Full Report
Cybersecurity researchers have disclosed a new iteration of the ongoing Contagious Interview campaign, where the North Korean threat actors have published a set of 26 malicious packages to the npm registry. The packages masquerade as developer tools, but contain functionality to extract the actual command-and-control (C2) by using seemingly harmless Pastebin content as a dead drop resolver and
Analysis Summary
# Threat Actor: Famous Chollima
## Attribution & Identity
* **Actor Name:** Famous Chollima
* **Country of Origin:** North Korea (DPRK)
* **Associated Groups:** Tracked as part of the broader "Contagious Interview" activity cluster.
* **Campaign Moniker:** StegaBin (specific to this npm-based iteration).
## Activity Summary
Researchers from Socket and kmsec.uk identified a new iteration of the **Contagious Interview** campaign involving the publication of 26 malicious packages to the npm registry. These packages masquerade as common developer utilities and linting tools. The operation uses a sophisticated multi-stage infection chain involving text steganography via Pastebin to deliver a cross-platform Remote Access Trojan (RAT) and a specialized intelligence-gathering suite.
## Tactics, Techniques & Procedures
* **Supply Chain Attack:** Publishing malicious packages to the npm registry.
* **Typosquatting/Dependency Mimicry:** Malicious packages declare the legitimate libraries they are imitating as dependencies to appear credible.
* **Dead Drop Resolver:** Using Pastebin to host seemingly benign essays that contain hidden C2 addresses.
* **Steganography:** Hiding the C2 URL inside Pastebin essay text using invisible Unicode code points (zero-width characters and mathematical-space characters such as U+205F) interleaved with the visible prose, so the paste reads as an ordinary essay while the loader decodes the hidden characters into an address.
* **Cross-Platform Targeting:** Deployment of platform-specific payloads for **Windows, macOS, and Linux**.
* **Execution via Scripts:** `install.js` and `version.js` are launched from npm lifecycle hooks (e.g. `preinstall`/`postinstall` in `package.json`), so the malware runs automatically on `npm install` without the developer ever importing the package.
* **Persistence via VS Code:** A `.vscode/tasks.json` task with `runOptions.runOn: "folderOpen"`, which VS Code executes every time the developer opens the project folder (in a trusted workspace where automatic tasks are allowed).
* **MITRE ATT&CK IDs (Associated):**
* T1195.001 (Supply Chain Compromise: Compromise Software Dependencies and Development Tools)
* T1102.001 (Web Service: Dead Drop Resolver)
* T1027.003 (Obfuscated Files or Information: Steganography)
* T1546 (Event Triggered Execution)
* T1539 (Steal Web Session Cookie)
* T1555.003 (Credentials from Web Browsers)
## Targeting
* **Sectors:** Technology, Software Development, Information Security.
* **Geography:** Global (targeting the npm ecosystem).
* **Victims:** Developers, specifically those using Node.js/npm environments and Visual Studio Code.
## Tools & Infrastructure
* **Malware Families:**
* **StegaBin Loader:** A decoder for steganographic instructions.
* **Cross-platform RAT:** Provides shell commands and directory manipulation.
* **Intelligence Suite:** Includes modules **"vs"** (VS Code persistence), **"clip"** (keylogger/clipboard), and **"bro"** (browser credential harvester).
* **Infrastructure:**
* **C2 Distribution:** Vercel (31 deployments identified).
* **Dead Drop Hub:** Pastebin.
* **Infrastructure Nodes:**
* ext-checkdin.vercel[.]app
* 103.106.67[.]63[:]1244
* **Malicious npm Packages:** (Partial list: `argonist`, `bcryptance`, `ether-lint`, `expressjs-lint`, `jsnwebapptoken`, `sequelization`).
## Implications
This campaign demonstrates the continued focus of North Korean actors on the developer supply chain. By compromising developers, Famous Chollima gains access to highly privileged environments, source code, SSH keys, and cloud credentials (the intelligence suite uses TruffleHog to locate secrets on the host). The move toward cross-platform RATs and Vercel-based infrastructure indicates a highly adaptable and resilient operational framework designed to bypass traditional perimeter defenses.
## Mitigations
* **Dependency Auditing:** Vet new dependencies with tooling that inspects package behaviour and metadata (e.g. Socket.dev) and check the name, publisher and age of any unfamiliar package by hand. `npm audit` only matches known vulnerability advisories and will not flag a freshly published typosquat.
* **Restrict Execution:** Set `ignore-scripts=true` in `.npmrc` (or run `npm install --ignore-scripts`) so lifecycle hooks such as the ones that launch `install.js` cannot run during installation; run any build steps a package genuinely needs explicitly afterwards.
* **VS Code Security:** Audit `.vscode/tasks.json` for `runOn: "folderOpen"` before opening an unfamiliar repository, keep Workspace Trust enabled, and set `task.allowAutomaticTasks` to `off` so folder-open tasks require explicit approval.
* **Egress Filtering:** Monitor and restrict outbound connections to known dead-drop sites like Pastebin or unusual Vercel subdomains from development environments.
* **Secrets Management:** Use dedicated secrets managers rather than storing SSH keys and environment variables in plain text within developer directories.