StegaBin: 26 npm typosquats use Pastebin steganography to deliver Contagious Interview RAT
Socket disclosed 26 typosquatted npm packages tied to North Korea's Contagious Interview / FAMOUS CHOLLIMA cluster. The loader decodes steganographically-encoded Pastebin URLs to resolve C2 hosted across 31 Vercel deployments, then retrieves a 9-module infostealer and RAT toolkit.
- Threat actor
- Famous Chollima (DPRK Contagious Interview)
- Detected by
- Socket
- Also known as
- StegaBin · Contagious Interview · Famous Chollima
- Ecosystems
- npm
- Packages tracked
- 26
What happened
StegaBin is Socket's name for a 26-package npm campaign published in late February 2026 and attributed to North Korea's Contagious Interview / Famous Chollima cluster. The package names are typosquats of popular libraries — fastify-lint, expressjs-lint, loadash-lint, prism-lint, and so on — with single-character or suffix variations chosen to catch typo or autocomplete installs.
The novel piece is the resolver: the loader pulls a Pastebin page where the C2 host is encoded steganographically (zero-width whitespace and Base64-in-comments), so simple HTTP traffic analysis sees only a Pastebin fetch. Decoded, the URL points to one of 31 rotating *.vercel.app deployments that serve a 9-module infostealer and RAT toolkit.
Once running, the malware enumerates browser stores (Chrome / Edge / Brave), pulls cookies and saved credentials, harvests SSH keys and Git configs, and runs TruffleHog-style scanning across disk to find further secret material. Crypto wallet extensions are a priority target. On Windows, it stages AnyDesk for hands-on follow-up and installs a keylogger.
Socket identified C2 IP 103.106.67.63 and the Vercel deployment list. Block both at egress, hunt for AnyDesk and keylogger artefacts on Windows developer hosts, and rotate any credential reachable from a host that resolved one of the 26 packages.
Affected packages (26)
- npm
argonist0.41.0 - npm
bcryptance6.5.2 - npm
bee-quarl2.1.2 - npm
bubble-core6.26.2 - npm
corstoken2.14.7 - npm
daytonjs1.11.20 - npm
ether-lint5.9.4 - npm
expressjs-lint5.3.2 - npm
fastify-lint5.8.0 - npm
formmiderable3.5.7 - npm
hapi-lint19.1.2 - npm
iosysredis5.13.2 - npm
jslint-config10.22.2 - npm
jsnwebapptoken8.40.2 - npm
kafkajs-lint2.21.3 - npm
loadash-lint4.17.24 - npm
mqttoken5.40.2 - npm
prism-lint7.4.2 - npm
promanage6.0.21 - npm
sequelization6.40.2 - npm
typoriem0.4.17 - npm
undicy-lint7.23.1 - npm
uuindex13.1.0 - npm
vitetest-lint4.1.21 - npm
windowston3.19.2 - npm
zoddle4.4.2
Impact
- Browser credentials, crypto wallets, SSH and Git secrets exfiltrated
- TruffleHog-style scanning runs on victim disk to find more secrets
- Resilient C2 via rotating Vercel deployments + Pastebin dead-drops
What to do
- 1Remove any of the 26 listed packages and rotate impacted credentials
- 2Block C2 IP 103.106.67.63 and listed Vercel domains at egress
- 3Hunt for AnyDesk and keylogger artefacts on Windows dev hosts