New Delhi | Cybersecurity researchers have issued a warning about a new threat campaign allegedly linked to North Korean hacker groups, claiming that 26 suspicious npm packages were published to target the developer community. The packages were reportedly disguised as legitimate development tools but contained hidden mechanisms designed to establish communication with remote command-and-control (C2) servers.
Security analysts said the operation may be a new variant of the ongoing “Contagious Interview” cyber campaign. In this version, attackers are believed to have used Pastebin-based steganography techniques to conceal malicious infrastructure addresses within seemingly harmless text files.
The investigation suggests that the 26 packages were uploaded to the npm registry and designed to appear as standard development utilities. Researchers claimed that typosquatting methods were also used, where package names were created to closely resemble popular legitimate libraries in an attempt to trick developers into accidental installation.
Experts said such naming strategies could bypass automated security scanning systems and manual review processes by exploiting human error and trust assumptions in software supply chains.
Each package reportedly contained an installation script that activated automatically once the package was downloaded. The script executed a suspicious payload located in a file named “vendor/scrypt-js/version.js”. The payload was designed to read Pastebin content and decode hidden C2 server addresses.
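Install-time lifecycle hooks are the mechanism that lets a package run code the moment it is downloaded, so a defender's first check on a dependency tree is simply to list every package that declares one and inspect the file it points at. The following script is an added example written for this article, not code from the researchers or from the packages described; it builds a constructed, throwaway `node_modules` tree (the package names `clean-helper-lib` and `placeholder-suspicious-pkg` are placeholders, and the vendored file is an empty stand-in) and audits it for `preinstall`, `install`, `postinstall` and `prepare` scripts.

```python
import json
import tempfile
from pathlib import Path

# npm lifecycle hooks that run automatically during "npm install"
# (assumption: this is the subset a reviewer cares about; "prepare" runs for
# the root package and git dependencies rather than for every registry package)
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def lifecycle_scripts(manifest: dict) -> dict:
    """Return {hook: command} for every install-time hook declared in a parsed package.json."""
    scripts = manifest.get("scripts") or {}
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def audit_node_modules(root) -> list:
    """Walk an installed tree and list every package that declares an install-time hook.

    Each finding records the package name, the manifest path and the hook commands,
    so a reviewer can open the referenced file (for example a vendored .js) before
    trusting the package.
    """
    findings = []
    for pkg_json in sorted(Path(root).rglob("package.json")):
        try:
            manifest = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest cannot declare hooks; skip it
        if not isinstance(manifest, dict):
            continue
        hooks = lifecycle_scripts(manifest)
        if hooks:
            findings.append({
                "package": manifest.get("name", pkg_json.parent.name),
                "manifest": str(pkg_json),
                "hooks": hooks,
            })
    return findings


def build_demo_tree() -> str:
    """Create a constructed node_modules tree with one clean and one hook-bearing package.

    Package names and contents are placeholders for demonstration, not real registry packages.
    """
    root = Path(tempfile.mkdtemp(prefix="node_modules_demo_"))

    clean = root / "clean-helper-lib"
    clean.mkdir()
    (clean / "package.json").write_text(json.dumps({
        "name": "clean-helper-lib", "version": "1.0.0",
        "scripts": {"test": "node test.js"},
    }), encoding="utf-8")

    hooked = root / "placeholder-suspicious-pkg"
    (hooked / "vendor" / "scrypt-js").mkdir(parents=True)
    # Empty stand-in for the file the hook would execute; the real payload is not reproduced here.
    (hooked / "vendor" / "scrypt-js" / "version.js").write_text("// placeholder\n", encoding="utf-8")
    (hooked / "package.json").write_text(json.dumps({
        "name": "placeholder-suspicious-pkg", "version": "0.0.1",
        "scripts": {"postinstall": "node vendor/scrypt-js/version.js"},
    }), encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    for finding in audit_node_modules(build_demo_tree()):
        print(finding["package"], finding["hooks"])
```

Run it against a real project by calling `audit_node_modules("./node_modules")`; every hit deserves a look at the referenced script before the package is kept. For the install itself, `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) prevents hooks from running at all, which turns this class of dropper into an inert file on disk.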
Security researchers stated that the Pastebin documents appeared to be normal computer science essays, but contained steganographically embedded network information. The decoding algorithm reportedly removed zero-width Unicode characters, read a five-digit length marker at the beginning of the text, and extracted characters at evenly spaced positions to reconstruct the actual list of server domains.
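For an analyst, the decoding routine described above is also a detection signal: a paste that is supposed to be an essay has no reason to carry zero-width code points or to open with a five-digit number. The script below is an added example for this article, not the researchers' tooling or the malware's own decoder. It counts zero-width characters as a triage heuristic and then reverses the described scheme over a constructed fixture (the hidden list `a.test,b.test` and the cover text are made up for the demonstration). The report does not state the exact spacing rule, so the stride used here, `len(body) // count`, is an assumption.

```python
# Zero-width code points commonly used as invisible padding
# (assumption: this set is illustrative; a real analysis tool would extend it)
ZERO_WIDTH = frozenset("\u200b\u200c\u200d\u2060\ufeff")
MARKER_LEN = 5  # the report describes a five-digit length marker


def count_zero_width(text: str) -> int:
    """Triage heuristic: how many zero-width code points a fetched paste contains."""
    return sum(1 for ch in text if ch in ZERO_WIDTH)


def strip_zero_width(text: str) -> str:
    """Remove every zero-width code point, the first step of the described decoder."""
    return "".join(ch for ch in text if ch not in ZERO_WIDTH)


def decode_hidden_list(text: str) -> list:
    """Reverse the described scheme: strip zero-width characters, read the five-digit
    count, then take characters at evenly spaced offsets in the remaining body.

    Assumption: "evenly spaced" is taken to mean a fixed stride of len(body) // count,
    sampling body[0], body[stride], body[2 * stride], ...; the report gives no exact rule.
    """
    clean = strip_zero_width(text)
    marker, body = clean[:MARKER_LEN], clean[MARKER_LEN:]
    if len(marker) != MARKER_LEN or not marker.isdigit():
        raise ValueError("no numeric length marker at start of text")
    count = int(marker)
    if count == 0 or len(body) < count:
        raise ValueError("length marker inconsistent with body size")
    stride = len(body) // count
    hidden = "".join(body[i * stride] for i in range(count))
    return [item for item in hidden.split(",") if item]


# Constructed fixture (not a real paste): the 13 hidden characters "a.test,b.test"
# sit at offsets 0, 4, 8, ... of a 52-character body, i.e. one hidden character
# at the start of each 4-character chunk below.
_CHUNKS = ["a mo", ". Th", "t is", "e wa", "s sh", "t pl", ", an",
           "b ca", ". Ab", "t er", "e cu", "s ha", "t el"]
SAMPLE_CLEAN = "00013" + "".join(_CHUNKS)
# Insert two zero-width characters, as the described pastes did, to exercise the strip step.
SAMPLE_PASTE = SAMPLE_CLEAN[:3] + "\u200b" + SAMPLE_CLEAN[3:20] + "\u200c" + SAMPLE_CLEAN[20:]


if __name__ == "__main__":
    print("zero-width characters:", count_zero_width(SAMPLE_PASTE))
    print("decoded list:", decode_hidden_list(SAMPLE_PASTE))
```

Applied to content fetched by a package at install time, a non-zero `count_zero_width` result or a successful `decode_hidden_list` call is enough to quarantine the package for manual review; egress monitoring for install-time requests to paste services is the complementary network-side check.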
The malware was designed for cross-platform operation. According to the report, decoded domains were capable of delivering separate payloads for Windows, macOS and Linux systems. A suspicious domain, “ext-checkdin.vercel.app”, was reportedly used as a shell script server to trigger the RAT module.
Analysts said the trojan used WebSocket-based communication to connect with servers such as 103.106.67.63:1244 and 103.106.67.63:1247 to receive real-time commands. The malware allegedly contained nine functional modules capable of data exfiltration and system control.
The primary modules reportedly included VS Code persistence mechanisms, keylogging and clipboard monitoring, browser credential harvesting, and cryptocurrency wallet extension targeting. The malware was also said to employ TruffleHog scanning techniques to locate developer secrets stored in repositories.
Researchers believe the campaign uses a multi-stage delivery architecture to avoid detection. Character-level Pastebin steganography combined with cloud infrastructure hosted on Vercel was reportedly used to make tracking and forensic analysis more difficult.
The activity has been tentatively associated with the North Korea-linked threat cluster known as Famous Chollima, although no official confirmation has been provided by authorities.
Security experts advised developers to carefully verify the source of npm packages before installation and avoid downloading unnecessary libraries. Authorities are also monitoring supply-chain attack vectors as such operations can lead to large-scale data breaches. The investigation into the suspected campaign is ongoing.
