Threat Overview
On March 3, 2026, the research team at CODERED_VTA released a detailed threat bulletin exposing a new campaign by a North Korean threat actor group, informally dubbed FAMOUS CHOLLIMA. The actors have moved beyond traditional malware vectors and have begun weaponizing the open‑source JavaScript ecosystem, specifically npm packages, as a primary delivery mechanism for steganography‑based malware. This report dissects the TTPs, IOCs, and provides actionable guidance for security analysts and organizations to detect, mitigate, and defend against this evolving threat.
Malicious npm Packages
Between February 25 and 26, 2026, a total of seventeen npm packages were identified as malicious. Each package contained a malicious install.js script that overrides npm’s default installation process. When a user runs npm install, this script executes automatically, importing a heavily obfuscated JavaScript file located at vendor/scrypt-js/version.js. The file’s SHA‑256 hash is da1775d0fbe99fbc35b6f0b4a3a3cb84da3ca1b2c1bbac0842317f6f804e30a4. The script functions as a loader, fetching three Pastebin URLs, decoding hidden payloads, and resolving a list of command‑and‑control (C2) domains.
Steganographic Extraction of C2 URLs
The loader retrieves raw Pastebin content from the following links:
- https://pastebin.com/CJ5PrtNk
- https://pastebin.com/0ec7i68M
- https://pastebin.com/DjDCxcsT
Each paste contains intentional typographical errors. A custom decoder extracts specific characters from the text, producing an array of 32 vercel‑hosted domains. The first domain in the list, ext-checkdin.vercel.app, is the primary C2 server; the remaining domains act as fallbacks to ensure persistence if the primary domain is taken down. The malware contacts each domain in turn, downloading a platform‑specific payload via distinct API endpoints: /api/l for Linux, /api/m for macOS, and /api/w for Windows. The retrieved payloads are benign‑looking scripts that download an additional trojan binary and execute it silently.
Infection Chain

- npm Package Installation – A user installs a compromised package.
2. Install Script Execution – The script triggers the maliciousversion.js.
3. Pastebin Retrieval – The script fetches Pastebin content and decodes C2 URLs.
4. C2 Contact – The malware queries the first vercel domain for a payload.
5. Payload Download – The platform‑specific script downloads the final trojan binary.
6. Execution – Binary runs silently, establishing persistence, collecting credentials, and exfiltrating data.
Indicators of Compromise
File Hashes – da1775d0fbe99fbc35b6f0b4a3a3cb84da3ca1b2c1bbac0842317f6f804e30a4 (vendor/scrypt-js/version.js)
Registry Keys – Windows machines may show HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Parse pointing to a temporary file.
Network Artifacts – DNS queries to pastebin.com or vercel.app domains during npm install.
Process Patterns – Node.js process spawning curl or wget with a user agent of curl/7.68.0 or wget/1.20.3.
Detection & Hunting Guidance
Security analysts should focus on the following heuristics:
- Monitor npm install events for anomalous
install.jsscripts. - Inspect outbound DNS traffic for patterns matching Pastebin or vercel domains.
- Detect child processes spawned by Node.js that execute
curlorwgetwith a silent flag or without a user agent. - Scan Windows registry for entries created by the trojan under
Runkeys.
Mitigation Recommendations
- Supply Chain Hardening – Employ npm audit, lockfile verification, and package provenance checks; use package signing and verify checksums before installation.
2. Network Segmentation – Restrict internet access for development environments to approved mirrors; block direct Pastebin access via firewall rules.
3. Endpoint Detection – Deploy EDR solutions that flag Node.js processes performing unapproved network calls or executingcurl/wgetwith no user agent.
4. Patch Management – Keep all systems, especially Node.js runtime, up to date with the latest security patches.
5. Zero‑Trust Development Practices – Adopt strict code reviews, use trusted third‑party libraries, and enforce least‑privilege for development accounts.
Conclusion
FAMOUS CHOLLIMA’s rapid iteration of novel loading techniques demonstrates a high level of sophistication and adaptability. By leveraging the npm ecosystem and steganographic encoding, the group can deliver malware with a high degree of stealth. Security teams must remain vigilant, adopt comprehensive supply‑chain security measures, and continuously monitor for the IOCs outlined in this report to mitigate potential compromises.

