{
	"id": "a3da1f49-082b-4a3f-b1bb-84be55f14b12",
	"created_at": "2026-04-06T00:10:12.255258Z",
	"updated_at": "2026-04-10T03:28:28.713988Z",
	"deleted_at": null,
	"sha1_hash": "4c66e210923784ee95abd19ff9a748ee6d7e496d",
	"title": "North Korea’s Contagious Interview Campaign Escalates: 338 M...",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5401207,
	"plain_text": "North Korea’s Contagious Interview Campaign Escalates: 338 M...\r\nArchived: 2026-04-05 23:39:55 UTC\r\nSecure your dependencies with us\r\nSocket proactively blocks malicious open source packages in your code.\r\nInstall\r\nThe Contagious Interview operation continues to weaponize the npm registry with a repeatable playbook. Since\r\nour July 14, 2025 update, we have identified and analyzed more than 338 malicious packages with over 50,000\r\ncumulative downloads.\r\n25 of these packages remain live on the npm registry at the time of writing. We have submitted takedown requests\r\nto the npm security team and petitioned for suspension of the associated publisher accounts.\r\nhttps://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages\r\nPage 1 of 30\n\nIn this latest wave, North Korean threat actors used more than 180 fake personas tied to new npm aliases and\r\nregistration emails, and ran over a dozen command and control (C2) endpoints (see IOCs). Their tooling has\r\nevolved from direct BeaverTail malware droppers to HexEval, XORIndex, and encrypted loaders. Each executes\r\nat install or import, reconstructs obfuscated BeaverTail in memory, then typically fetches the InvisibleFerret\r\nbackdoor for persistence. New malicious packages appear weekly, including this week.\r\nThe pattern is wave-based and iterative. The threat actors ship typosquatted packages, tweak the loader code, and\r\nscale distribution across new aliases.\r\nTargets include Web3, cryptocurrency, and blockchain developers, as well as technical job seekers approached\r\nwith recruiting lures, leading to multi-stage compromise and financial loss.\r\nhttps://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages\r\nPage 2 of 30\n\nLockheed Martin Cyber Kill Chain framework mapped to the current Contagious Interview\r\ncampaign. Reconnaissance on LinkedIn, weaponization with published malicious packages,\r\ndelivery via recruiter lures, exploitation by malware loaders that execute in memory, installation of\r\nBeaverTail and the InvisibleFerret backdoor, C2 over web protocols, then actions on objectives that\r\nestablish initial access, and steal sensitive credentials and wallet keys.\r\nStage 1: Reconnaissance#\r\nThe campaign opens with focused reconnaissance. Threat actors approach targets on social media, most often\r\nLinkedIn, posing as recruiters or hiring managers. They screen for technical fit and financial upside, prioritizing\r\nhttps://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages\r\nPage 3 of 30\n\ncryptocurrency and blockchain developers, Web3 engineers, and technical job seekers. The objective is to\r\ncompromise machines that are likely to hold credentials, private keys, tokens, and other monetizable secrets.\r\nA recent victim account on LinkedIn illustrates this stage. A software engineer received a “job opportunity”\r\nmessage, was given a repository for a quick assignment, and found an innocuous dependency named eslint-detector that contained an encrypted, obfuscated payload. The lure targeted a Web3 and crypto profile, relied on\r\nroutine dependency installation, and used a polished company persona. What looked like a part of the recruitment\r\nassignment was a staged malware delivery.\r\nLinkedIn victim report of a job-offer lure that delivered a malicious npm package, eslint-detector,\r\nwhich silently fetched an encrypted payload, illustrating Contagious Interview reconnaissance and\r\nsupply chain delivery tactics.\r\nhttps://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages\r\nPage 4 of 30\n\nSocket AI Scanner’s analysis of the malicious eslint-detector package highlights install-time\r\nexecution of a multi-stage infostealer/loader, theft of browser credentials and crypto-wallet data,\r\nmacOS Keychain access, clipboard monitoring and Windows keylogging with screen capture,\r\nremote command execution, BeaverTail download with Python-based persistence (i.e.\r\nInvisibleFerret staging), and HTTP exfiltration to hardcoded C2 endpoints.\r\nStage 2: Weaponization#\r\nWe continue to see weekly upload bursts, rapid re-uploads after takedowns, and iterative changes to loaders and\r\npostinstall scripts. Independent and excellent research by Kieran Miyamoto on the DPRK Research blog\r\n(https://dprk-research.kmsec.uk/) also corroborates this pattern and closely tracks the campaign’s weekly cadence\r\nacross the npm registry.\r\nhttps://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages\r\nPage 5 of 30\n\nOver 335 malicious packages in this wave align with the documented Contagious Interview techniques that\r\ncombine job-seeker social engineering with open source supply chain abuse, notably npm typosquats, brand\r\nimpersonation, and obfuscated loaders that fetch the second and third-stage malware and backdoors. Threat actors’\r\nobjective is developer endpoint access, CI/CD persistence, and ultimately cryptocurrency theft and strategic\r\nespionage across blockchain, Web3, and broader tech firms.\r\nOver 335 names cluster around everyday dependencies that interview candidates and working developers install\r\non autopilot, especially in the Node/Express stack. We see close misspellings and plausible add-ons of staples like\r\nexpress , dotenv , body-parser , validator , cors , helmet , morgan , nodemailer , and nodemon .\r\nExamples include epxreso / epxresso / epxressoo (Express), dotevn (dotenv), boby_parser (body-parser),\r\nvaildator (validator), cors-validator (cors), http-helmet (helmet), morgan-logger (morgan),\r\nnodemailer-helper (nodemailer), and nodemon-pkg (nodemon). As some victims report, play on deadline\r\npressure in fake job interview assignments (“just run npm install ”) turn routine setup into initial access.\r\nBeyond server basics, the current wave targets what developers touch constantly during quick prototypes:\r\nfrontend/framework and toolchain surface area (e.g., react-router , tailwindcss , next , vite , webpack ,\r\neslint , prettier ). We see lookalikes such as react-router-html , react-redirect-router , nextjs-babel-toastify , numerous [ vite ]-prefixed lookalikes like vite-plugin-react-ping and the near-duplicate\r\nvvite-plugin-react-ping , plus vitejs-plugin-react-refresh and webpack-css-branch-loader .\r\nWhen it comes to crypto hiring, the Web3 kits are also targeted: ethers.js is typosquatted as ethrs.js and\r\nethres.js ; web3.js is typosquatted as we3.js and wb3.js ; and there are systematic typosquats of\r\ntruffle (e.g., truffel ), ganache (e.g., ganacche ), and foundry (e.g., foudry ), as well as hardhat-themed packages like hardhat-deploy-notifier and hardhat-deploy-notification . We also see brand\r\nimpersonation such as metamask-api . The typosquatted names mirror what candidates are most likely to search,\r\ntypo, or accept in a template.\r\nStage 3: Delivery#\r\nTargets often receive a series of interview messages followed by a link to a code repository. Cloning and running\r\nthe project executes an initialization script on first use, which starts the malware chain. Some victims also receive\r\nlinks to documents or forms on common productivity platforms (e.g. Google Docs), setting up a “take home” task\r\nthat delivers the payload.\r\nhttps://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages\r\nPage 6 of 30\n\nLinkedIn DM lure directing the target to a Google Docs link, a stage-one tactic that establishes a\r\nhiring pretext, pivots off-platform, and sets up delivery of a coding test with malicious dependency.\r\nAdditionally, we found that threat actors registered email addresses to look like recruiter/HR or “tech” personas\r\nthat would resonate with developers and job-seekers. We see (1) recruiting/business veneer, e.g.\r\nbob.berg.business@gmail[.]com , soft.business0987@gmail[.]com , astroglobal.work@gmail[.]com ,\r\njiayingzhang.contact@gmail[.]com ; (2) developer/engineering cues, e.g. goldenrhynodev@gmail[.]com ,\r\nluis.fernando.dev1214@gmail[.]com , sean_tech208@hotmail[.]com , stromdev712418@gmail[.]com ,\r\nryon_dev_3@outlook[.]com ; and (3) crypto/Web3 flavor, e.g. jackson.tf7.eth@gmail[.]com . These match how\r\nthreat actors in Contagious Interview campaigns build plausible recruiting identities while keeping infrastructure\r\ndisposable.\r\nStage 4: Exploitation#\r\nExploitation begins the moment threat actor code executes on the target machine. In this campaign, execution is\r\nuser-driven, not a vulnerability exploit. Install or import triggers threat actor logic via npm lifecycle hooks such as\r\npostinstall , through entry points that run code at module load, or via small cross-platform wrappers. Three\r\nloader families (described in more detail below) implement this pivot from delivery to code run.\r\nhttps://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages\r\nPage 7 of 30\n\nA note on the exploitation of npm registry mechanisms by Contagious Interview threat actors. In the current wave\r\nof the npm ecosystem infiltrations, we found cases highlighting some gaps in account-level enforcement on the\r\nnpm registry that threat actors are targeting for abuse. For example, the threat actors’ alias anarenhsaihan\r\npublished two malicious packages: jito-components , which has since been removed and replaced by a security\r\nholding page, and components-flexibility , which remains live at the time of writing. Both packages serve as\r\nloaders for the BeaverTail malware.\r\nThe npm registry marks jito-components as a security holding package after detecting malicious\r\ncode, replacing the original with placeholder version 0.0.1-security to block installs and protect\r\nusers.\r\nDespite the jito-components package being flagged and removed by the npm security team, the threat actor’s\r\naccount was not suspended. This allowed the same alias to publish a second malicious package under the guise of\r\na legitimate UI styling utility.\r\nhttps://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages\r\nPage 8 of 30\n\nnpm account anarenhsaihan with a live package, components-flexibility, indicating the alias\r\nremains active and able to publish after the jito-components takedown.\r\nCleaning up the ecosystem is not a trivial task, especially against advanced persistent threat (APT) actors.\r\nContagious Interview is not a cybercrime hobby, it operates like an assembly line or a factory-model supply chain\r\nthreat. It is a state-directed, quota-driven operation with durable resourcing, not a weekend crew, and removing a\r\nmalicious package is insufficient if the associated publisher account remains active.\r\nSocket AI Scanner’s view of the npm alias anarenhsaihan shows jito-components replaced with a\r\nsecurity holding package while components-flexibility remains live. Our analysis of components-flexibility highlights install-time loader behavior, in-memory execution via eval, and delivery of\r\nBeaverTail malware.\r\nStage 5: Installation#\r\nContagious Interview packages install like nesting dolls, a small loader runs first, reconstructs BeaverTail in\r\nmemory, then BeaverTail drops and fetches the InvisibleFerret backdoor. Earlier waves relied on two families of\r\nloaders. HexEval stores stage-two as long hex strings, decodes them at runtime, and evaluates the plaintext with\r\neval , which transfers control to BeaverTail. XORIndex hides strings and code as XORed byte tables and\r\nrebuilds them with simple index math before executing the result. Both approaches avoid leaving a readable\r\nsecond stage on disk, and both appear across hundreds of malicious packages.\r\nRecent wave added encrypted loaders. The goal is obfuscation versus cryptographic safety. The malicious\r\npackages with encrypted loaders ship a small module that imports Node’s crypto , fixes the algorithm to AES-256-CBC, and hardcodes both the key and the initialization vector (IV). The ciphertext, a large hex blob, is\r\nstashed elsewhere in the package, sometimes in a file named LICENSE . At install or import, the module reads that\r\nblob, decrypts it, converts it to UTF-8, and evaluates the plaintext in process.\r\nhttps://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages\r\nPage 9 of 30\n\nSocket AI Scanner’s analysis of the malicious redux-saga-sentinel package highlights an encrypted\r\nloader split across two files. The top file, lib/utils/smtp-connection/parse.js, imports Node crypto\r\nand hardcodes an AES-256-CBC key and IV. The bottom file, LICENSE, stores the large hex\r\nciphertext. At runtime, parse.js decrypts the LICENSE blob to plaintext JavaScript and executes it,\r\nenabling in-memory loader execution within the same package.\r\nThe below CyberChef panel shows how defenders can reproduce decryption: convert the hex ciphertext to raw\r\nbytes, apply AES-256-CBC with the embedded key and IV, and recover the stage-two JavaScript. The recovered\r\nbody remains obfuscated, but deobfuscation confirms BeaverTail, based on its file and wallet targeting, control-flow patterns, and the handoff logic for launching the InvisibleFerret backdoor.\r\nCyberChef reproduces the decrypt of the package’s encrypted loader. Converting the hex ciphertext\r\nand applying AES-256-CBC with the embedded key and IV recovers BeaverTail stage-two\r\nJavaScript in the Output pane, still obfuscated but ready for deobfuscation and behavior analysis.\r\nhttps://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages\r\nPage 10 of 30\n\nOperationally, installation means a long-running foothold rather than a guaranteed autorun. The loader starts\r\nBeaverTail, which fetches and launches InvisibleFerret. With BeaverTail active and InvisibleFerret staged, the\r\nmalware is ready to register the host and begin tasking, which leads directly into Stage 6.\r\nStage 6: Command and Control#\r\nBeaverTail establishes C2 over HTTP(S) and sometimes WebSocket, registers the host, fetches tasking, and stages\r\nInvisibleFerret, a cross-platform Python backdoor for Windows, macOS, and Linux.\r\nThe campaign blends raw IP C2 with platform C2. Fixed IPs on commodity VPS providers act as backends, while\r\nfront-end beacons often use legitimate hosting such as *.vercel.app to blend into developer traffic. URIs are\r\ndeliberately plain and work-adjacent, with paths such as /api/ipcheck , /process-log , and /apikey that\r\nmasquerade as health checks or logging hooks, so a quick glance by a developer or code reviewer raises little\r\nsuspicion. Infrastructure recycles across waves with small mutations. Threat actors reuse domain patterns and\r\nURL shapes, periodically switch between raw IPs and platform subdomains, and reappear on non-standard ports,\r\nhistorically including port 1224 and in this wave additional high ports, to evade simple egress filters.\r\nStage 7: Actions on Objectives#\r\nMonetization and follow-on objectives focus on cryptocurrency theft and maintaining persistent access for further\r\ncompromise. There is no vetted dollar total for this specific campaign, but independent reporting estimates that\r\nNorth Korea-linked threat actors have already stolen $2 billion in 2025 and approximately $1.34 billion in 2024.\r\nThe social engineering workflow described here, fake recruiter personas that push candidates into running take-home assignments or “tests”, aligns with tactics Reuters reported across the crypto sector in 2025. Stolen assets\r\ntypically move through layered mixers, cross chain swaps, and lower visibility networks, with investigators\r\nobserving multi hop flows across Bitcoin, Ethereum, BTTC, and Tron.\r\nOutlook and Recommendations\r\nThe campaign’s trajectory points to a durable, factory-style operation that treats the npm ecosystem as a renewable\r\ninitial access channel. Across waves, we document a steady push of new malware loader variants, including recent\r\nencrypted loaders.\r\nWe anticipate more loader riffs that split decryption and staging across files to defeat static scans, continued reuse\r\nof URL shapes and hosting platforms for cover traffic, and rapid re-uploads after takedowns, especially when\r\npublisher accounts remain active.\r\nAccount suspensions help, but they are not sufficient, since accounts can be created on a whim. Registries should\r\nadopt layered controls: suspend and revoke tokens for confirmed malicious publishers; require re-verification with\r\n2FA and provenance signing; apply pre-publish and prefetch screening to quarantine high-risk uploads; throttle\r\nsuspicious velocity and namespace churn; and cluster related aliases by shared infrastructure, email patterns, and\r\ncode templates so enforcement follows the operator, not the name.\r\nDefenders should harden the points where this campaign succeeds: pull requests, installs, and CI. Treat every npm\r\ninstall as code execution and block risky behavior before it reaches developer machines or pipelines. Shift left\r\nhttps://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages\r\nPage 11 of 30\n\nby scanning code and PRs in real time; require a clean report before merge and vet external libraries for\r\nprovenance, maintainer trust, and pinned versions.\r\nSocket’s security tooling is purpose-built to address these challenges. The Socket GitHub App provides real-time\r\nPR scanning, flagging suspicious or malicious packages before merge. The Socket CLI surfaces red flags during\r\ninstalls and lets teams enforce allow/deny rules, blocking risky behaviors such as postinstall scripts,\r\nunexpected network egress, decrypt-and-eval loaders, or native binaries. Socket Firewall blocks known malicious\r\npackages before the package manager fetches them, including transitive dependencies, by mediating dependency\r\nrequests; use it alongside the CLI for behavior-level gating. The Socket browser extension alerts users to\r\nsuspicious packages while browsing. Socket MCP extends protection into AI-assisted coding, detecting and\r\nwarning on malicious or hallucinated packages before they are introduced through LLM suggestions. Integrating\r\nthese tools into development pipelines will help proactively detect and prevent malware, reducing exposure to\r\nContagious Interview-style supply chain attacks.\r\nMITRE ATT\u0026CK#\r\nT1195.002 — Supply Chain Compromise: Compromise Software Supply Chain\r\nT1608.001 — Stage Capabilities: Upload Malware\r\nT1204.002 — User Execution: Malicious File\r\nT1059.007 — Command and Scripting Interpreter: JavaScript\r\nT1027.013 — Obfuscated Files or Information: Encrypted/Encoded File\r\nT1546.016 — Event Triggered Execution: Installer Packages\r\nT1005 — Data from Local System\r\nT1082 — System Information Discovery\r\nT1083 — File and Directory Discovery\r\nT1217 — Browser Information Discovery\r\nT1555.003 — Credentials from Password Stores: Credentials from Web Browsers\r\nT1555.001 — Credentials from Password Stores: Keychain\r\nT1041 — Exfiltration Over C2 Channel\r\nT1105 — Ingress Tool Transfer\r\nT1119 — Automated Collection\r\nT1657 — Financial Theft\r\nIndicators of Compromise (IOCs)#\r\nC2 Endpoints\r\n1. 135[.]181[.]123[.]177\r\n2. 138[.]201[.]50[.]5\r\n3. 144[.]172[.]105[.]235\r\n4. 144[.]172[.]112[.]106\r\n5. 146[.]70[.]253[.]107\r\n6. 23[.]127[.]202[.]249\r\n7. 23[.]227[.]202[.]244\r\nhttps://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages\r\nPage 12 of 30\n\n8. http://fashdefi[.]store:6168/defy/v7\r\n9. https://0927[.]vercel[.]app/api/ipcheck\r\n10. https://api[.]npoint[.]io/b964566497d98298d32c\r\n11. https://ip-check-server[.]vercel[.]app/api/ip-check/208\r\n12. https://json-project-hazel[.]vercel[.]app/apikey/QWERTYU890T12HML\r\n13. https://log-server-lovat[.]vercel[.]app/api/ipcheck/703\r\n14. https://process-log[.]vercel[.]app/api/ipcheck\r\n15. https://process-log-update[.]vercel[.]app/api/ipcheck\r\nMalicious npm Packages:\r\n1. alchmey-sdk\r\n2. alert-codestreamer\r\n3. async-chai\r\n4. babel-cli-ganache\r\n5. bind-error\r\n6. bingo-abstract-transport\r\n7. bingo-log\r\n8. bingo-logger\r\n9. bingo-pretty\r\n10. boby_parser\r\n11. btrez-logger\r\n12. case-sensitive-paths\r\n13. chai-utils\r\n14. chartable-utils\r\n15. checking-ip\r\n16. checking-ips\r\n17. chunk-logger\r\n18. colorful-buttons\r\n19. common-js-support\r\n20. common-logify\r\n21. components-flexibility\r\n22. config-log\r\n23. cookie-logger\r\n24. cookie-loggers\r\n25. cookie-loggo\r\n26. cookie-parsing\r\n27. cookies-logger\r\n28. cors-validator\r\n29. cross-session\r\n30. ddok-escapes\r\n31. display-notifications\r\n32. dotevn\r\nhttps://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages\r\nPage 13 of 30\n\n33. dragon0905-vite-tsconfig-assistant\r\n34. emittery-up\r\n35. epxreso\r\n36. epxresso\r\n37. epxressoo\r\n38. err-notification\r\n39. error-analysis\r\n40. error-fallback\r\n41. error-loggerjs\r\n42. eslint-config-detector\r\n43. eslint-detector\r\n44. eslint-logger\r\n45. eslint-plugin-react-purify\r\n46. eslint-ts-view\r\n47. eslint-validation-cli\r\n48. eslints-logger\r\n49. eth-node-utils\r\n50. etherres\r\n51. ethres.js\r\n52. ethrs.js\r\n53. express-prisma\r\n54. express-xmlrequest\r\n55. file-uploading-advance\r\n56. filigrean-icon\r\n57. filigren-icon\r\n58. filigron-icon\r\n59. filiogrean-ico\r\n60. financial-utils\r\n61. flowhint\r\n62. flowico\r\n63. flowmint\r\n64. foudry\r\n65. foundary\r\n66. foundrey\r\n67. foundri\r\n68. frontend-cron\r\n69. func-analys\r\n70. func-analyst\r\n71. func-analysis\r\n72. func-logger\r\n73. fundry\r\n74. gad-logger\r\nhttps://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages\r\nPage 14 of 30\n\n75. ganac\r\n76. ganacche\r\n77. ganacha\r\n78. ganachee\r\n79. ganachhe\r\n80. gannache\r\n81. gatepass\r\n82. glow-admin\r\n83. gnach\r\n84. gridmind\r\n85. hardhat-deploy-notification\r\n86. hardhat-deploy-notifier\r\n87. hashsentinel\r\n88. http-err-notification\r\n89. http-helmet\r\n90. http-req-logger\r\n91. httpreslog\r\n92. httpreqlog\r\n93. husky-es\r\n94. husky-logger\r\n95. icon-sea\r\n96. ip-checkers\r\n97. ip-checking\r\n98. ip-checks\r\n99. item-box\r\n100. jito-components\r\n101. jnscript\r\n102. js-notifiers\r\n103. json-configs\r\n104. json-confs\r\n105. json-log-stream\r\n106. json-weqjoken\r\n107. json-webhooks\r\n108. jsonlise-conf\r\n109. jsons-logger\r\n110. jsonstylizer\r\n111. layzr\r\n112. log-task\r\n113. log4action\r\n114. logger-cookie\r\n115. logger-extjs\r\n116. logger-pino\r\nhttps://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages\r\nPage 15 of 30\n\n117. logging-winston\r\n118. logflow-json\r\n119. login-tokenizer\r\n120. lovable-ci\r\n121. lovable-cli\r\n122. lovable-cookie-logger\r\n123. lovable-cookies-logger\r\n124. lovable-js\r\n125. lovable-logger\r\n126. lovable-loggers\r\n127. lovable-react\r\n128. lovable-ts\r\n129. luma-glow-db\r\n130. matrix-charts\r\n131. mega-compress\r\n132. metamask-api\r\n133. middleware-loggers\r\n134. mongodb-cd\r\n135. mongodb-ci\r\n136. mongodb-orn\r\n137. mongose-ci\r\n138. mongose-cli\r\n139. morgan-logger\r\n140. motionflow\r\n141. mongoose-ci\r\n142. muxflux\r\n143. my-ttt\r\n144. next-plugin-uni-i18n\r\n145. nextjs-babel-toastify\r\n146. node-log-config\r\n147. node-log-stream\r\n148. node-logflow\r\n149. node-logger-sdk\r\n150. node-loggerx\r\n151. node-notifications\r\n152. node-nvm-ssh\r\n153. node-orm-logger\r\n154. node-vite-config\r\n155. node-winston\r\n156. node-winston-logger\r\n157. nodeapi-json\r\n158. nodemailer-helper\r\nhttps://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages\r\nPage 16 of 30\n\n159. nodemon-pkg\r\n160. nodelog-lite\r\n161. nodespode\r\n162. notification-clients\r\n163. notification-displayer\r\n164. notification-layer\r\n165. notifications-client\r\n166. notifications-layer\r\n167. notifications-log\r\n168. orbital-ledger\r\n169. parse-logger\r\n170. parser-session\r\n171. parser-tson\r\n172. pino-node\r\n173. pixzen\r\n174. preset-log\r\n175. prepare-config\r\n176. prettier-utils\r\n177. pretty-format-setting\r\n178. proc-log-cmd\r\n179. proc-log-error\r\n180. process-load\r\n181. qrcode-pretty-react\r\n182. query-logger\r\n183. randly\r\n184. rc-logger\r\n185. react-babel-purify\r\n186. react-context-stylizer\r\n187. react-copack\r\n188. react-content-provider\r\n189. react-dhtml\r\n190. react-dropzone-log\r\n191. react-eslint-type\r\n192. react-fs-cofnig\r\n193. react-fs-config\r\n194. react-hook-eslint\r\n195. react-icons-loader\r\n196. react-lovable\r\n197. react-milton\r\n198. react-outcome-error-alert\r\n199. react-prop\r\n200. react-repack\r\nhttps://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages\r\nPage 17 of 30\n\n201. react-redux-stylizer\r\n202. react-redirect-router\r\n203. react-router-html\r\n204. react-router-purify\r\n205. react-stylizer\r\n206. react-tediter\r\n207. react-thunk-log\r\n208. react-toast-ui\r\n209. real-socket-rt\r\n210. recharts-smart\r\n211. redux-eslint-saga\r\n212. redux-lint-saga\r\n213. redux-saga-devtool\r\n214. redux-saga-guard\r\n215. redux-saga-help\r\n216. redux-saga-inspector\r\n217. redux-saga-sentinel\r\n218. redux-saga-validator\r\n219. redux-thunk-action\r\n220. redux-toolkit-rts\r\n221. request-guard\r\n222. request-kraken\r\n223. request-sentry\r\n224. router-kit\r\n225. rtk-log\r\n226. rtk-logger\r\n227. rtk-service\r\n228. rtk-sleep\r\n229. rtk-wake\r\n230. safe-winston\r\n231. sensitive-paths-focus\r\n232. session-logger\r\n233. sessionfiy\r\n234. sessions-logger\r\n235. simple-icon-maker\r\n236. some-promise\r\n237. stake-config\r\n238. stream-loggers\r\n239. strictor\r\n240. succgdess\r\n241. tai1wind-configs-viewer\r\n242. tailwind-beauty-icon\r\nhttps://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages\r\nPage 18 of 30\n\n243. tailwind-book-icon\r\n244. tailwind-class-overrides\r\n245. tailwind-classname-overrides\r\n246. tailwind-classes-overrides\r\n247. tailwind-color-icon\r\n248. tailwind-computer-icon\r\n249. tailwind-config-overrides\r\n250. tailwind-config-setting\r\n251. tailwind-configs\r\n252. tailwind-configs-viewer\r\n253. tailwind-cup-icon\r\n254. tailwind-desktop-icon\r\n255. tailwind-glass-icon\r\n256. tailwind-icon\r\n257. tailwind-icon-animate\r\n258. tailwind-mouse-icon\r\n259. tailwind-mui-modal\r\n260. tailwind-nbr-icon\r\n261. tailwind-next-icon\r\n262. tailwind-react-icon\r\n263. tailwind-react-mui\r\n264. tailwind-round-icon\r\n265. tailwind-scrollbar-show\r\n266. tailwind-scrollmenu\r\n267. tailwind-style-components\r\n268. tailwind-style-overrides\r\n269. tailwind-supabase\r\n270. tailwind-theme-colors\r\n271. tailwindcss-animatexs\r\n272. tailwindcss-animators\r\n273. tailwindcss-color-icons-lite\r\n274. tailwindcss-config-overrides\r\n275. tailwindcss-remotion\r\n276. theta-tv-charts\r\n277. tjsontype\r\n278. trslip\r\n279. truflee\r\n280. truffel\r\n281. tsleep\r\n282. uidraftism\r\n283. uxlift\r\n284. uxline\r\nhttps://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages\r\nPage 19 of 30\n\n285. vaildator\r\n286. viam\r\n287. vite-audit-plugin\r\n288. vite-auditlog\r\n289. vite-babel-plugin-es6-promise\r\n290. vite-binding-js\r\n291. vite-chunk-tools\r\n292. vite-chunk-manager\r\n293. vite-configs-viewer\r\n294. vite-css-icon\r\n295. vite-jsconfig\r\n296. vite-lightsparse\r\n297. vite-linting-js\r\n298. vite-log-plugin\r\n299. vite-logeidit\r\n300. vite-mobcss-log\r\n301. vite-next-logger\r\n302. vite-next-loggers\r\n303. vite-parse\r\n304. vite-plugin-chunk-chop\r\n305. vite-plugin-es6-babel\r\n306. vite-plugin-js-support\r\n307. vite-plugin-morgan\r\n308. vite-plugin-opticompress\r\n309. vite-plugin-parse\r\n310. vite-plugin-parse-js\r\n311. vite-plugin-parse-json\r\n312. vite-plugin-react-ping\r\n313. vite-plugin-reactjs-refresh\r\n314. vite-plugin-uni-i18n\r\n315. vite-plugin-vue-layout\r\n316. vite-postcss-bootstrap\r\n317. vite-postcss-helper\r\n318. vite-postcss-kit\r\n319. vite-postcss-nested\r\n320. vite-react-chunker\r\n321. vite-simpleparse\r\n322. vite-singleparse\r\n323. vite-ts-icon\r\n324. vite-tsauditlog\r\n325. vite-tsconfig-assistant\r\n326. vite-tsconfig-optimized\r\nhttps://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages\r\nPage 20 of 30\n\n327. vitejs-plugin-react-refresh\r\n328. vortex-logger\r\n329. vvite-plugin-react-ping\r\n330. wb3.js\r\n331. we3.js\r\n332. webpack-css-branch-loader\r\n333. winstem-logging\r\n334. winston-datalog\r\n335. winston-log\r\n336. x-session-parser\r\n337. xml-request-parser\r\n338. tailwindcss-theme-icons\r\nnpm Aliases\r\n1. adammorris533\r\n2. alexander0110818\r\n3. alexander0110820\r\n4. alexander0110828\r\n5. anarenhsaihan\r\n6. andrey0212\r\n7. andrii_matsiuk\r\n8. anthony_smith\r\n9. ariel02\r\n10. artemsdefi\r\n11. artemsnpm\r\n12. asd123123123123\r\n13. astro123456\r\n14. aylin_alkan\r\n15. behrad80515\r\n16. bellyache\r\n17. benmilam727510\r\n18. benzonjohn\r\n19. bobbb\r\n20. brian_sanders\r\n21. brian_scott\r\n22. bryankoh0604\r\n23. bryanlee604\r\n24. butleralvin510\r\n25. carolina32123\r\n26. caroline727\r\n27. castiblanco\r\n28. cesar510727\r\nhttps://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages\r\nPage 21 of 30\n\n29. chain1107saw\r\n30. charles1236542\r\n31. charles987456\r\n32. cheapdev009\r\n33. cheekaide\r\n34. christrotman\r\n35. danicaagawin\r\n36. daniel604\r\n37. darielfrias\r\n38. david0604\r\n39. david1003\r\n40. david_fernandez\r\n41. david_raynolds\r\n42. davidjambis\r\n43. ddok\r\n44. denys604\r\n45. diego123123\r\n46. dkeosleff\r\n47. dmitriy1023\r\n48. dmytro604\r\n49. dragon0905\r\n50. dyani-steras\r\n51. elodieblanc0707\r\n52. emily0102\r\n53. evalinevaraza63\r\n54. fanhaoming\r\n55. felip2342\r\n56. fukdev\r\n57. fulldev0418\r\n58. goldenrhyno\r\n59. grayce1024\r\n60. guograce902\r\n61. harry1988051211\r\n62. harukitanaka\r\n63. hector008\r\n64. hector9299\r\n65. hendriksenelise727\r\n66. hmax\r\n67. holppkgaske6i75\r\n68. iandavies\r\n69. ip_checknpm\r\n70. jacksoneth\r\nhttps://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages\r\nPage 22 of 30\n\n71. jahmiekstreetmanx\r\n72. jaya_lubiszn\r\n73. jeffbennett862\r\n74. jenny-jenkins\r\n75. jenis19970102\r\n76. jiaopin0813\r\n77. jinping0813\r\n78. jinping0824\r\n79. jiupaladin\r\n80. joko_seti\r\n81. johnasten\r\n82. julianohoffmann\r\n83. kaitlyndynamo\r\n84. kanaan7407751\r\n85. kevin_c\r\n86. kevincarol\r\n87. kevinyamada\r\n88. kencheng1291\r\n89. kingwords\r\n90. kingsley19960304\r\n91. kentadev0114\r\n92. kik.ita\r\n93. kurnia_utama4q\r\n94. lauren01\r\n95. leahu0604\r\n96. loraine-packman09164\r\n97. lucastyler\r\n98. luka1291\r\n99. luka1293\r\n100. lukapro518\r\n101. luis1214\r\n102. maggie01\r\n103. malarkey1992\r\n104. marcsanford\r\n105. math4324\r\n106. meirjacob\r\n107. melnikoleg\r\n108. michaeldante\r\n109. milton_sanders\r\n110. monky1003\r\n111. mykola1214\r\n112. mykolakostenko\r\nhttps://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages\r\nPage 23 of 30\n\n113. natin933\r\n114. n99114\r\n115. npmlover56\r\n116. oliverwilson1976\r\n117. ossargd324625\r\n118. paerhui1102\r\n119. patrickweberman\r\n120. pavlo123123\r\n121. perumal_balak\r\n122. peter_soria525582\r\n123. protonsra\r\n124. quongekitti8vs6cx\r\n125. riccardotala798\r\n126. rodolfguerr\r\n127. royalcat\r\n128. royalking\r\n129. royalpanda\r\n130. royalpandagungfu\r\n131. royaltiger\r\n132. ruplles0308\r\n133. ryon2080\r\n134. ryon_tim\r\n135. satodev\r\n136. satrias\r\n137. sasin\r\n138. savioh\r\n139. scarlet1290\r\n140. scott_david\r\n141. seed1996001\r\n142. sean-tech\r\n143. seren_quasarmzfjn49235\r\n144. sergio12\r\n145. setiawanet\r\n146. skydev777\r\n147. smartdevuser\r\n148. storm0418\r\n149. suhkuv.competition.tel\r\n150. terralindenwhytk82974\r\n151. tetiana0102\r\n152. thiago_chiago\r\n153. tim_blosser\r\n154. timothygaffney08\r\nhttps://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages\r\nPage 24 of 30\n\n155. trailer\r\n156. trenton_alexander\r\n157. uoenkpense\r\n158. valerii73718\r\n159. vandesaw\r\n160. venjamin\r\n161. venjamin1\r\n162. vespero1011\r\n163. victoria88\r\n164. viktoria115\r\n165. vinkeyasmael\r\n166. vladsupernpm\r\n167. vladislavkarniushka\r\n168. web3chessdefi\r\n169. wilder_keatingrmtuw64788\r\n170. wilkinson310\r\n171. william1024\r\n172. winston1\r\n173. wonderful123\r\n174. world47\r\n175. world4dev\r\n176. xinrong83\r\n177. yasmin9\r\n178. yevheniikasymchuk\r\n179. yonismith\r\n180. zane29879\r\n181. zhang.j\r\n182. zybinantone241\r\nEmail Addresses\r\n1. adammorris533@gmail[.]com\r\n2. aidanphillips721@gmail[.]com\r\n3. alexander0110818@outlook[.]com\r\n4. alexander0110820@outlook[.]com\r\n5. alexander0110828@outlook[.]com\r\n6. anastasiiakoziar02@gmail[.]com\r\n7. anthonysmith0979@outlook[.]com\r\n8. anto[.]nost[.]athakos194@gmail[.]com\r\n9. arslan310[.]kiran@gmail[.]com\r\n10. astroglobal[.]work@gmail[.]com\r\n11. aylin_fintech@hotmail[.]com\r\n12. behrad[.]daniel@outlook[.]com\r\nhttps://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages\r\nPage 25 of 30\n\n13. bellyache@alightmotion[.]id\r\n14. bob[.]berg[.]business@gmail[.]com\r\n15. briansanders0126@gmail[.]com\r\n16. bryankoh64@outlook[.]com\r\n17. bryanlee604@outlook[.]com\r\n18. butleralvin510@outlook[.]com\r\n19. carolina32123@hotmail[.]com\r\n20. carolinefruet727@gmail[.]com\r\n21. chain1107saw@gmail[.]com\r\n22. chaparrocesaryed510727@outlook[.]com\r\n23. cheekaide1992@gmail[.]com\r\n24. ChinneryMarcia5425@hotmail[.]com\r\n25. christrotman727@outlook[.]com\r\n26. cibin87216@exitbit[.]com\r\n27. ctwajstj8948@hotmail[.]com\r\n28. danicaagawin5@gmail[.]com\r\n29. darielfrias89@outlook[.]com\r\n30. davidfernandez420@outlook[.]com\r\n31. davidjambis@outlook[.]com\r\n32. decovenjamin@gmail[.]com\r\n33. denise[.]ward0418@outlook[.]com\r\n34. desmondwynn144@gmail[.]com\r\n35. devkotacorrado@googlemail[.]com\r\n36. dl249995@gmail[.]com\r\n37. dmytro604@outlook[.]com\r\n38. dreamjobsato@gmail[.]com\r\n39. dv6305655@gmail[.]com\r\n40. dyanisteras15091999cuunn@hotmail[.]com\r\n41. elodieblanc0707@gmail[.]com\r\n42. emilylida0923@outlook[.]com\r\n43. ethoszephyrtrcac76000@hotmail[.]com\r\n44. EvalineVaraza63@hotmail[.]com\r\n45. farrelvillarrealdngp170616@hotmail[.]com\r\n46. felip2342@techspirehub[.]com\r\n47. fhaoming7@gmail[.]com\r\n48. galihmxf11@hotmail[.]com\r\n49. garavitovillamilj@gmail[.]com\r\n50. garycorn@loopsoft[.]tech\r\n51. goldenrhynodev@gmail[.]com\r\n52. grayce@xuchuyen[.]com\r\n53. guograce902@gmail[.]com\r\n54. guilddmelihb2r@hotmail[.]com\r\nhttps://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages\r\nPage 26 of 30\n\n55. hmax23410@gmail[.]com\r\n56. hectorramirez008@outlook[.]com\r\n57. hendriksenelise727@gmail[.]com\r\n58. hiroshi[.]watanabe1011@gmail[.]com\r\n59. holppkgaske6i75@outlook[.]com\r\n60. iandavies2313@gmail[.]com\r\n61. jackson[.]tf7[.]eth@gmail[.]com\r\n62. jahmiekstreetmanxlj126940778@hotmail[.]com\r\n63. jaya[.]lubiszn@hotmail[.]com\r\n64. jeffbennett862@gmail[.]com\r\n65. jessikamoreira015@gmail[.]com\r\n66. jh0333224@gmail[.]com\r\n67. jiaopin0813@outlook[.]com\r\n68. jiayingzhang[.]contact@gmail[.]com\r\n69. jinping0813@outlook[.]com\r\n70. jinping0824@outlook[.]com\r\n71. joko[.]setiawan9l@hotmail[.]com\r\n72. jokohjj80@hotmail[.]com\r\n73. johnas12121@hotmail[.]com\r\n74. johnbenzon510727@outlook[.]com\r\n75. jiupaladin@gmail[.]com\r\n76. jonatasfrnancisco887@gmail[.]com\r\n77. juancastiblanco1998@gmail[.]com\r\n78. julianohoffmann33@gmail[.]com\r\n79. k7407751@gmail[.]com\r\n80. kaitlyndynamofwtsc28771@outlook[.]com\r\n81. kencheng1291@proton[.]me\r\n82. kevincarol00001@gmail[.]com\r\n83. kevincarol00002@gmail[.]com\r\n84. kevinyamada71@gmail[.]com\r\n85. kik[.]ita[.]aylen701@gmail[.]com\r\n86. kingsley19960304@hotmail[.]com\r\n87. korovalerii0803@gmail[.]com\r\n88. kurnia[.]utama4q@hotmail[.]com\r\n89. lauren[.]washco@hotmail[.]com\r\n90. leahucosmin0720@gmail[.]com\r\n91. leeuna@xvism[.]site\r\n92. littebaby232355@gmail[.]com\r\n93. lucastyler195@gmail[.]com\r\n94. luis[.]fernando[.]dev1214@gmail[.]com\r\n95. luka1291@outlook[.]com\r\n96. luka1293@outlook[.]com\r\nhttps://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages\r\nPage 27 of 30\n\n97. malarkeyclayton5@gmail[.]com\r\n98. marcsanford22@gmail[.]com\r\n99. marinella@basemindway[.]com\r\n100. matiushkodenys@gmail[.]com\r\n101. matheuslealcardoso86@gmail[.]com\r\n102. matheusserra0133@gmail[.]com\r\n103. meirjacob727@gmail[.]com\r\n104. melnikoleg995@gmail[.]com\r\n105. melnicenkosergij119@gmail[.]com\r\n106. michal[.]kaim99@outlook[.]com\r\n107. milamben510@outlook[.]com\r\n108. miltonsanders1234@gmail[.]com\r\n109. mischenko0604@gmail[.]com\r\n110. mykolakostenko16@gmail[.]com\r\n111. mykolasvyryd20@gmail[.]com\r\n112. natinbusiness[.]work@gmail[.]com\r\n113. ninaquigleyfgsja22730@outlook[.]com\r\n114. oka[.]setiawanet@hotmail[.]com\r\n115. ohmlsnwz1502@hotmail[.]com\r\n116. oliverwilson1976@hotmail[.]com\r\n117. ossargd@xuseca[.]cloud\r\n118. pandaroyal48@outlook[.]com\r\n119. patterson[.]ariel@outlook[.]com\r\n120. pattersonariel988@gmail[.]com\r\n121. patrickweberman@outlook[.]com\r\n122. pavlovainerman@gmail[.]com\r\n123. peterdwtp525582@hotmail[.]com\r\n124. perumalbalak727@outlook[.]com\r\n125. pineye0212@outlook[.]com\r\n126. plyn_rider@protonmail[.]com\r\n127. proluka80518@outlook[.]com\r\n128. quongekitti8vs6cx@hotmail[.]com\r\n129. quintonverdantgsbxf26081@hotmail[.]com\r\n130. ramirezhector9299@gmail[.]com\r\n131. realonlinethiago@gmail[.]com\r\n132. reichenausteve@gmail[.]com\r\n133. riccardotala798@outlook[.]com\r\n134. robertwarr1011@gmail[.]com\r\n135. rodolfguerr717@outlook[.]com\r\n136. royalcat3982@outlook[.]com\r\n137. royalking066@outlook[.]com\r\n138. royalpandagungfu06@outlook[.]com\r\nhttps://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages\r\nPage 28 of 30\n\n139. royaltiger06@outlook[.]com\r\n140. runedrakesdmty71479@hotmail[.]com\r\n141. ryon2080@outlook[.]com\r\n142. ryon_dev_3@outlook[.]com\r\n143. ryon_dev_4@outlook[.]com\r\n144. ryon_dev_5@outlook[.]com\r\n145. ryon_dev_6@outlook[.]com\r\n146. ryonteam@outlook[.]com\r\n147. sasakidev581@gmail[.]com\r\n148. satriapkp91@hotmail[.]com\r\n149. seed1996009@outlook[.]com\r\n150. serenquasarmzfjn49235@hotmail[.]com\r\n151. sergio1997121400@gmail[.]com\r\n152. sean_tech208@hotmail[.]com\r\n153. shubertlarvp286287@hotmail[.]com\r\n154. slobodanprluv@gmail[.]com\r\n155. smartinezquitian20@gmail[.]com\r\n156. smarttmpacc@hotmail[.]com\r\n157. soft[.]business0987@gmail[.]com\r\n158. stromdev712418@gmail[.]com\r\n159. suhkuv[.]competition[.]tel@gmail[.]com\r\n160. tetianabanakh34@gmail[.]com\r\n161. terralindenwhytk82974@outlook[.]com\r\n162. timothygaffney08@gmail[.]com\r\n163. top1152025@outlook[.]com\r\n164. top6042025@outlook[.]com\r\n165. trentonwork105@gmail[.]com\r\n166. vandesaw@dewacid[.]store\r\n167. venjamindeco0305@gmail[.]com\r\n168. victoria88@celestiad[.]tech\r\n169. vinkeyasmael@hotmail[.]com\r\n170. vladkashka56@gmail[.]com\r\n171. vladzane569@gmail[.]com\r\n172. warfelbyeon95om0@hotmail[.]com\r\n173. wilderkeatingrmtuw64788@hotmail[.]com\r\n174. williammorphy37@gmail[.]com\r\n175. wondereleven1@gmail[.]com\r\n176. xinrong83@outlook[.]com\r\n177. yevheniikasymchuk@gmail[.]com\r\n178. yonismith727@outlook[.]com\r\n179. yuleseraphxyvoi89853@hotmail[.]com\r\n180. yusufsnz95@hotmail[.]com\r\nhttps://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages\r\nPage 29 of 30\n\n181. yusufuyn94@hotmail[.]com\r\n182. zanevlad3@gmail[.]com\r\n183. zybinanton241@gmail[.]com\r\nSource: https://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages\r\nhttps://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages\r\nPage 30 of 30",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://socket.dev/blog/north-korea-contagious-interview-campaign-338-malicious-npm-packages"
	],
	"report_names": [
		"north-korea-contagious-interview-campaign-338-malicious-npm-packages"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434212,
	"ts_updated_at": 1775791708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4c66e210923784ee95abd19ff9a748ee6d7e496d.pdf",
		"text": "https://archive.orkl.eu/4c66e210923784ee95abd19ff9a748ee6d7e496d.txt",
		"img": "https://archive.orkl.eu/4c66e210923784ee95abd19ff9a748ee6d7e496d.jpg"
	}
}