North Korean threat actors have published 26 malicious npm packages that use steganography to hide command-and-control infrastructure, delivering a sophisticated cross-platform RAT capable of stealing credentials, browser data, and developer secrets.
Researchers at Socket have uncovered a supply chain attack in which North Korean threat actors published 26 malicious packages to the npm registry, marking a new evolution of the ongoing Contagious Interview campaign. The packages, tracked under the moniker StegaBin, masquerade as legitimate developer tools while carrying a multi-stage loader and malware toolkit designed to steal credentials and establish remote access to infected systems.
The Steganographic Deception
The packages hide their command-and-control infrastructure in an unusual place. Rather than carrying C2 addresses in the code itself, the loader recovers them from seemingly harmless Pastebin content using character-level steganography. As Socket researchers Philipp Burckhardt and Peter van der Zee explained, "The loader extracts C2 URLs steganographically encoded within three Pastebin pastes, innocuous computer science essays in which characters at evenly-spaced positions have been replaced to spell out hidden infrastructure addresses."
This makes the C2 much harder to find by static review: the package code contains no C2 address, and the pastes read as ordinary educational material about computer science. The decoder strips zero-width Unicode characters, reads a 5-digit length marker, computes evenly spaced character positions across the text, and collects the characters at those positions to produce an array of C2 domain names.
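The following is an added example written for this page, not the StegaBin loader's own code: an encoder and decoder pair for the scheme just described, so the four decoder steps (strip zero-width characters, read the length marker, compute the stride, pick the characters) can be seen end to end. Where the report does not say how the pieces fit, the code assumes: the 5-digit marker is the first five characters of the paste, hidden character i sits at position i * floor(len / n), and domains are comma-separated. The essay, the domains and the zero-width noise are constructed.

```javascript
// Added example, not the StegaBin loader: encoder/decoder for the
// character-level steganography the report describes.
// ASSUMPTIONS (not stated in the report): the 5-digit length marker is the
// first five characters of the paste, hidden character i sits at index
// i * floor(len / n) of the marker-less text, and domains are comma-separated.
const ZERO_WIDTH = /[\u200B-\u200D\u2060\uFEFF]/g;

function stripZeroWidth(text) {
  return text.replace(ZERO_WIDTH, "");
}

// Carrier = marker + cover text with the payload written over evenly spaced
// positions, then zero-width joiners sprinkled in as invisible noise.
function encodeC2(cover, domains) {
  const payload = domains.join(",");
  const body = stripZeroWidth(cover).split("");
  const n = payload.length;
  if (n === 0 || n > 99999 || n > body.length) {
    throw new Error("payload does not fit the cover text");
  }
  const step = Math.floor(body.length / n);
  for (let i = 0; i < n; i++) body[i * step] = payload[i];
  const marker = String(n).padStart(5, "0");
  const noisy = body.map((c, i) => (i % 7 === 6 ? c + "\u200D" : c)).join("");
  return marker + noisy;
}

// Mirror of the decoder steps in the report: strip zero-width characters,
// read the length marker, compute the stride, pick the characters, split.
function decodeC2(paste) {
  const text = stripZeroWidth(paste);
  const n = parseInt(text.slice(0, 5), 10);
  if (!Number.isInteger(n) || n <= 0) throw new Error("no length marker");
  const body = text.slice(5);
  const step = Math.floor(body.length / n);
  if (step === 0) throw new Error("paste shorter than declared payload");
  let hidden = "";
  for (let i = 0; i < n; i++) hidden += body[i * step];
  return hidden.split(",");
}

// Constructed cover text in the style of the "computer science essay" pastes.
const SAMPLE_ESSAY =
  "Sorting is one of the oldest problems in computer science. Insertion sort " +
  "grows a sorted prefix one element at a time, while merge sort splits the " +
  "input in half, sorts each half recursively and merges the results. " +
  "Quicksort chooses a pivot and partitions the array around it. Comparing " +
  "these algorithms is how most students first meet asymptotic notation.";

// Hypothetical domains; these are not indicators from the report.
const HIDDEN_DOMAINS = ["c2-a.example", "c2-b.example"];

const SAMPLE_PASTE = encodeC2(SAMPLE_ESSAY, HIDDEN_DOMAINS);
console.log(SAMPLE_PASTE.slice(0, 60) + "...");
console.log(decodeC2(SAMPLE_PASTE)); // [ 'c2-a.example', 'c2-b.example' ]
```

Pasted into a browser, the carrier still reads as the essay with a few misspelled words; a grep of the paste for a domain finds nothing, because the domain never appears as a contiguous string. Detection therefore has to key on the loader behaviour (an npm install fetching raw Pastebin content) rather than on the paste body.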
The 26 Malicious Packages
The report enumerates all 26 packages by name and pinned version; that list is not preserved in this copy of the page.
Every package carries an install script ("install.js") that npm runs automatically through the install lifecycle hook, which in turn executes the malicious payload at "vendor/scrypt-js/version.js". Notably, each package declares the legitimate package it typosquats as a dependency, likely so the manifest looks credible to developers who inspect it.
Multi-Platform Malware Infrastructure
Once installed, the malware establishes a comprehensive intelligence collection suite with nine distinct modules:
VS Code Persistence (vs module): Writes a .vscode/tasks.json whose task is configured with runOptions.runOn set to "folderOpen", so VS Code re-launches the payload every time the project folder is opened, ensuring persistent access.
Keylogging and Clipboard Theft (clip module): Acts as a keylogger, mouse tracker, and clipboard stealer with active window tracking, exfiltrating data every 10 minutes.
Browser Credential Harvesting (bro module): A Python payload targeting browser credential stores across multiple platforms.
Cryptocurrency Theft (j module): A Node.js module targeting Google Chrome, Brave, Firefox, Opera, and Microsoft Edge, along with extensions like MetaMask, Phantom, Coinbase Wallet, Binance, Trust, Exodus, and Keplr. On macOS, it also targets the iCloud Keychain.
File System Enumeration (z module): Scans the file system and steals files matching predefined patterns.
Remote Access Trojan (n module): Establishes a persistent WebSocket connection to 103.106.67[.]63:1247, allowing real-time remote control and FTP-based data exfiltration.
Secret Scanning (truffle module): Downloads the legitimate TruffleHog secrets scanner to discover and exfiltrate developer secrets.
Git Repository Theft (git module): Collects files from .ssh directories, extracts Git credentials, and scans repositories.
Persistence Mechanism (sched module): Redeploys the initial payload as a persistence mechanism.
Attribution and Campaign Context
The campaign is attributed to the North Korean threat activity cluster known as Famous Chollima, which has been actively targeting developers through supply chain attacks. The C2 infrastructure is hosted on Vercel across 31 deployments, a further example of the group using legitimate cloud services to host malicious infrastructure.
This represents an evolution from previous Contagious Interview campaign tactics, which relied on more straightforward malicious scripts and Bitbucket-hosted payloads. The use of character-level steganography on Pastebin and multi-stage Vercel routing indicates an adversary refining its evasion techniques to make operations more resilient against detection.
Recent Developments
In addition to the 26 packages, researchers have observed Famous Chollima publishing malicious npm packages like "express-core-validator" to fetch next-stage JavaScript payloads hosted on Google Drive. According to Kieran Miyamoto from kmsec.uk, "Only a single package has been published with this new technique. It is likely Famous Chollima will continue to leverage multiple techniques and infrastructure to deliver follow-on payloads."
Protection and Detection
Organizations should implement the following measures to protect against this threat:
Package Verification: Review packages before installation and treat lifecycle hooks (preinstall, install, postinstall) and near-miss names as red flags. Running installs with npm's ignore-scripts option prevents an install.js from running at all, at the cost of breaking packages that legitimately build native code on install.
Network Monitoring: Alert on connections to the known indicators, in particular the WebSocket C2 at 103.106.67[.]63:1247, and on developer tooling (node, npm) fetching content from Pastebin or Vercel-hosted endpoints during a package install.
Endpoint Detection: Deploy EDR that can catch the behaviors described above: npm or node processes writing .vscode/tasks.json, reading .ssh directories and browser credential stores, downloading TruffleHog, and opening outbound WebSocket connections.
Developer Education: Train developers to recognize typosquatting attempts and suspicious package characteristics.
Supply Chain Security: Use tools like Socket that can detect malicious packages before installation.
This campaign demonstrates the evolving sophistication of North Korean cyber operations, particularly their focus on targeting the software development supply chain to gain access to valuable intellectual property and credentials. The combination of steganography, legitimate cloud infrastructure, and multi-platform malware makes this a particularly challenging threat to detect and mitigate.