Threat Advisories

North Korean “StegaBin” Supply Chain Attack via 26 Malicious npm Packages

Written by Integrity360 | Mar 4, 2026 12:05:16 PM

Cybersecurity researchers have uncovered a new wave of supply-chain attacks attributed to North Korean state-aligned threat actors, involving the publication of 26 malicious npm packages posing as legitimate developer tools. The campaign, tracked as “StegaBin”, uses Pastebin-based steganography to conceal command and control (C2) endpoints and ultimately deploys credential stealers and a cross-platform remote access trojan (RAT). The infrastructure supporting these operations spans 31 Vercel deployments, highlighting a sophisticated and evolving threat to the global software supply chain.

Threat Actor -

  • The campaign is linked to North Korean threat activity cluster “Famous Chollima.”
  • The operation aligns with previously observed North Korean tactics involving supply-chain infiltration and developer-targeted malware.

Technical Details -

Malicious npm Packages

Researchers identified 26 npm packages including argonist, bcryptance, bubble-core, expressjs-lint, fastify-lint, mqttoken, sequelization, and others. Each package:

  • Masquerades as a legitimate developer utility
  • Includes a malicious install.js script that auto-executes upon installation
  • Typosquats real packages to appear trustworthy

Payload Delivery Mechanism

The malicious workflow involves:

  1. Install-time execution of a payload from vendor/scrypt-js/version.js
  2. Steganographic retrieval of C2 URLs from Pastebin posts (benign-looking essays containing hidden characters at calculated positions)
  3. Decoding logic that:
    • Removes zero-width Unicode characters
    • Reads a 5-digit length marker
    • Extracts characters at evenly spaced intervals to reconstruct C2 addresses

Command and Control Infrastructure

  • C2 infrastructure hosted across 31 Vercel deployments
  • Pastebin posts act as dead-drop resolvers, concealing downstream malicious service locations

Malware Capabilities

The deployed malware includes:

  • Credential stealers targeting developer environments
  • Cross-platform RATs (Windows/macOS/Linux)
  • Modules enabling:
    • Keylogging
    • Credential extraction
    • Persistent access
    • Exploitation of tools like Visual Studio Code

Impact -

This campaign presents a significant software supply-chain threat, particularly to developers and organisations heavily reliant on npm-based tooling.

Risks

  • Compromise of developer workstations, granting attackers access to sensitive credentials, tokens and API keys
  • Propagation of tainted code into downstream applications, creating secondary infection paths
  • Cross-environment persistence due to the cross-platform nature of the RAT
  • Increased difficulty in detection due to:
    • Legitimate-looking package names
    • Normal build process execution pathways

Indicators of Compromise -

Malicious Packages

The list of the malicious npm packages is as follows -

  • argonist@0.41.0
  • bcryptance@6.5.2
  • bee-quarl@2.1.2
  • bubble-core@6.26.2
  • corstoken@2.14.7
  • daytonjs@1.11.20
  • ether-lint@5.9.4
  • expressjs-lint@5.3.2
  • fastify-lint@5.8.0
  • formmiderable@3.5.7
  • hapi-lint@19.1.2
  • iosysredis@5.13.2
  • jslint-config@10.22.2
  • jsnwebapptoken@8.40.2
  • kafkajs-lint@2.21.3
  • loadash-lint@4.17.24
  • mqttoken@5.40.2
  • prism-lint@7.4.2
  • promanage@6.0.21
  • sequelization@6.40.2
  • typoriem@0.4.17
  • undicy-lint@7.23.1
  • uuindex@13.1.0
  • vitetest-lint@4.1.21
  • windowston@3.19.2
  • zoddle@4.4.2

Infrastructure Indicators

  • Pastebin URLs containing hidden C2 markers
  • Vercel-hosted malicious apps (31 deployments)

Recommended Mitigations

  • Audit all npm dependencies across projects for the listed malicious packages
  • Remove and quarantine any instances of the identified packages
  • Rotate credentials used within affected development environments
  • Conduct endpoint scans for:
    • install.js auto-execution traces
    • vendor/scrypt-js/version.js payload activity
  • Require developer workstation monitoring for abnormal outbound connections (e.g., to Pastebin, Vercel deployments)

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.