


Perceptive Security
SOC/SIEM Consultancy

North Korean Hackers Publish 26 npm Packages Hiding Pastebin C2 for Cross-Platform RAT
Published:
2 March 2026 at 08:44:00
Alert date:
2 March 2026 at 10:01:23
Source:
thehackernews.com
Supply Chain & Dependencies, Ransomware & Malware, Data Breach & Exfiltration
North Korean threat actors have published 26 malicious packages to the npm registry as part of the ongoing Contagious Interview campaign. The packages masquerade as developer tools but contain functionality to extract command-and-control (C2) information using Pastebin content as a dead drop resolver. This represents a new iteration of the campaign targeting the software supply chain through compromised npm packages.
Technical details
North Korean threat actors published 26 malicious npm packages as part of the StegaBin campaign, a new iteration of the Contagious Interview campaign. The packages masquerade as developer tools and contain install scripts that execute malicious payloads. They use steganography to hide C2 URLs inside seemingly innocent computer science essays hosted on Pastebin: the install script reads characters at evenly spaced positions in the essay to decode the infrastructure address. The malware deploys cross-platform RATs for Windows, macOS, and Linux, with nine modules covering VS Code persistence, keylogging, clipboard theft, browser credential harvesting, TruffleHog secret scanning, and Git repository exfiltration. The C2 infrastructure is hosted on Vercel across 31 deployments.
Mitigation steps:
Monitor for typosquatted npm packages that declare the legitimate package they imitate as a dependency.
Check for packages with install scripts that run automatically during installation.
Be cautious of packages that contact external URLs during installation.
Scan for the listed malicious npm packages in your environment.
Monitor for connections to the identified C2 infrastructure.
Review VS Code configurations for malicious tasks.json files.
Implement monitoring for steganographic communication patterns in Pastebin or similar services.
Affected products:
npm registry
Microsoft Visual Studio Code
Google Chrome
Brave Browser
Firefox
Opera
Microsoft Edge
MetaMask
Phantom
Coinbase Wallet
Binance
Trust Wallet
Exodus
Keplr
iCloud Keychain
Related links:
https://thehackernews.com/2026/02/fake-nextjs-repos-target-developers.html
https://kmsec.uk/blog/dprk-text-steganography/
https://socket.dev/blog/stegabin-26-malicious-npm-packages-use-pastebin-steganography
https://github.com/trufflesecurity/trufflehog
https://kmsec.uk/blog/dprk-gdrive-stager/
Related CVEs:
Related threat actors:
IOCs:
argonist@0.41.0, bcryptance@6.5.2, bee-quarl@2.1.2, bubble-core@6.26.2, corstoken@2.14.7, daytonjs@1.11.20, ether-lint@5.9.4, expressjs-lint@5.3.2, fastify-lint@5.8.0, formmiderable@3.5.7, hapi-lint@19.1.2, iosysredis@5.13.2, jslint-config@10.22.2, jsnwebapptoken@8.40.2, kafkajs-lint@2.21.3, loadash-lint@4.17.24, mqttoken@5.40.2, prism-lint@7.4.2, promanage@6.0.21, sequelization@6.40.2, typoriem@0.4.17, undicy-lint@7.23.1, uuindex@13.1.0, vitetest-lint@4.1.21, windowston@3.19.2, zoddle@4.4.2, express-core-validator, ext-checkdin.vercel[.]app, 103.106.67[.]63:1244, 103.106.67[.]63:1247, install.js, vendor/scrypt-js/version.js
This article was created with the assistance of AI technology by Perceptive.
