @ DEF CON 34 • August 6-9, 2026
Abstract
North Korean threat actors are running one of the largest software supply chain campaigns ever observed in the npm ecosystem, and the infrastructure hiding it in plain sight is discoverable through open-source reconnaissance alone.
This workshop walks participants through how we mapped a live DPRK delivery network targeting cryptocurrency developers, starting from a single malicious npm package and expanding outward to uncover 50+ malicious packages, 100+ GitHub repositories, 30+ throwaway npm personas, 20+ rotating C2 domains, and a social media promotion layer spanning X and Reddit.
The investigation surfaces three malware families: PromptMink, ClipViper, and OtterCookie, which operate through what initially appeared to be separate campaigns but share overlapping infrastructure, actors, and delivery techniques.
The workshop focuses on the recon methodology behind the mapping through six hands-on modules:
- Dependency chain tracing: How malicious payloads hide one to three hops deep in transitive npm dependencies, evading surface-level code review and automated scanners
- Actor network pivoting: Using email patterns, SSH key reuse, shared C2 infrastructure, and build artifact fingerprints to link 30+ throwaway npm accounts into operational clusters
- Identity spoofing detection: How to catch developer identity theft through timezone offset analysis
- GitHub delivery front reconnaissance: Tracing 40+ fork chains across front organizations all serving identical malicious payloads behind bot-inflated star counts and SEO-stuffed descriptions
- Social media promotion mapping: Connecting verified X accounts and Reddit personas to the distribution layer, and observing how the social infrastructure persists even after GitHub takedowns
- Evasion tracking in real time: Documenting the operators' shift from obfuscated JavaScript to on-chain payload storage via Solana, where the npm package contains zero malicious code and the payload lives in a blockchain account beyond the reach of static analysis
Participants work directly with actionable IoCs (packages, C2 domains, SSH keys, YARA rules, detection queries) and leave with a breakdown of how current Contagious Interview and Contagious Trader toolsets are converging into a unified threat.
Attendees will leave with a repeatable framework for mapping supply chain malware delivery networks using open-source data: package registries, Git metadata, DNS records, social media artifacts, and cross-referencing with community threat feeds.
Prerequisites
- A laptop with a terminal and a web browser
- An isolated sandbox or VM
- Tools: grep, awk, sort, uniq, diff, tar, unzip, shasum, git, jq
Speakers
Senior Threat Researcher @ PantherLabs
Senior Threat Researcher at PantherLabs, researching cloud and supply chain threats. Previously Threat Detection Engineer at Sysdig, focusing on Linux and container security, where she investigated nation-state malware and botnets. Former threat intelligence consultant for European financial institutions, investigating APTs targeting the financial sector. Current research focuses on supply chain and LLM security. MSc in Advanced Cybersecurity, King's College London.
View full speaker profile →Principal Threat Researcher at Databricks
Ariel Ropek has over a decade of experience building detection engineering and threat intelligence teams. His experience spans internal security, managed security, and security product organizations, which has exposed him to a broad variety of networks to protect and adversaries to defend against. Ariel builds tools for his teams to enhance their capabilities, most recently a distributed agentic malware scanner for the npm supply chain. When he's not hunting cyber threats he enjoys playing piano and building legos with his son.
View full speaker profile →
