Cybersecurity researchers have uncovered a fresh wave of the ongoing Contagious Interview campaign, revealing that North Korean threat actors uploaded 26 malicious packages to the npm registry. These packages were disguised as legitimate developer utilities but secretly delivered credential stealing malware and a cross platform remote access trojan (RAT).
The activity, tracked by Socket and security researcher Kieran Miyamoto of kmsec.uk, is being monitored under the name StegaBin. The campaign has been attributed to a North Korean threat cluster known as Famous Chollima.
Pastebin Used as a Stealth C2 Resolver
Unlike traditional malware campaigns that embed command and control addresses directly in malicious code, this operation relied on text based steganography.
The malicious npm packages contained an install script, install.js, which executed automatically during installation. That script triggered a payload stored in vendor/scrypt-js/version.js.
Instead of hardcoding C2 infrastructure, the malware contacted Pastebin pages that appeared to contain harmless computer science essays. Hidden within those essays were command and control URLs, encoded by altering characters at evenly spaced positions.
Researchers explained that the decoder removes zero width Unicode characters, reads a five digit length marker, calculates evenly spaced character positions, and extracts those characters. The extracted string is then split using a ||| delimiter and terminated by ===END=== to form a list of C2 domains.
The decoded infrastructure pointed to Vercel hosted servers, spread across 31 deployments, making takedown and detection more difficult.
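The decoding steps described above, written out as an analyst's extraction tool so a suspected carrier text can be checked for hidden C2 strings. This is an added example, not code from the article or from the Socket or kmsec.uk research: the article names the steps (strip zero width characters, read a five digit length marker, take evenly spaced positions, split on ||| and stop at ===END===), but the marker sitting at the very start of the cleaned text and the spacing formula floor(bodyLength / payloadLength) are assumptions made here, and the essay and hidden string are constructed sample data.

```javascript
// Added example: decoder for the Pastebin text steganography described in the
// article. Marker placement and spacing formula are assumptions, not the
// researchers' published decoder.
const ZERO_WIDTH = /[\u200B\u200C\u200D\u2060\uFEFF]/g; // common zero-width code points
const DELIMITER = "|||";
const TERMINATOR = "===END===";

// Step 1: remove zero-width characters the carrier uses as noise.
function stripZeroWidth(text) {
  return text.replace(ZERO_WIDTH, "");
}

// Step 2 (assumption): the first five digits of the cleaned text give the
// hidden payload length.
function readLengthMarker(cleaned) {
  const marker = cleaned.slice(0, 5);
  return /^\d{5}$/.test(marker) ? parseInt(marker, 10) : null;
}

// Step 3 (assumption): payload characters sit at evenly spaced positions in the
// body that follows the marker, spaced floor(body.length / payloadLength) apart.
function extractHidden(text) {
  const cleaned = stripZeroWidth(text);
  const length = readLengthMarker(cleaned);
  if (length === null || length === 0) return null;
  const body = cleaned.slice(5);
  if (body.length < length) return null;
  const step = Math.floor(body.length / length);
  let out = "";
  for (let i = 0; i < length; i++) out += body[i * step];
  return out;
}

// Step 4: split on the delimiter, stopping at the terminator. Returns [] when
// the text does not fit the scheme, so callers can treat it as "no match".
function decodeC2List(text) {
  const hidden = extractHidden(text);
  if (hidden === null) return [];
  const end = hidden.indexOf(TERMINATOR);
  if (end === -1) return [];
  return hidden.slice(0, end).split(DELIMITER).filter((s) => s.length > 0);
}

// Cheap triage signal for a paste feed: ordinary prose rarely contains
// zero-width characters at all.
function zeroWidthRatio(text) {
  const zw = (text.match(ZERO_WIDTH) || []).length;
  return text.length === 0 ? 0 : zw / text.length;
}

// Constructed cover text for the fixture below (not a captured Pastebin page).
const CONSTRUCTED_ESSAY =
  "Sorting algorithms are usually compared by their asymptotic running time, " +
  "but constant factors and memory access patterns matter just as much in " +
  "practice. Merge sort guarantees n log n comparisons, while quicksort is " +
  "faster on average because it works in place and keeps the working set in " +
  "cache. Heap sort offers the same worst case bound without extra memory, yet " +
  "its poor locality makes it slower on modern hardware. Choosing between them " +
  "therefore depends on the data and the machine.";

// Builds a carrier for the test fixture using the same layout the decoder
// assumes: marker, then the payload written into evenly spaced positions, with
// zero-width characters sprinkled after spaces as noise.
function buildConstructedCarrier(essay, payload) {
  const step = Math.floor(essay.length / payload.length);
  if (step < 1) throw new Error("cover text too short for payload");
  const chars = essay.split("");
  for (let i = 0; i < payload.length; i++) chars[i * step] = payload[i];
  const marker = String(payload.length).padStart(5, "0");
  return marker + chars.join("").replace(/ /g, " \u200B");
}

module.exports = { decodeC2List, zeroWidthRatio, buildConstructedCarrier, CONSTRUCTED_ESSAY };
```

In practice the zero width ratio is the cheap first pass over a paste feed, and decodeC2List runs only on texts that trip it; any domains it returns are candidate indicators to be confirmed against the package's network behaviour, not proof on their own.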
Malicious npm Packages Identified
The following npm packages were identified as malicious:
- argonist@0.41.0
- bcryptance@6.5.2
- bee-quarl@2.1.2
- bubble-core@6.26.2
- corstoken@2.14.7
- daytonjs@1.11.20
- ether-lint@5.9.4
- expressjs-lint@5.3.2
- fastify-lint@5.8.0
- formmiderable@3.5.7
- hapi-lint@19.1.2
- iosysredis@5.13.2
- jslint-config@10.22.2
- jsnwebapptoken@8.40.2
- kafkajs-lint@2.21.3
- loadash-lint@4.17.24
- mqttoken@5.40.2
- prism-lint@7.4.2
- promanage@6.0.21
- sequelization@6.40.2
- typoriem@0.4.17
- undicy-lint@7.23.1
- uuindex@13.1.0
- vitetest-lint@4.1.21
- windowston@3.19.2
- zoddle@4.4.2
Each package declared the legitimate library it was typosquatting as a dependency, likely to appear authentic to developers and automated scanners.
Multi Platform Payload Delivery
After decoding the infrastructure, the malware contacted domains such as ext-checkdin.vercel[.]app to retrieve platform specific payloads targeting Windows, macOS, and Linux systems.
One observed domain delivered a shell script that fetched a full RAT component. The trojan then connected to 103.106.67[.]63:1244 for instructions. Through this channel, attackers could change directories, execute shell commands, and deploy a comprehensive intelligence collection toolkit.
A separate persistent WebSocket connection to 103.106.67[.]63:1247 enabled real time remote control and FTP based data exfiltration.
Modular Intelligence Collection Framework
The RAT included nine separate modules designed for developer espionage:
- vs module created a malicious tasks.json file in the VS Code configuration directory. It leveraged the runOn folderOpen trigger to contact attacker infrastructure whenever a project was opened.
- clip module functioned as a keylogger, mouse tracker, and clipboard stealer, exfiltrating data every ten minutes.
- bro module was a Python script targeting browser credential stores.
- j module was a Node.js component that targeted browsers such as Chrome, Brave, Firefox, Opera, and Edge, along with cryptocurrency wallet extensions including MetaMask, Phantom, Coinbase Wallet, Binance, Trust, Exodus, and Keplr. On macOS, it also targeted iCloud Keychain.
- z module scanned the file system for sensitive file patterns.
- n module acted as a remote access trojan, enabling full host control.
- truffle module downloaded the legitimate TruffleHog scanner from GitHub to identify and steal secrets from repositories.
- git module harvested SSH keys, Git credentials, and repository data.
- sched module reused the original loader file as a persistence mechanism.
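Both auto-execution triggers the article describes, the npm lifecycle script that ran install.js during installation and the VS Code task with the runOn folderOpen trigger that the vs module planted, can be caught by a small audit over the two JSON files involved. The following is an added example written for this page, not code from the article or the researchers; the npm scripts field names and the VS Code runOptions.runOn field are real, while the two documents it inspects are constructed samples.

```javascript
// Added example: audit package.json and .vscode/tasks.json for the two
// automatic-execution triggers described in the article. Sample documents are
// constructed for illustration.

// npm hooks that run without any explicit user action during install.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Findings for a parsed package.json object.
function auditPackageJson(pkg) {
  const findings = [];
  const scripts = (pkg && pkg.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (typeof scripts[hook] === "string") {
      findings.push({ kind: "npm-lifecycle", hook, command: scripts[hook] });
    }
  }
  return findings;
}

// Findings for a parsed .vscode/tasks.json object. VS Code runs a task with
// runOptions.runOn === "folderOpen" when the folder is opened (once automatic
// tasks are allowed), which is the trigger the vs module abused.
function auditTasksJson(tasks) {
  const findings = [];
  for (const task of (tasks && tasks.tasks) || []) {
    const runOn = task.runOptions && task.runOptions.runOn;
    if (runOn === "folderOpen") {
      findings.push({
        kind: "vscode-folderOpen",
        label: task.label,
        type: task.type,
        command: task.command,
      });
    }
  }
  return findings;
}

// A lifecycle hook that runs a build tool is common; one that executes a loose
// .js file or reaches for a download tool deserves manual review.
function isSuspicious(finding) {
  const cmd = String(finding.command || "");
  return /\bnode\s+\S+\.js\b/.test(cmd) || /\b(curl|wget|Invoke-WebRequest|iwr)\b/i.test(cmd);
}

// Constructed samples: a typosquat-style package and a planted VS Code task.
const CONSTRUCTED_PACKAGE_JSON = {
  name: "example-lint",
  version: "1.0.0",
  scripts: { postinstall: "node install.js", test: "jest" },
  dependencies: { express: "^4.0.0" },
};

const CONSTRUCTED_TASKS_JSON = {
  version: "2.0.0",
  tasks: [
    { label: "Build", type: "shell", command: "npm run build" },
    {
      label: "Sync",
      type: "shell",
      command: "node .vscode/sync.js",
      runOptions: { runOn: "folderOpen" },
    },
  ],
};

// Run both audits and tag each finding with a review flag.
function runAudit(pkg = CONSTRUCTED_PACKAGE_JSON, tasks = CONSTRUCTED_TASKS_JSON) {
  return [...auditPackageJson(pkg), ...auditTasksJson(tasks)].map((f) => ({
    ...f,
    suspicious: isSuspicious(f),
  }));
}

// On real files: JSON.parse(fs.readFileSync("package.json", "utf8")). Note that
// VS Code's tasks.json may contain comments (JSONC) and needs them stripped first.
module.exports = { auditPackageJson, auditTasksJson, isSuspicious, runAudit };
```

On a developer workstation the same audit belongs beside a policy of installing with npm's --ignore-scripts flag (or npm config set ignore-scripts true) and of reviewing .vscode/tasks.json in any cloned repository before allowing automatic tasks, which is exactly where the runOn folderOpen trigger would otherwise fire.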
Advanced Evasion Techniques
Security experts noted that this iteration shows a clear evolution in the group’s tactics. Earlier Contagious Interview waves relied on simpler malicious scripts and Bitbucket hosted payloads. This version demonstrates deliberate attempts to bypass automated detection systems and manual code review.
By combining Pastebin steganography with multi stage routing through Vercel, the attackers significantly increased operational resilience.
Researchers also observed additional malicious npm packages such as express-core-validator that retrieved second stage payloads from Google Drive. Analysts believe Famous Chollima will continue using diverse infrastructure and techniques rather than completely changing their npm stager behavior.