Researchers disclosed a new iteration of the Contagious Interview campaign, tracked as StegaBin and attributed to the North Korean Famous Chollima cluster, that published 26 malicious npm packages masquerading as developer tools to deliver a developer-targeted credential stealer and remote access trojan. The packages use install.js to run a steganographic loader that extracts Vercel-hosted C2 domains from Pastebin essays and fetches multi-platform payloads implementing VS Code persistence, keylogging, browser and wallet credential theft, TruffleHog secret scanning, and Git/SSH exfiltration. #StegaBin #FamousChollima #ContagiousInterview #Vercel #Pastebin
Key points
- Attackers published 26 malicious npm packages that appear as developer tools but execute a hidden payload via install.js.
- The loader decodes C2 Vercel domains steganographically encoded in Pastebin essays by extracting characters at evenly spaced positions.
- Decoded domains deliver platform-specific payloads that deploy modules for VS Code persistence, keylogging and clipboard theft, and browser/crypto-wallet credential stealing.
- The campaign uses multi-stage Vercel routing across 31 deployments and connects to infrastructure (e.g., 103.106.67[.]63) for remote control and exfiltration.
- Socket and kmsec.uk track the operation as StegaBin and attribute it to the North Korean Famous Chollima cluster, noting advanced evasion techniques like Pastebin steganography.
Read More: https://thehackernews.com/2026/03/north-korean-hackers-publish-26-npm.html
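As an added defender-side example (not code from the original post, Socket, or kmsec.uk), the following Python triage helper covers the two mechanics the key points describe: it lists the npm lifecycle hooks in a package.json that run automatically on install, and it scans a text blob for a hostname that reappears when characters are read at evenly spaced positions. The suffix list, the sample manifest and the sample essay are constructed here; `c2-placeholder.vercel.app` is a placeholder, not an indicator from the campaign, and the `embed_at_stride` helper exists only to build that sample.

```python
import json
import re

# Lifecycle scripts npm runs automatically during `npm install`; a package that
# wires install.js into one of these gets code execution on the developer's
# machine without any explicit call from the user.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")


def flag_install_hooks(package_json_text: str) -> dict:
    """Return the lifecycle scripts a package.json registers, name -> command."""
    manifest = json.loads(package_json_text)
    scripts = manifest.get("scripts") or {}
    return {name: cmd for name, cmd in scripts.items() if name in LIFECYCLE_HOOKS}


def build_patterns(suffixes):
    """Compile one hostname regex per suffix, e.g. '.vercel.app'."""
    return [
        re.compile(r"[a-z0-9][a-z0-9-]{0,61}\." + re.escape(s.lstrip(".")))
        for s in suffixes
    ]


def find_stride_encoded_domains(text, suffixes=(".vercel.app",), max_stride=64):
    """Search every (stride, offset) lane of `text` for a hostname.

    The loader described in the write-up rebuilds its C2 hostname from the
    characters at evenly spaced positions of a Pastebin essay; reading the
    same lanes and looking for a domain-shaped string is the analyst's check.
    Returns a list of (stride, offset, hostname) tuples.
    """
    patterns = build_patterns(suffixes)
    lowered = text.lower()
    hits = []
    for stride in range(2, max_stride + 1):
        for offset in range(stride):
            lane = lowered[offset::stride]
            for pat in patterns:
                for m in pat.finditer(lane):
                    hits.append((stride, offset, m.group(0)))
    return hits


def embed_at_stride(secret, filler, stride, offset=0):
    """Test fixture only: overwrite every `stride`-th character of `filler`,
    starting at `offset`, with the characters of `secret`. Used here to build
    a constructed sample essay so the detector has something to find."""
    chars = list(filler)
    needed = offset + (len(secret) - 1) * stride + 1
    if len(chars) < needed:
        raise ValueError("filler too short for this stride/offset")
    for i, ch in enumerate(secret):
        chars[offset + i * stride] = ch
    return "".join(chars)


# --- constructed sample inputs (not artifacts from the campaign) ---
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "constructed-dev-tool",
    "version": "1.0.0",
    "scripts": {"install": "node install.js", "test": "node test.js"},
})

SAMPLE_FILLER = "interview essay on caching strategy and build pipelines " * 5
SAMPLE_ESSAY = embed_at_stride("c2-placeholder.vercel.app", SAMPLE_FILLER, stride=7, offset=3)


if __name__ == "__main__":
    print("lifecycle hooks:", flag_install_hooks(SAMPLE_PACKAGE_JSON))
    print("stride-encoded hosts:", find_stride_encoded_domains(SAMPLE_ESSAY))
```

The lane search is brute force over strides up to `max_stride`, which is fine for paste-sized text; the long, specific suffix keeps false positives low, and the same scan over the untouched filler returns nothing. A lifecycle hook by itself is not malicious, so `flag_install_hooks` is a triage signal to read the referenced script, not a verdict.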