North Korean threat actor Famous Chollima, associated with the notorious Lazarus Group, has launched a new cyber assault campaign known as ‘StegaBin.’ This campaign involves the deployment of 26 malicious npm packages that are designed to steal sensitive information from developer environments using advanced techniques.
The StegaBin campaign employs a method called typosquatting, where malicious packages are named similarly to popular npm libraries, deceiving developers into unintentionally installing them. These packages further complicate detection by using Pastebin steganography, hiding command and control (C2) infrastructure within otherwise benign-looking text.
Upon installation, the packages initiate a multi-stage infection process. An installation script decodes hidden C2 URLs, retrieves platform-specific shell payloads, and installs a Remote Access Trojan (RAT) along with a sophisticated nine-module infostealer toolkit. These tools target various sensitive assets including:
<ul>
<li>SSH keys</li>
<li>Git credentials</li>
<li>Browser credential stores</li>
<li>Cryptocurrency wallet extensions</li>
<li>VSCode configurations (using whitespace-hidden persistence)</li>
<li>Clipboard and keylogging activities</li>
<li>TruffleHog secret scanning</li>
<li>Comprehensive filesystem searches for sensitive files</li>
</ul>
The inclusion of Hardhat as a dependency underscores the targeting of Web3 and blockchain developers, with a focus on cryptocurrency theft. The campaign shows significant advancement from earlier operations, such as the Contagious Interview campaign, with enhancements like RC4 encryption for improved evasion, control flow flattening, and multi-stage routing over Vercel deployments.
Remarkably, Socket’s AI-powered threat detection system was able to identify all 26 malicious packages within six minutes of their publication, indicating the growing sophistication in cybersecurity measures against such threats. These developments highlight the ongoing cyber threats posed by state-sponsored groups and the pressing need for vigilance in software supply chain security.

Collections

North Korean threat actor Famous Chollima (Lazarus Group) has deployed 26 malicious npm packages in a campaign dubbed 'StegaBin.' The packages use typosquatting to impersonate popular libraries and employ Pastebin steganography to hide C2 infrastructure. Once installed, they trigger a multi-stage infection chain that installs a RAT and a nine-module infostealer targeting SSH keys, Git credentials, browser credentials, crypto wallet extensions, VSCode configs, clipboard/keylogging data, and more. The campaign specifically targets Web3 and blockchain developers via a Hardhat dependency. Improvements over prior operations include RC4 encryption, control flow flattening, and multi-stage routing via Vercel. Socket's AI detection flagged all 26 packages within six minutes of publication.

North Korean 'StegaBin' Campaign: Malicious npm Packages Targeting Developers

Thanks, it would be good to know actionable recommendations to take into consideration by software development teams, tech companies and organizations in general that have internal dev teams.