Socket uncovered 26 malicious npm packages tied to North Korea's Contagious Interview campaign, retrieving a live 9-module infostealer and RAT from th...

Socket

Socket's threat research team uncovered 26 malicious npm packages linked to North Korea's FAMOUS CHOLLIMA (Lazarus Group) Contagious Interview campaign. Dubbed 'StegaBin,' the packages use character-level steganography hidden inside Pastebin essays to conceal C2 infrastructure across 31 Vercel deployments. The infection chain is multi-stage: a typosquatted package triggers an install script, which decodes hidden C2 URLs, fetches platform-specific shell payloads, and ultimately installs a RAT plus a 9-module infostealer toolkit. The modules target VSCode configs (whitespace-hidden persistence), SSH keys, Git credentials, browser credential stores, cryptocurrency wallet extensions (86 hardcoded IDs), clipboard/keylogging, TruffleHog secret scanning, and broad filesystem sweeps for sensitive files. The presence of Hardhat as a dependency confirms Web3 and blockchain developers as primary targets. All 26 packages were detected within six minutes of publication by Socket's AI-powered system.

StegaBin: 26 Malicious npm Packages Use Pastebin Steganograp...

The Payload: A 9-Module Infostealer Toolkit #

Module 2 — Keylogger + Clipboard Stealer ( clip ) #

Module 4 — Crypto Wallet Stealer ( j ) #

Module 5 — Sensitive File Search & Exfiltration RAT ( z ) #

Module 6 — Sensitive File Search & Exfiltration ( n ) #

Module 7 — TruffleHog Secret Scanner ( truffle ) #

Module 8 — Git Repository + SSH Key Theft ( git ) #