North Korean Hackers Hide RAT in 26 npm Packages via Pastebin

By alex2404

North Korean hackers have published 26 malicious packages to the npm registry as part of a new wave of the Contagious Interview campaign, using text steganography to hide command-and-control infrastructure inside ordinary-looking Pastebin essays.

The campaign, tracked as StegaBin and attributed to the North Korean threat cluster Famous Chollima, was discovered by researchers at Socket and kmsec.uk’s Kieran Miyamoto. The packages masquerade as legitimate developer tools and ultimately deliver a credential stealer and a cross-platform remote access trojan (RAT) targeting Windows, macOS, and Linux.

How the Steganography Works

Each of the 26 packages includes an install script, “install.js,” that npm runs automatically as a lifecycle hook during package installation. That script triggers a malicious payload in “vendor/scrypt-js/version.js,” which fetches a Pastebin URL containing what appears to be a benign computer science essay.

The payload is actually a text steganography decoder. According to Socket researchers Philipp Burckhardt and Peter van der Zee, “the loader extracts C2 URLs steganographically encoded within three Pastebin pastes, innocuous computer science essays in which characters at evenly-spaced positions have been replaced to spell out hidden infrastructure addresses.”

Specifically, the decoder strips zero-width Unicode characters, reads a 5-digit length marker, calculates evenly-spaced character positions throughout the text, and extracts characters at those positions. Those characters are split on a ||| separator with an ===END=== termination marker to produce an array of live C2 domain names.
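To make the decoding scheme concrete, here is an added example of an encoder/decoder pair for this kind of evenly-spaced-character text steganography. It is not the campaign's loader or Socket's code; the article does not say where the 5-digit marker sits or how the spacing is derived, so this example assumes the marker occupies the first five characters of the cleaned text and that hidden character i sits at index 5 + i * step, with step = floor((textLength - 5) / payloadLength). The cover essay and the .example domain names are constructed.

```javascript
// Added example, not the campaign's loader: a minimal encoder/decoder for the
// evenly-spaced-character text steganography described above.
// ASSUMPTIONS (details the article does not give): the 5-digit length marker
// occupies the first five characters of the cleaned text, and hidden character
// i sits at index 5 + i * step, where step = floor((textLength - 5) / payloadLength).

const ZERO_WIDTH = /[\u200B\u200C\u200D\u2060\uFEFF]/g; // ZWSP, ZWNJ, ZWJ, WJ, BOM
const SEP = '|||';
const END = '===END===';
const MARKER_LEN = 5;

// Remove zero-width characters, as the loader is described as doing before decoding.
function stripZeroWidth(text) {
  return text.replace(ZERO_WIDTH, '');
}

// Indices of the hidden characters inside a cleaned cover text of coverLen characters.
function positions(coverLen, hiddenLen) {
  const step = Math.floor((coverLen - MARKER_LEN) / hiddenLen);
  if (step < 1) throw new Error('cover text too short for payload');
  return Array.from({ length: hiddenLen }, (_, i) => MARKER_LEN + i * step);
}

// Overwrite characters of a cover essay so that it carries the domain list.
function encode(cover, domains) {
  const hidden = [...domains, END].join(SEP);
  if (hidden.length > 99999) throw new Error('payload too long for a 5-digit marker');
  const chars = Array.from(cover);
  const marker = String(hidden.length).padStart(MARKER_LEN, '0');
  for (let i = 0; i < MARKER_LEN; i++) chars[i] = marker[i];
  positions(chars.length, hidden.length).forEach((p, i) => { chars[p] = hidden[i]; });
  // Add a zero-width space after every seventh character as noise; the article
  // only says the decoder strips such characters, so this is an assumption.
  return chars.map((c, i) => (i % 7 === 6 ? c + '\u200B' : c)).join('');
}

// Recover the domain list; returns [] for text that is not a valid carrier.
function decode(paste) {
  const chars = Array.from(stripZeroWidth(paste));
  const hiddenLen = parseInt(chars.slice(0, MARKER_LEN).join(''), 10);
  if (!Number.isInteger(hiddenLen) || hiddenLen <= 0) return [];
  let pos;
  try {
    pos = positions(chars.length, hiddenLen);
  } catch (e) {
    return []; // marker claims more characters than the text can hold
  }
  const tokens = pos.map((p) => chars[p]).join('').split(SEP);
  const endIdx = tokens.indexOf(END);
  return endIdx === -1 ? [] : tokens.slice(0, endIdx);
}

// Constructed cover essay and constructed, non-routable domain names.
const COVER = (
  'A hash table stores key-value pairs in an array of buckets and resolves ' +
  'collisions by chaining or by open addressing. '
).repeat(3);
const DOMAINS = ['c2-one.example', 'c2-two.example'];

const paste = encode(COVER, DOMAINS);
console.log(paste.slice(0, 60)); // still reads like an essay, with a few altered characters
console.log(decode(paste));      // [ 'c2-one.example', 'c2-two.example' ]
```

The decoder deliberately returns an empty list rather than throwing when the marker is not numeric, when it claims more characters than the text holds, or when the ===END=== terminator is missing; a detection rule built on this logic would treat any non-empty result from a paste that otherwise reads as prose as a strong signal.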

The C2 infrastructure itself runs on Vercel across 31 deployments. All 26 packages also explicitly declare the legitimate package they are typosquatting as a dependency, a tactic likely intended to pass surface-level credibility checks.
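The two manifest-level traits reported above, an install-phase lifecycle script and a dependency on the very package the malicious one is named after, are cheap to check before anything runs. The following added example is a triage heuristic written for this article, not Socket's tooling or any code from the packages; the package names in the sample manifests are constructed, and the edit-distance threshold of 2 is an assumption.

```javascript
// Added example, not from the article or Socket's tooling: a triage heuristic for
// an npm package.json object, keyed on two traits reported for these packages:
// an install-phase lifecycle script, and a dependency whose name is a near
// duplicate of the package's own name. All package names here are constructed.

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Classic Levenshtein distance (single-row variant): number of single-character
// insertions, deletions or substitutions needed to turn a into b.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Return human-readable findings for one parsed package.json. maxDistance = 2 is
// an assumed threshold; tune it against your own registry data.
function triageManifest(pkg, maxDistance = 2) {
  const findings = [];
  const name = pkg.name || '';
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) findings.push(`lifecycle hook "${hook}" runs: ${scripts[hook]}`);
  }
  // devDependencies are not installed for consumers, so only runtime deps matter here.
  const deps = Object.keys({ ...(pkg.dependencies || {}), ...(pkg.optionalDependencies || {}) });
  for (const dep of deps) {
    const d = editDistance(name, dep);
    if (d > 0 && d <= maxDistance) {
      findings.push(`name "${name}" is ${d} edit(s) from dependency "${dep}"`);
    }
  }
  return findings;
}

// Constructed manifest mimicking the reported pattern (names are made up).
const SUSPICIOUS = {
  name: 'acme-validatorr',
  version: '1.0.3',
  scripts: { install: 'node install.js' },
  dependencies: { 'acme-validator': '^2.1.0' },
};

// Constructed manifest with neither trait.
const CLEAN = {
  name: 'left-pad-demo',
  version: '1.0.0',
  dependencies: { lodash: '^4.17.21' },
};

console.log(triageManifest(SUSPICIOUS)); // two findings
console.log(triageManifest(CLEAN));      // []
```

Two caveats: a look-alike name can differ from its target by more than a couple of edits (a dropped scope, a swapped word), so this catches only the simplest squats, and a manifest check says nothing about code pulled at runtime. For the install-hook half specifically, `npm install --ignore-scripts` (or `ignore-scripts=true` in .npmrc) prevents lifecycle hooks such as install.js from running at all, at the cost of breaking packages that legitimately depend on them.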

What the RAT Can Do

Once the C2 domains have been decoded, the malware fetches platform-specific payloads from them. One identified domain, ext-checkdin.vercel[.]app, serves a shell script that retrieves a RAT component; the RAT then connects to 103.106.67[.]63:1244 and awaits instructions.

The trojan deploys nine distinct modules covering surveillance and exfiltration; the reported capabilities include:

  • Microsoft Visual Studio Code persistence
  • Keylogging and clipboard theft
  • Browser credential harvesting
  • TruffleHog secret scanning
  • Git repository and SSH key exfiltration

The target profile is clearly developers, particularly those with access to source code repositories, secrets, and cloud credentials.

An Evolving Evasion Strategy

Socket noted that previous Contagious Interview waves relied on simpler malicious scripts and Bitbucket-hosted payloads. This iteration shows a deliberate shift toward layered evasion, combining steganography, multi-stage Vercel routing, and typosquatted package dependencies to survive both automated scanning and manual review.

Separately, Famous Chollima was also observed publishing malicious npm packages, including one called express-core-validator, that fetch next-stage JavaScript payloads hosted on Google Drive. Miyamoto noted that only a single package using that technique has appeared so far, and it likely signals parallel experimentation rather than a wholesale change in tactics. “It is unlikely this signals a complete overhaul of their stager behaviour on npm,” he said.

The group appears to be running multiple delivery methods in parallel, testing which evasion approaches hold up longest before defenders adapt.


This article is a curated summary based on third-party sources.
