A new wave of malicious activity linked to North Korea’s long-running “Contagious Interview” campaign has been observed, with the threat actor publishing 26 malicious packages to the npm registry. The new operation, tracked by Socket and security researcher Kieran Miyamoto as “StegaBin,” has been attributed to a North Korean threat cluster known as Famous Chollima.
According to researchers, the malicious npm packages masquerade as legitimate developer utilities but contain hidden functionality designed to retrieve command-and-control (C&C) infrastructure using Pastebin as a dead drop resolver. The infrastructure itself is hosted across 31 deployments on the Vercel platform.
Each of the 26 packages includes an “install.js” script that automatically executes during installation. The script launches a malicious payload embedded in “vendor/scrypt-js/version.js.” The packages list the authentic libraries they typosquat as dependencies.
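A defender-side check for the pattern described above, as an added example that is not code from the researchers' report or from the packages themselves: it flags a manifest that both declares an install-time lifecycle script and depends on a package with a near-identical name. The package names in `SAMPLES`, the `auditManifest` and `flagged` helpers, and the edit-distance threshold of 2 are assumptions made for illustration.

```javascript
// Hooks that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Levenshtein distance between two names (single-row dynamic programming).
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let prev = row[0]; // D[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j]; // D[i-1][j]
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, prev + (a[i - 1] === b[j - 1] ? 0 : 1));
      prev = tmp;
    }
  }
  return row[b.length];
}

// Compare names without the npm scope prefix (e.g. "@scope/").
const stripScope = (name) => name.replace(/^@[^/]+\//, "");

// Audit one parsed package.json object. "suspicious" requires BOTH signals:
// an install-time hook and a dependency whose name is a near miss of its own.
function auditManifest(manifest, maxDistance = 2) {
  const scripts = manifest.scripts || {};
  const hooks = INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string");
  const own = stripScope(manifest.name || "");
  const lookalikes = Object.keys(manifest.dependencies || {}).filter((dep) => {
    const d = editDistance(own, stripScope(dep));
    return d > 0 && d <= maxDistance;
  });
  return { name: manifest.name, hooks, lookalikes, suspicious: hooks.length > 0 && lookalikes.length > 0 };
}

// Constructed sample manifests (hypothetical package names, not campaign IoCs).
const SAMPLES = [
  { name: "exampel-utils", scripts: { install: "node install.js" },
    dependencies: { "example-utils": "^1.0.0" } },            // hook + lookalike
  { name: "native-thing", scripts: { postinstall: "node build.js" },
    dependencies: { "build-helper": "^2.1.0" } },             // hook only
  { name: "colr-kit", dependencies: { "color-kit": "^3.0.0" } }, // lookalike only
];

// Names of manifests that show both signals.
const flagged = (manifests) => manifests.map((m) => auditManifest(m)).filter((r) => r.suspicious).map((r) => r.name);

console.log(flagged(SAMPLES));
```

Either signal alone is common in legitimate packages, so a hit is a prompt for manual review of the hook's target script rather than a verdict. Installing with `npm install --ignore-scripts` keeps lifecycle hooks from running while a flagged package is examined.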
The payload acts as a text steganography decoder. It fetches content from a Pastebin URL that appears to host harmless computer science essays. However, specific characters at evenly spaced positions within the text have been altered to encode hidden C&C addresses.
Once decoded, the malware contacts the C&C domains to retrieve platform-specific payloads for Windows, macOS, and Linux. One of the domains (ext-checkdin.vercel[.]app) was observed delivering a shell script that downloads a remote access trojan (RAT). The malware establishes communication with a remote server, where it awaits further instructions.
The malware includes nine distinct modules, allowing it to establish persistence in Microsoft Visual Studio Code, perform keylogging and clipboard theft, harvest browser credentials, scan for exposed secrets using TruffleHog, and exfiltrate Git repositories and SSH keys.
“The StegaBin campaign is a new iteration of the techniques used by the FAMOUS CHOLLIMA / Contagious Interview threat actors. While previous waves of the Contagious Interview campaign relied on relatively straightforward malicious scripts and Bitbucket-hosted payloads, this latest iteration demonstrates a concerted effort to bypass both automated detection and human review,” the report notes. “The use of character-level steganography on Pastebin and multi-stage Vercel routing point to an adversary that is refining its evasion techniques and attempting to make its operations more resilient.”