How North Korean APT Used Steganography and Dead‑Drop Resolvers in 26 Malicious npm Packages

In March 2026, researchers uncovered a supply‑chain attack where a North Korean Lazarus‑linked group published 26 typosquatted npm packages that hide C2 commands via Pastebin steganography and deploy a modular RAT through Vercel, prompting detailed mitigation guidance for developers.

Black & White Path

Event Overview

In March 2026, Socket and kmsec.uk disclosed a supply‑chain attack in the npm registry attributed to the North Korean Lazarus‑linked group Famous Chollima. The campaign, named StegaBin, introduced 26 malicious npm packages that embed a steganographic dead‑drop resolver and a modular remote‑access trojan.

Typosquatting and Dependency Deception

All 26 packages use names that closely resemble popular modules, for example bcryptance (vs bcrypt), loadash‑lint (vs lodash), and zoddle (vs zod). Each package’s package.json declares the legitimate library as a dependency, causing the real library to be installed and the malicious code to run unnoticed.

Steganographic Decoder

During npm install, the package’s install.js script executes vendor/scrypt-js/version.js. The script fetches a Pastebin URL that appears to host an academic paper and then decodes hidden C2 domain names using the following steps:

Strip zero‑width Unicode characters from the fetched text.

Read a five‑digit length marker at the start of the text.

Compute equidistant sampling positions across the text based on the length marker.

Extract characters at those positions and concatenate them.

Split the resulting string on the delimiter ||| and terminate at ===END=== to obtain an array of C2 hostnames.

This approach hides the payload in publicly viewable text, evading static analysis and network‑based detection.
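The five decoding steps above, written out as an analyst‑side decoder so that hostnames can be pulled out of a captured paste for blocklisting and alerting. This is an added example, not code from the original post or from the Socket/kmsec.uk research. Two details the article does not state are assumed here: the five‑digit marker is taken to be the number of hidden characters, and hidden character i is taken to sit at floor(i × L / count) within the text that follows the marker (L being that text’s length after zero‑width stripping). The hostnames and cover text in the fixture are constructed placeholders.

```javascript
// Added example (not from the original post): analyst-side decoder for the
// StegaBin dead-drop scheme as the article lists it in five steps.
// ASSUMPTIONS not stated on the page: the five-digit marker is the count of
// hidden characters, and hidden character i sits at floor(i * L / count) in
// the text after the marker, where L is that text's length after step 1.

const ZERO_WIDTH = /[\u200B\u200C\u200D\u2060\uFEFF]/g; // ZWSP, ZWNJ, ZWJ, WJ, BOM
const DELIMITER = '|||';
const TERMINATOR = '===END===';

// Step 1: drop zero-width Unicode characters.
function stripZeroWidth(text) {
  return text.replace(ZERO_WIDTH, '');
}

// Step 3: equidistant positions across a body of `bodyLength` characters.
function samplingPositions(bodyLength, count) {
  const positions = [];
  for (let i = 0; i < count; i += 1) {
    positions.push(Math.floor((i * bodyLength) / count));
  }
  return positions;
}

// Steps 1-5 together: returns the array of hostnames hidden in `rawText`,
// or throws when the text does not carry a well-formed length marker.
function decodeDeadDrop(rawText) {
  const text = stripZeroWidth(rawText);
  const marker = text.slice(0, 5);                          // Step 2
  if (!/^\d{5}$/.test(marker)) {
    throw new Error('no five-digit length marker at start of text');
  }
  const count = Number(marker);
  const body = text.slice(5);
  if (count === 0 || count > body.length) {
    throw new Error(`length marker ${count} inconsistent with body of ${body.length} chars`);
  }
  const hidden = samplingPositions(body.length, count)      // Step 4
    .map((p) => body[p])
    .join('');
  const endAt = hidden.indexOf(TERMINATOR);                 // Step 5
  const payload = endAt === -1 ? hidden : hidden.slice(0, endAt);
  return payload.split(DELIMITER).filter((h) => h.length > 0);
}

// Constructed fixture for offline use only: writes `hiddenString` into `filler`
// at the same positions the decoder reads from, then prefixes the 5-digit marker.
function buildFixture(hiddenString, filler) {
  const count = hiddenString.length;
  if (count > filler.length) throw new Error('filler too short for hidden string');
  const body = filler.split('');
  samplingPositions(body.length, count).forEach((p, i) => {
    body[p] = hiddenString[i];
  });
  return String(count).padStart(5, '0') + body.join('');
}

// Stand-alone demo with constructed placeholder hostnames (never real infrastructure).
const SAMPLE_HIDDEN = 'c2-a.example.invalid|||c2-b.example.invalid|||===END===tail';
const SAMPLE_FILLER = 'Lorem ipsum dolor sit amet, consectetur adipiscing elit. '.repeat(3);
// Zero-width spaces interleaved between every character imitate a noisy cover text.
const SAMPLE_PASTE = buildFixture(SAMPLE_HIDDEN, SAMPLE_FILLER).split('').join('\u200B');

console.log(decodeDeadDrop(SAMPLE_PASTE)); // [ 'c2-a.example.invalid', 'c2-b.example.invalid' ]
```

The decoder refuses input whose marker is missing or larger than the body, which is the first check to run on any paste an analyst suspects of being a dead drop; everything after the ===END=== terminator is discarded as padding, matching step 5.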

Vercel Serverless C2 Infrastructure

The decoded C2 hostnames point to Vercel serverless deployments (e.g., ext‑checkdin.vercel.app). The attackers deployed the payload across 31 independent Vercel instances, leveraging the platform’s global CDN and reputable cloud presence to reduce the likelihood of triggering alerts.

Modular RAT Deployment

After contacting the Vercel C2, the malware delivers OS‑specific payloads that together form a highly modular RAT consisting of nine modules:

vs : VS Code persistence by writing a malicious tasks.json with runOn: "folderOpen" to trigger callbacks on project open.

clip : Keylogging, clipboard theft, mouse tracking, active‑window monitoring and periodic data exfiltration.

bro : Browser credential extraction via a Python‑based key‑store parser.

j : Cryptocurrency wallet theft from Chrome, Brave, Firefox, Opera, Edge and extensions such as MetaMask, Phantom, Coinbase Wallet; on macOS also harvests iCloud keychain.

z : File‑system enumeration and pattern‑based document exfiltration.

n : Real‑time remote control using a WebSocket connection to 103.106.67.63:1247, supporting command execution and FTP exfiltration.

truffle : Sensitive information scanning by downloading the legitimate TruffleHog tool and repurposing it to locate secrets.

git : Git and SSH credential theft, including extraction of .ssh files and repository scanning.

sched : Persistent redeployment of the core payload to maintain foothold.

Malicious Package List

[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
ether‑[email protected]
expressjs‑[email protected]
fastify‑[email protected]
[email protected]
hapi‑[email protected]
[email protected]
jslint‑[email protected]
[email protected]
kafkajs‑[email protected]
loadash‑[email protected]
[email protected]
prism‑[email protected]
[email protected]
[email protected]
[email protected]
undicy‑[email protected]
[email protected]
vitetest‑[email protected]
[email protected]
[email protected]

Detection Indicator

Every malicious package contains the file vendor/scrypt-js/version.js. Presence of this file is a reliable indicator for detection scans.

Tags: APT, Steganography, npm supply chain, RAT, Node.js security, dead drop, typosquatting
Written by Black & White Path

We are the beacon of the cyber world, a stepping stone on the road to security.