Contagious Trader campaign - Coordinated weaponisation of cryptocurrency trading bots by suspected DPRK malware operators
ID: 2f0d0dd9-907e-54d4-a9c0-a2822358f610
STIX ID: report--2f0d0dd9-907e-54d4-a9c0-a2822358f610
Feed Name: KMsec blog
This report documents the 'Contagious Trader' campaign: a highly distributed malware operation that poisons GitHub cryptocurrency trading bot projects and npm packages to steal private keys and other sensitive data, exfiltrate files to actor-controlled endpoints or databases, and establish SSH backdoors. The author enumerates multiple infection vectors (HTTP(S) endpoints, direct DB exfiltration, malicious npm postinstall scripts, and Rust variants), catalogs ~30 malicious GitHub repositories, 37 npm packages, 23 domains/IPs and other IOCs, and presents operational overlaps and infrastructure usage consistent with DPRK-linked FAMOUS CHOLLIMA activity.
