{"id":220412,"date":"2026-03-02T03:44:00","date_gmt":"2026-03-02T08:44:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/03\/02\/north-korean-hackers-publish-26-npm-packages-hiding-pastebin-c2-for-cross-platform-rat\/"},"modified":"2026-03-05T19:25:12","modified_gmt":"2026-03-06T00:25:12","slug":"north-korean-hackers-publish-26-npm-packages-hiding-pastebin-c2-for-cross-platform-rat","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/03\/02\/north-korean-hackers-publish-26-npm-packages-hiding-pastebin-c2-for-cross-platform-rat\/","title":{"rendered":"North Korean Hackers Publish 26 npm Packages Hiding Pastebin C2 for Cross-Platform RAT"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/03\/north-korean-hackers-publish-26-npm.html\">North Korean Hackers Publish 26 npm Packages Hiding Pastebin C2 for Cross-Platform RAT<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/03\/north-korean-hackers-publish-26-npm.html\">https:\/\/thehackernews.com\/2026\/03\/north-korean-hackers-publish-26-npm.html<\/a><\/p>\n<p>Publish Date: 2026-03-02 03:44:00<\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span><span class=\"author\">Mar 02, 2026<\/span><\/span><span class=\"p-tags\">Supply Chain Attack \/ Malware<\/span><\/p>\n<p>Cybersecurity researchers have disclosed a new iteration of the ongoing Contagious Interview campaign, where the North Korean threat actors have published a set of 26 malicious packages to the npm registry.<\/p>\n<p>The packages masquerade as developer tools, but contain functionality to extract the actual command-and-control (C2) by using seemingly harmless Pastebin content as a dead drop resolver and ultimately drop a developer-targeted credential stealer and remote access trojan. 
The C2 infrastructure is hosted on Vercel across 31 deployments.<\/p>\n<p>The campaign, discovered by Socket and kmsec.uk&#8217;s Kieran Miyamoto, is being tracked under the moniker StegaBin. It&#8217;s attributed to a North Korean threat activity cluster known as Famous Chollima.<\/p>\n<p>&#8220;The loader extracts C2 URLs steganographically encoded within three Pastebin pastes, innocuous computer science essays in which characters at evenly-spaced positions have been replaced to spell out hidden infrastructure addresses,&#8221; Socket researchers Philipp Burckhardt and Peter van der Zee said.<\/p>\n<p>The list of the malicious npm packages is as follows &#8211;<\/p>\n<ul>\n<li>argonist@0.41.0<\/li>\n<li>bcryptance@6.5.2<\/li>\n<li>bee-quarl@2.1.2<\/li>\n<li>bubble-core@6.26.2<\/li>\n<li>corstoken@2.14.7<\/li>\n<li>daytonjs@1.11.20<\/li>\n<li>ether-lint@5.9.4<\/li>\n<li>expressjs-lint@5.3.2<\/li>\n<li>fastify-lint@5.8.0<\/li>\n<li>formmiderable@3.5.7<\/li>\n<li>hapi-lint@19.1.2<\/li>\n<li>iosysredis@5.13.2<\/li>\n<li>jslint-config@10.22.2<\/li>\n<li>jsnwebapptoken@8.40.2<\/li>\n<li>kafkajs-lint@2.21.3<\/li>\n<li>loadash-lint@4.17.24<\/li>\n<li>mqttoken@5.40.2<\/li>\n<li>prism-lint@7.4.2<\/li>\n<li>promanage@6.0.21<\/li>\n<li>sequelization@6.40.2<\/li>\n<li>typoriem@0.4.17<\/li>\n<li>undicy-lint@7.23.1<\/li>\n<li>uuindex@13.1.0<\/li>\n<li>vitetest-lint@4.1.21<\/li>\n<li>windowston@3.19.2<\/li>\n<li>zoddle@4.4.2<\/li>\n<\/ul>\n<p>All identified packages come with an install script (&#8220;install.js&#8221;) that&#8217;s automatically executed during package installation, which, in turn, runs the malicious payload located in &#8220;vendor\/scrypt-js\/version.js.&#8221; Another common aspect that unites the 26 packages is that they explicitly declare the legitimate package they are typosquatting as a dependency, likely&#8230;<\/p>\n<p><a 
href=\"https:\/\/thehackernews.com\/2026\/03\/north-korean-hackers-publish-26-npm.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>North Korean Hackers Publish 26 npm Packages Hiding Pastebin C2 for Cross-Platform RAT https:\/\/thehackernews.com\/2026\/03\/north-korean-hackers-publish-26-npm.html Publish&#8230;<\/p>\n","protected":false},"author":1,"featured_media":220413,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhB4nJ8ODWGAqDEjQl4cCSKOtIJoGood2beXae5mc7MKzZbAYl1Ij2AX0L3CNCuUc4R4TL-DOR6bIHU6yzHfoFir_gl6jbUf_0w69pGg3tsXI92smKf02pmQPqkbyBs-eOUp0SqdGSrBH68os3R2lkTDGvGpi3R3-EThgOy_ATJKTXVqr0_ug-otA6FkeAo\/s1600\/npm.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,32],"class_list":["post-220412","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-malware"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/220412"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=220412"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/220412\/revisions"}],"predecessor-version":[{"id":220414,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/220412\/revisions\/220414"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/220413"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/m
edia?parent=220412"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=220412"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=220412"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}