North Korean hackers have published 26 malicious packages to the npm registry as part of an ongoing campaign targeting software developers with credential-stealing malware and a cross-platform remote access trojan.
The campaign, discovered by researchers at Socket and security analyst Kieran Miyamoto, is being tracked under the name StegaBin and attributed to a North Korean threat cluster known as Famous Chollima. The packages disguise themselves as legitimate developer tools while concealing command-and-control infrastructure behind steganographically encoded text on Pastebin.
How the Attack Works
Each of the 26 packages ships with an install script, “install.js,” that executes automatically during package installation. That script triggers a malicious payload stored in “vendor/scrypt-js/version.js,” which then contacts a Pastebin URL to decode hidden C2 addresses.
The deception is subtle. The Pastebin pastes appear to contain ordinary computer science essays, but the decoder reads characters at evenly spaced positions throughout the text to reconstruct the actual infrastructure addresses. Socket researchers Philipp Burckhardt and Peter van der Zee described the mechanism precisely: “The decoder strips zero-width Unicode characters, reads a 5-digit length marker from the beginning, calculates evenly-spaced character positions throughout the text, and extracts the characters at those positions.” The extracted characters are then split on a “|||” separator, with an “===END===” termination marker, to produce an array of C2 domain names.
The C2 infrastructure itself runs on Vercel across 31 deployments. Once the malware resolves the live domains, it fetches platform-specific payloads for Windows, macOS, and Linux.
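As an added illustration of the decoding scheme described above (not code from Socket's report or from the malware), here is an analyst-side Python decoder for triaging a captured paste during incident response. The exact position formula (every i * (body length // count)-th character), the set of zero-width code points, and the sample paste are assumptions or constructed fixtures, since the report gives only the scheme's outline.

```python
import re

# Zero-width code points to strip first (assumed set; the report only says
# "zero-width Unicode characters").
ZERO_WIDTH = re.compile("[\u200b\u200c\u200d\u2060\ufeff]")
LENGTH_MARKER = 5           # leading 5-digit count of hidden characters
SEPARATOR = "|||"           # splits the extracted string into domains
END_MARKER = "===END==="    # terminates the hidden string

def decode_stega_paste(text: str) -> list[str]:
    """Recover the hidden domain list from a paste, or raise ValueError."""
    clean = ZERO_WIDTH.sub("", text)
    marker, body = clean[:LENGTH_MARKER], clean[LENGTH_MARKER:]
    if not marker.isdigit():
        raise ValueError("no 5-digit length marker")
    count = int(marker)
    if count == 0 or count > len(body):
        raise ValueError("length marker inconsistent with body")
    # Assumption: hidden characters sit at index i * (len(body) // count).
    step = len(body) // count
    hidden = "".join(body[i * step] for i in range(count))
    payload, found, _ = hidden.partition(END_MARKER)
    if not found:
        raise ValueError("end marker not found")
    return [d for d in payload.split(SEPARATOR) if d]

def triage_paste(text: str) -> dict:
    """Cheap indicators an analyst can log before attempting a decode."""
    result = {
        "zero_width_chars": len(ZERO_WIDTH.findall(text)),
        "has_length_marker": ZERO_WIDTH.sub("", text)[:LENGTH_MARKER].isdigit(),
        "decoded": None,
    }
    try:
        result["decoded"] = decode_stega_paste(text)
    except ValueError:
        pass
    return result

# Constructed fixture: 90-character cover text whose every third character
# spells "a.example|||b.example===END===" (30 chars, hence marker 00030),
# with a few zero-width characters sprinkled in.
SAMPLE_PASTE = (
    "00030" "\u200b"
    "alg.oreitxhmas " "marpe lsteud|ie" "\ufeff"
    "|d |inb c.omepu" "xtear mscpielnc"
    "ee =cl=as=seEs " "\u200c" "NtoDda=y =ok=ay"
)

if __name__ == "__main__":
    print(triage_paste(SAMPLE_PASTE))
```

A paste that fails the marker or end-marker checks returns `decoded: None`, so the indicator counts alone can be logged for pastes that use a variant of the scheme.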
What Gets Deployed
One identified domain, “ext-checkdin.vercel[.]app,” serves a shell script that retrieves a RAT component. The trojan connects to 103.106.67[.]63:1244 to receive instructions, enabling attackers to change directories and execute shell commands remotely.
From there, a nine-module intelligence collection suite deploys. Its capabilities include:
- Persistence through Microsoft Visual Studio Code
- Keylogging and clipboard theft
- Browser credential harvesting
- TruffleHog secret scanning
- Git repository and SSH key exfiltration
All 26 packages also explicitly declare the legitimate package they are typosquatting as a dependency, a deliberate move to appear credible to both automated scanners and human reviewers.
A More Evasion-Conscious Operation
Socket drew a direct comparison to earlier waves of the Contagious Interview campaign, which relied on simpler scripts and payloads hosted on Bitbucket. “This latest iteration demonstrates a concerted effort to bypass both automated detection and human review,” the firm concluded. “The use of character-level steganography on Pastebin and multi-stage Vercel routing points to an adversary that is refining its evasion techniques.”
Separately, Famous Chollima has also been observed using a different approach: publishing malicious npm packages such as “express-core-validator” to pull a next-stage JavaScript payload from Google Drive. Miyamoto noted that only a single package using this technique has appeared so far, and assessed that the group will likely continue running multiple techniques in parallel rather than abandoning its established playbook.
The npm registry remains a high-value target for supply chain attacks given its scale and the degree of trust developers place in third-party packages during routine installation workflows.
This article is a curated summary based on third-party sources.