North Korean Actors Abuse npm Ecosystem With Steganography Based Malware

Threat Overview

On March 3, 2026, the research team at CODERED_VTA released a detailed threat bulletin exposing a new campaign by a North Korean threat actor group, informally dubbed FAMOUS CHOLLIMA. The actors have moved beyond traditional malware vectors and have begun weaponizing the open‑source JavaScript ecosystem, specifically npm packages, as a primary delivery mechanism for steganography‑based malware. This report dissects the TTPs, IOCs, and provides actionable guidance for security analysts and organizations to detect, mitigate, and defend against this evolving threat.

Malicious npm Packages

Between February 25 and 26, 2026, a total of seventeen npm packages were identified as malicious. Each package contained a malicious install.js script that overrides npm’s default installation process. When a user runs npm install, this script executes automatically, importing a heavily obfuscated JavaScript file located at vendor/scrypt-js/version.js. The file’s SHA‑256 hash is da1775d0fbe99fbc35b6f0b4a3a3cb84da3ca1b2c1bbac0842317f6f804e30a4. The script functions as a loader, fetching three Pastebin URLs, decoding hidden payloads, and resolving a list of command‑and‑control (C2) domains.

Steganographic Extraction of C2 URLs

The loader retrieves raw Pastebin content from the following links:

  • https://pastebin.com/CJ5PrtNk
  • https://pastebin.com/0ec7i68M
  • https://pastebin.com/DjDCxcsT

Each paste contains intentional typographical errors. A custom decoder extracts specific characters from the text, producing an array of 32 vercel‑hosted domains. The first domain in the list, ext-checkdin.vercel.app, is the primary C2 server; the remaining domains act as fallbacks to ensure persistence if the primary domain is taken down. The malware contacts each domain in turn, downloading a platform‑specific payload via distinct API endpoints: /api/l for Linux, /api/m for macOS, and /api/w for Windows. The retrieved payloads are benign‑looking scripts that download an additional trojan binary and execute it silently.

Infection Chain

Infection Chain Diagram

  1. npm Package Installation – A user installs a compromised package.
    2. Install Script Execution – The script triggers the malicious version.js.
    3. Pastebin Retrieval – The script fetches Pastebin content and decodes C2 URLs.
    4. C2 Contact – The malware queries the first vercel domain for a payload.
    5. Payload Download – The platform‑specific script downloads the final trojan binary.
    6. Execution – Binary runs silently, establishing persistence, collecting credentials, and exfiltrating data.

Indicators of Compromise

File Hashesda1775d0fbe99fbc35b6f0b4a3a3cb84da3ca1b2c1bbac0842317f6f804e30a4 (vendor/scrypt-js/version.js)
Registry Keys – Windows machines may show HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Parse pointing to a temporary file.
Network Artifacts – DNS queries to pastebin.com or vercel.app domains during npm install.
Process Patterns – Node.js process spawning curl or wget with a user agent of curl/7.68.0 or wget/1.20.3.

Detection & Hunting Guidance

Security analysts should focus on the following heuristics:

  • Monitor npm install events for anomalous install.js scripts.
  • Inspect outbound DNS traffic for patterns matching Pastebin or vercel domains.
  • Detect child processes spawned by Node.js that execute curl or wget with a silent flag or without a user agent.
  • Scan Windows registry for entries created by the trojan under Run keys.

Mitigation Recommendations

  1. Supply Chain Hardening – Employ npm audit, lockfile verification, and package provenance checks; use package signing and verify checksums before installation.
    2. Network Segmentation – Restrict internet access for development environments to approved mirrors; block direct Pastebin access via firewall rules.
    3. Endpoint Detection – Deploy EDR solutions that flag Node.js processes performing unapproved network calls or executing curl/wget with no user agent.
    4. Patch Management – Keep all systems, especially Node.js runtime, up to date with the latest security patches.
    5. Zero‑Trust Development Practices – Adopt strict code reviews, use trusted third‑party libraries, and enforce least‑privilege for development accounts.

Conclusion

FAMOUS CHOLLIMA’s rapid iteration of novel loading techniques demonstrates a high level of sophistication and adaptability. By leveraging the npm ecosystem and steganographic encoding, the group can deliver malware with a high degree of stealth. Security teams must remain vigilant, adopt comprehensive supply‑chain security measures, and continuously monitor for the IOCs outlined in this report to mitigate potential compromises.

Looking for the Best Cyber Security?

Seamlessly integrate local and cloud resources with our comprehensive cybersecurity services. Protect user traffic at endpoints using advanced security solutions like threat hunting and endpoint protection. Build a scalable network infrastructure with continuous monitoring, incident response, and compliance assessments.

Contact Us

Copyright © 2025 ESSGroup

Discover more from ESSGroup

Subscribe now to keep reading and get access to the full archive.

Continue reading