North Korean Hackers Publish 26 npm Packages Hiding Pastebin C2 for Cross-Platform RAT

Ravie LakshmananMar 02, 2026Supply Chain Attack / Malware

Cybersecurity researchers have disclosed a new iteration of the ongoing Contagious Interview campaign, where the North Korean threat actors have published a set of 26 malicious packages to the npm registry.

The packages masquerade as developer tools, but contain functionality to extract the actual command-and-control (C2) by using seemingly harmless Pastebin content as a dead drop resolver and ultimately drop a developer-targeted credential stealer and remote access trojan. The C2 infrastructure is hosted on Vercel across 31 deployments.

The campaign, discovered by Socket and kmsec.uk’s Kieran Miyamoto, is being tracked under the moniker StegaBin. It’s attributed to a North Korean threat activity cluster known as Famous Chollima.

“The loader extracts C2 URLs steganographically encoded within three Pastebin pastes, innocuous computer science essays in which characters at evenly-spaced positions have been replaced to spell out hidden infrastructure addresses,” Socket researchers Philipp Burckhardt and Peter van der Zee said.

The list of the malicious npm packages is as follows –

All identified packages come with an install script (“install.js”) that’s automatically executed during package installation, which, in turn, runs the malicious payload located in “vendor/scrypt-js/version.js.” Another common aspect that unites the 26 packages is that they explicitly declare the legitimate package they are typosquatting as a dependency, likely…

Source