

Ethical Hacking News

North Korean Hackers Publish 26 Npm Packages with Malicious Payloads




North Korean threat actors have published 26 malicious npm packages that use Pastebin pastes as a dead-drop resolver for the command-and-control (C2) infrastructure of a cross-platform remote access trojan. The activity belongs to the Contagious Interview campaign, documented by Socket and by kmsec.uk's Kieran Miyamoto, and shows the group continuing to refine how it bypasses detection mechanisms.

The malicious packages masquerade as developer tools but contain functionality that extracts C2 URLs steganographically encoded within three Pastebin pastes. The payload acts as a text-steganography decoder: it contacts a Pastebin URL, extracts the paste contents and recovers the actual C2 URLs, which are hosted on Vercel.

Those domains then deliver the follow-on payloads: a remote access trojan, a keylogger, and credential and cryptocurrency-wallet stealers aimed at developers.

  • The Contagious Interview campaign has published 26 malicious packages on the npm registry that use Pastebin pastes as a dead-drop resolver for the C2 infrastructure of a cross-platform remote access trojan.
  • The packages masquerade as developer tools but contain functionality that extracts C2 URLs steganographically encoded within Pastebin pastes.
  • The payload acts as a text-steganography decoder to recover the actual C2 URLs, hosted on Vercel, and ships modules for keylogging, credential theft and file system enumeration.
  • The packages were designed to bypass detection mechanisms and evade human review, using character-level steganography and multi-stage routing through Vercel.
  • Researchers warn that typosquatting and other weaknesses in package validation remain viable routes for attackers to reach sensitive developer data.



The Contagious Interview campaign has used the npm (Node Package Manager) registry to publish 26 malicious packages that resolve their command-and-control (C2) infrastructure through steganographically encoded Pastebin pastes and deliver a cross-platform remote access trojan. The activity, tracked by Socket and by kmsec.uk's Kieran Miyamoto, is the latest sign of the North Korean operators behind the campaign refining how they bypass detection mechanisms.

According to researchers at Socket, the malicious packages masquerade as developer tools but contain functionality that extracts C2 URLs steganographically encoded within three Pastebin pastes. The pastes, which read as innocuous computer science essays, serve as a dead drop resolver that ultimately drops a developer-targeted credential stealer and remote access trojan. The payload acts as a text-steganography decoder: it contacts a Pastebin URL, extracts the paste contents and recovers the actual C2 URLs, which are hosted on Vercel.

Once a developer installs one of the packages, the malicious payload runs a script that strips zero-width Unicode characters from the paste, reads a 5-digit length marker from the beginning of the cleaned text, calculates evenly spaced character positions throughout the remainder, and extracts the character at each position. The extracted characters are then split on a ||| separator, with an ===END=== marker terminating the list, to produce an array of C2 domain names. Because the domain names exist only as characters dispersed through an essay, neither a reviewer reading the paste nor a scanner looking for URL-shaped strings sees a C2 address.
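As an added illustration, not code from the packages themselves or from Socket, the following Node.js script reconstructs the decoding steps described above and pairs them with the encoder those steps imply, so the round trip can be run offline. The cover essay and the two C2 domains are constructed sample data. The encoder details (payload characters overwriting cover characters at positions i * floor(bodyLength / payloadLength), and the 5-digit marker counting payload characters) are assumptions made to produce a self-consistent example and may differ from the real pastes; the real decoder fetches the paste from Pastebin, which this example does not do.

```javascript
// Added example: reconstruction of the Pastebin text-steganography scheme described
// on this page. Encoder layout and step calculation are assumptions, not the real code.

const ZERO_WIDTH = /[\u200B\u200C\u200D\u2060\uFEFF]/g; // characters the decoder strips
const SEP = "|||";
const END = "===END===";

// Constructed cover text: an "essay" that survives human review as ordinary prose.
const COVER_TEXT =
  "Sorting algorithms are a classic subject in computer science. Quicksort partitions " +
  "an array around a pivot and recurses on both sides, giving average case n log n time, " +
  "while merge sort divides the input in half, sorts each half, and merges the results " +
  "with a stable linear pass. Heapsort builds a binary heap in place and repeatedly " +
  "extracts the maximum, which bounds its worst case without extra memory. Insertion " +
  "sort remains the pragmatic choice for small or nearly sorted inputs.";

// Constructed sample domains (not real infrastructure).
const SAMPLE_DOMAINS = ["c2-one.example", "c2-two.example"];

// Encoder (assumed form): replaces the first 5 cover characters with a zero-padded
// length marker, overwrites evenly spaced cover characters with the payload, and
// sprinkles zero-width characters as noise the decoder must remove.
function encode(cover, domains) {
  const payload = domains.join(SEP) + END;
  if (payload.length > 99999) throw new Error("payload too long for 5-digit marker");
  const marker = String(payload.length).padStart(5, "0");
  const body = Array.from(cover).slice(5);
  if (body.length < payload.length) throw new Error("cover text too short");
  const step = Math.floor(body.length / payload.length);
  for (let i = 0; i < payload.length; i++) body[i * step] = payload[i];
  const noisy = body.map((c, i) => (i % 7 === 0 ? c + "\u200B" : c)).join("");
  return marker + noisy;
}

// Decoder: the steps the page attributes to the malicious script.
function decode(paste) {
  const clean = paste.replace(ZERO_WIDTH, "");          // 1. strip zero-width characters
  const marker = clean.slice(0, 5);                      // 2. read the 5-digit length marker
  if (!/^\d{5}$/.test(marker)) throw new Error("no length marker");
  const len = parseInt(marker, 10);
  const body = Array.from(clean.slice(5));
  if (len === 0 || body.length < len) throw new Error("marker exceeds text length");
  const step = Math.floor(body.length / len);            // 3. evenly spaced positions
  let out = "";
  for (let i = 0; i < len; i++) out += body[i * step];   // 4. extract those characters
  const endIdx = out.indexOf(END);
  if (endIdx === -1) throw new Error("termination marker missing");
  return out.slice(0, endIdx).split(SEP).filter(Boolean); // 5. split into domains
}

// Weak triage heuristic for paste hunting: a leading 5-digit marker plus any
// zero-width characters in what is supposed to be plain prose.
function looksLikeCarrier(text) {
  const zeroWidthCount = (text.match(ZERO_WIDTH) || []).length;
  return /^\d{5}/.test(text) && zeroWidthCount > 0;
}

const SAMPLE_PASTE = encode(COVER_TEXT, SAMPLE_DOMAINS);
console.log("carrier flagged:", looksLikeCarrier(SAMPLE_PASTE));
console.log("recovered C2 domains:", decode(SAMPLE_PASTE));
```

The heuristic is deliberately loose: legitimate pastes can contain zero-width characters (copy-pasted rich text often does), so it is a triage filter, not a verdict. The useful detection signal on an endpoint is the behaviour, not the paste: a freshly installed package reaching out to pastebin.com during install or first run and then to a domain it never names in its source.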

These domains serve as entry points for further malicious activity. One of them, "ext-checkdin.vercel[.]app," serves a shell script that contacts the same URL to retrieve a RAT component. The RAT then connects to 103.106.67[.]63:1244 and awaits instructions that let the operator change the current directory and execute shell commands.

The payload also ships nine modules:

  • vs plants a malicious tasks.json configured with the runOptions.runOn: "folderOpen" trigger, so VS Code contacts a Vercel domain every time a project folder is opened. The module locates the victim's VS Code configuration directory on Windows, macOS and Linux and writes the tasks.json directly into it.
  • clip acts as a keylogger, mouse tracker and clipboard stealer, tracks the active window, and exfiltrates what it has collected every 10 minutes.
  • bro is a Python payload that steals browser credential stores.
  • j is a Node.js module for browser and cryptocurrency theft. It targets Google Chrome, Brave, Firefox, Opera and Microsoft Edge, and wallet extensions including MetaMask, Phantom, Coinbase Wallet, Binance, Trust, Exodus and Keplr; on macOS it also targets the iCloud Keychain.
  • z enumerates the file system and steals files matching predefined patterns.
  • n is a RAT that gives the attacker real-time remote control of the infected host over a persistent WebSocket connection to 103.106.67[.]63:1247 and exfiltrates data of interest over FTP.
  • truffle downloads the legitimate TruffleHog secrets scanner from its official GitHub page and uses it to discover and exfiltrate developer secrets.
  • git collects files from .ssh directories, extracts Git credentials and scans repositories.
  • sched is identical to "vendor/scrypt-js/version.js" and is redeployed as a persistence mechanism.

The use of character-level steganography on Pastebin and multi-stage routing through Vercel points to an adversary that is refining its evasion techniques and trying to make its operations more resilient. Earlier waves of the Contagious Interview campaign relied on relatively straightforward malicious scripts and Bitbucket-hosted payloads; this iteration is a concerted effort to defeat both automated detection and human review.

"It's not just about the new attack vector," said Socket researchers Philipp Burckhardt and Peter van der Zee. "It's also about how we're responding to it. If we can't keep up with their tactics, then they will be the ones to gain an advantage."

The packages were published on the npm registry, a critical platform for open-source software development. npm has added security measures in recent years, including improved package validation and verification processes.

Despite those efforts, researchers say typosquatting remains a viable way for attackers to reach sensitive data. "Only a single package has been published with this new technique," said Kieran Miyamoto of kmsec.uk. "It's likely FAMOUS CHOLLIMA will continue to leverage multiple techniques and infrastructure to deliver follow-on payloads."

As attackers keep evolving their tactics, developers and organizations need to secure their software development pipelines proactively: treat unfamiliar npm packages and their install-time scripts as untrusted until reviewed, and watch for the indicators described here, including unexpected tasks.json entries in VS Code configuration directories and connections to the listed Vercel domains and IP address.




Related Information:
  • https://www.ethicalhackingnews.com/articles/North-Korean-Hackers-Publish-26-Npm-Packages-with-Malicious-Payloads-ehn.shtml

  • Published: Mon Mar 2 03:51:46 2026 by llama3.2 3B Q4_K_M













© Ethical Hacking News. All rights reserved.
