North Korea's StegaBin: 26 npm Packages Using Pastebin Steganography to Hide C2 Infrastructure

The Attack in One Sentence

Famous Chollima — the North Korean group behind the Contagious Interview campaign — published 26 npm packages that, on installation, decoded hidden C2 addresses from computer science essays on Pastebin, then deployed a nine-module cross-platform RAT that steals credentials, cryptocurrency wallets, and developer secrets.

Researchers from Socket (Philipp Burckhardt and Peter van der Zee) and independent researcher Kieran Miyamoto disclosed the campaign — tracked as StegaBin — on March 2, 2026. It represents a meaningful evolution from prior Contagious Interview waves, which used comparatively straightforward scripts and Bitbucket-hosted payloads.

The Steganography Trick: How C2 URLs Hide in Plain Text

The technical innovation here is the C2 extraction mechanism. The malicious install script contacts a Pastebin URL and receives what appears to be an innocent computer science essay. But the decoder isn't reading the essay — it's reading specific characters at evenly-spaced positions throughout the text.

The extraction algorithm works like this:

1. Strip zero-width Unicode characters (common in modern steganography to hide metadata)
2. Read a 5-digit length marker from the beginning of the text
3. Calculate evenly-spaced character positions throughout the remainder of the document
4. Extract and concatenate the characters at those positions
5. Split on a ||| separator (with an ===END=== termination marker) to produce an array of C2 domain names

The result is a list of Vercel domains — the actual C2 infrastructure — which the payload then contacts to fetch platform-specific binaries for Windows, macOS, and Linux.

Why Pastebin? Two reasons. First, Pastebin is categorically clean in most corporate DNS and proxy allow-lists. Blocking Pastebin would break a significant amount of legitimate developer workflow. Second, the content itself — an essay about computer science — passes casual visual inspection. An analyst reviewing DNS logs sees outbound Pastebin queries; nothing flags.

The C2 is then hosted on Vercel across 31 deployments. Again: legitimate infrastructure. Vercel hosts production applications for tens of thousands of companies. Blocking it wholesale is not an option for most security teams.

This is the Living Off Trusted Sites (LOTS) technique applied with unusual sophistication — not just using a trusted platform as a C2 channel, but encoding the infrastructure address in a deniable plaintext document on that platform.

The 26 Packages

All 26 packages follow the same pattern: they typosquat a legitimate, well-known npm dependency (which they then declare as an explicit dependency to appear credible), include an install.js script executed automatically on install, and embed the malicious payload in vendor/scrypt-js/version.js — a path chosen to blend in with legitimate cryptographic library files.

The full list:

• argonist (argon2 typosquat)
• bcryptance (bcrypt)
• bee-quarl
• bubble-core
• corstoken (cors)
• daytonjs (dayjs)
• ether-lint
• expressjs-lint (express)
• fastify-lint (fastify)
• formmiderable (formidable)
• hapi-lint (@hapi/hapi)
• iosysredis (ioredis)
• jslint-config
• jsnwebapptoken
• kafkajs-lint (kafkajs)
• loadash-lint (lodash)
• mqttoken (mqtt)
• prism-lint (prismjs)
• promanage
• sequelization (sequelize)
• typoriem
• undicy-lint (undici)
• uuindex (uuid)
• vitetest-lint (vitest)
• windowston (winston)
• zoddle (zod)

The naming convention is consistent: either subtle typos of common packages (loadash for lodash, formmiderable for formidable) or the legitimate package name with -lint appended — a suffix that suggests code quality tooling, which many developers add to projects without scrutiny.

The Nine-Module RAT

Once the C2 is reached, the payload fetches a RAT tailored to the victim's operating system. The RAT is modular — nine discrete components, each with a specific function:

The truffle module deserves particular attention. TruffleHog is designed to detect secrets accidentally committed to Git repositories — it's a defender's tool. Famous Chollima has weaponised it: rather than writing their own secrets scanner, they download the legitimate binary from GitHub and point it at the victim's codebase. The effect is that the attacker benefits from TruffleHog's pattern library of 700+ credential types across 900+ API integrations. If you committed a secret to any repository on that machine, they'll find it.

The VS Code Persistence Mechanism

The VS Code persistence module is notable because it exploits a legitimate VS Code feature. The tasks.json file — part of VS Code's task runner — supports a "runOn": "folderOpen" trigger that executes defined tasks whenever a project folder is opened.

The module:

1. Locates VS Code configuration directories across Windows (%APPDATA%), macOS (~/Library/Application Support), and Linux (~/.config)
2. Injects a malicious tasks.json into each workspace config
3. Contacts a Vercel C2 domain to send fresh commands on each VS Code startup

The effect is that the persistence mechanism fires every time the developer opens VS Code — which for an active developer is multiple times per day. It's not a system-level service, so it's less visible in process monitors, and it's inside the user's application data directory, which doesn't require elevated permissions to write.

Network IOCs

The following network indicators were published in the Socket and kmsec.uk disclosures:

• RAT C2: 103.106.67[.]63:1244 (initial connection)
• RAT WebSocket: 103.106.67[.]63:1247 (real-time control)
• Vercel C2 staging: ext-checkdin.vercel[.]app (and 30 additional Vercel deployments)
• Pastebin dead-drop resolver: Multiple Pastebin pastes (URLs not published; monitor for install scripts accessing Pastebin programmatically)

Block 103.106.67[.]63 at the firewall. For the Vercel traffic: you can't block Vercel wholesale, but you can detect via anomalous patterns — developer workstations making outbound connections to fresh/unknown Vercel subdomains during npm install operations is suspicious.

Detection: What to Look For

Pre-install (proactive)

• Audit your package.json for any of the 26 package names above. grep -r "loadash-lint\|expressjs-lint\|zoddle\|corstoken" package.json package-lock.json
• Run your npm install commands in a sandboxed environment (Docker, VM) and capture all outbound DNS and HTTP requests. Legitimate packages do not contact Pastebin during installation.
• Use Socket Security (the researchers who found this) or similar supply-chain scanning tools before adding new dependencies.

Post-compromise indicators

• Unexpected tasks.json modifications: Check ~/.config/Code/User/tasks.json and workspace-level .vscode/tasks.json for entries with runOn: "folderOpen" that you didn't create.
• TruffleHog process execution: Alert on trufflehog processes spawned by non-user shell processes (node, npm, sh) — legitimate TruffleHog runs are interactive.
• Outbound Pastebin access from CI/CD or automated npm processes: Flag any DNS queries to pastebin.com originating from package managers or install hooks.
• WebSocket connections to 103.106.67.63: Block and alert at the perimeter.

Tooling for analysis

If you suspect a package is malicious before running it, tools like Black Hat Python (2nd Edition) provide the foundational understanding of how Python-based payloads work — useful for reading the bro credential-stealing module without running it. For understanding Node.js payloads (the j module), reviewing JavaScript runtime behaviour via browser devtools in a sandboxed container is practical. The Web Application Hacker's Handbook provides essential proxy and traffic analysis patterns for understanding how these modules exfiltrate data over HTTP.

How This Fits the Contagious Interview Pattern

Contagious Interview (also tracked as Famous Chollima) is a multi-year North Korean operation targeting software developers, particularly in crypto and DeFi. The consistent playbook: publish typosquatted npm packages targeting JavaScript/TypeScript developers, execute malware on install, and steal credentials with a bias toward cryptocurrency wallets and private keys.

Previous waves used simpler techniques — Bitbucket-hosted payloads, direct domain C2. StegaBin represents a meaningful step up in operational security. The use of steganography to hide C2 addresses means:

• The Pastebin "pastes" don't contain obvious IOCs — they look like essays
• C2 rotation is trivial: update the paste, and all deployed implants automatically get new C2 addresses without code changes
• DNS-based IOC feeds won't catch it — there's no static C2 domain in the payload

The Vercel C2 hosting compounds this. Vercel is a content delivery network used by production applications globally. Sinkholing a Vercel domain is possible, but Vercel domains rotate: at 31 deployments, taking one down doesn't kill the campaign.

We also covered APT31's supply chain attack via a malicious Go module (February 2026) and ScarCruft's Zoho WorkDrive C2 campaign — all three share the LOTS technique of abusing legitimate, trusted platforms as attack infrastructure.

What Developers Should Do Right Now

1. Audit your dependencies immediately. Check the full list of 26 packages against your node_modules and package-lock.json. npm ls | grep -E "loadash-lint|expressjs-lint|zoddle|bcryptance|argonist|corstoken|daytonjs|formmiderable|jslint-config|jsnwebapptoken|windowston|prism-lint|sequelization|uuindex|vitetest-lint|undicy-lint|typoriem|kafkajs-lint|mqttoken|hapi-lint|iosysredis|bee-quarl|bubble-core|ether-lint|promanage"
2. Check your VS Code tasks.json. On macOS: cat ~/Library/Application\ Support/Code/User/tasks.json. On Linux: cat ~/.config/Code/User/tasks.json. Any runOn: "folderOpen" entry you didn't add is a red flag.
3. Rotate credentials from affected machines. If any of these packages were installed on a developer workstation, treat all secrets (API keys, tokens, SSH keys, browser-stored passwords, crypto wallets) on that machine as compromised. Rotate them all.
4. Enable Socket Security or equivalent in your CI pipeline. Supply-chain scanning should run before any package is installed, not after.
5. Run TruffleHog on your repositories yourself to understand what the attacker would have found — and to confirm nothing sensitive is already committed. The irony is this is exactly what the malware does, so you should do it first.

For developers setting up a comprehensive security lab environment to test these defences, a dedicated security lab setup that includes sandbox environments for npm package analysis is strongly recommended. Penetration Testing by Georgia Weidman covers controlled lab environment setup extensively, including network isolation techniques applicable to malware analysis.

The Bigger Picture: Supply Chain Is the Attack Surface

This campaign is a reminder that the npm registry remains a high-value attack surface for nation-state actors. The numbers work in favour of attackers: there are millions of npm packages, automated dependency resolution means developers install packages they've never read, and the lag between malicious publication and npm registry takedown creates an exploitation window measured in hours to days.

Famous Chollima is targeting developers specifically because developers have access to the most valuable credentials: production API keys, cloud access tokens, private keys for signing code, and cryptocurrency wallets. A single compromised developer workstation at a crypto exchange can be worth millions of dollars to North Korea's weapons programme — which is why they invest in increasingly sophisticated evasion techniques like StegaBin.

The TruffleHog weaponisation detail is particularly pointed: the very tools the security community built to detect secrets in code are being turned against the developers who wrote that code. Defence here requires moving the detection earlier — before the package runs — not after.