Cybersecurity researchers have uncovered a new North Korean campaign called StegaBin that uses 26 malicious npm packages to target developers with credential stealers and remote access trojans. Attributed to the Famous Chollima group, the operation employs steganography to hide command-and-control addresses within seemingly innocent Pastebin essays.
North Korean threat actors have launched a new wave of attacks targeting software developers through the npm registry by publishing dozens of malicious packages designed to look like legitimate tools. This campaign, identified by researchers as StegaBin, is part of the broader Contagious Interview operation attributed to the Famous Chollima group. The attackers use typosquatting techniques, naming their packages similarly to popular libraries and even listing the authentic versions as dependencies to evade suspicion and gain credibility during the installation process.
When a developer installs one of these infected packages, a hidden script automatically triggers a multi-stage infection process. The malware acts as a loader that reaches out to specific Pastebin URLs containing what appear to be ordinary essays on computer science topics. However, these texts serve as dead drop resolvers, hiding command-and-control infrastructure addresses through a sophisticated steganographic method. The loader is programmed to extract characters at specific, evenly spaced intervals within the text to reconstruct the actual malicious domains.
The decoder used in this campaign is particularly precise, stripping away invisible Unicode characters and reading length markers to find the hidden data. By decoding these innocuous-looking essays, the malware identifies a series of URLs hosted on the Vercel platform. Once the command-and-control addresses are retrieved, the malware contacts them to download secondary payloads tailored specifically for the victim's operating system, whether they are using Windows, macOS, or Linux.
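As an added example, not code from the article or from the researchers who analysed the campaign, here is a small Python triage check over a package.json that flags the two installation-time signals described above: lifecycle hooks that reference the paste and hosting services named in the article, and a dependency whose name is a near-miss of the package's own name (the "list the authentic version as a dependency" trick). The host list, the edit-distance threshold and the sample package are assumptions constructed for illustration.

```python
import json
from typing import Dict, List

# Lifecycle hooks npm runs automatically at install time; a loader planted here
# executes without the developer ever calling the package.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Services the article names as dead-drop and payload hosting (assumed list).
SUSPICIOUS_HOSTS = ("pastebin.com", "vercel.app")

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot near-miss (typosquat) names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage_package(pkg: Dict) -> List[str]:
    """Return findings for one parsed package.json (empty list == nothing flagged)."""
    findings = []
    name = pkg.get("name", "")
    scripts = pkg.get("scripts", {})
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        findings.append(f"install-time hook '{hook}': {cmd}")
        for host in SUSPICIOUS_HOSTS:
            if host in cmd:
                findings.append(f"hook '{hook}' references {host}")
    deps: Dict[str, str] = {}
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(pkg.get(field, {}))
    for dep in deps:
        d = edit_distance(name.lower(), dep.lower())
        if 0 < d <= 2:  # threshold is an assumption; tune for your registry
            findings.append(f"depends on near-identical name '{dep}' (distance {d})")
    return findings

def triage_json(text: str) -> List[str]:
    """Convenience wrapper: triage a raw package.json string."""
    return triage_package(json.loads(text))

# Constructed sample, not a real package: a typosquat that depends on the genuine
# library and reaches a paste site from its postinstall hook (placeholder URL).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "expresss",
    "version": "4.18.2",
    "dependencies": {"express": "^4.18.2"},
    "scripts": {"postinstall": "node loader.js https://pastebin.com/raw/PLACEHOLDER"},
})

if __name__ == "__main__":
    for line in triage_json(SAMPLE_PACKAGE_JSON):
        print(line)
```

Run it against every package.json under node_modules after an install (or in CI before merging a lockfile change) to surface packages that deserve a manual look; `npm install --ignore-scripts` stops the hook from running while you review.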
The final stage of the attack involves the deployment of a remote access trojan that establishes a connection with a hardcoded IP address to receive instructions. This trojan gives the attackers the ability to execute shell commands and navigate the victim’s file system. It is part of a comprehensive intelligence-gathering suite designed to compromise the developer’s environment by stealing sensitive information and ensuring the attackers maintain access over time.
This malicious suite includes specialized modules for harvesting browser credentials, logging keystrokes, and capturing clipboard data. Beyond simple data theft, the malware is specifically tuned for development environments, featuring tools to scan for secrets using TruffleHog and exfiltrate highly sensitive assets like SSH keys, Git repositories, and VS Code configurations. This highlights a persistent strategy by North Korean actors to infiltrate the software supply chain by targeting the very people who build it.
Source: North Korean Hackers Publish 26 npm Packages Hiding Pastebin C2 RAT