Feed
HighPublished 27 Feb 202626 packages · 26 versions

StegaBin: 26 npm typosquats use Pastebin steganography to deliver Contagious Interview RAT

Summary

Socket disclosed 26 typosquatted npm packages tied to North Korea's Contagious Interview / FAMOUS CHOLLIMA cluster. The loader decodes steganographically-encoded Pastebin URLs to resolve C2 hosted across 31 Vercel deployments, then retrieves a 9-module infostealer and RAT toolkit.

typosquatinfostealercredential-theftobfuscationcrypto-wallet-drain
Threat actor
Famous Chollima (DPRK Contagious Interview)
Detected by
Socket
Also known as
StegaBin · Contagious Interview · Famous Chollima
Ecosystems
npm
Packages tracked
26

What happened

StegaBin is Socket's name for a 26-package npm campaign published in late February 2026 and attributed to North Korea's Contagious Interview / Famous Chollima cluster. The package names are typosquats of popular libraries — fastify-lint, expressjs-lint, loadash-lint, prism-lint, and so on — with single-character or suffix variations chosen to catch typo or autocomplete installs.

The novel piece is the resolver: the loader pulls a Pastebin page where the C2 host is encoded steganographically (zero-width whitespace and Base64-in-comments), so simple HTTP traffic analysis sees only a Pastebin fetch. Decoded, the URL points to one of 31 rotating *.vercel.app deployments that serve a 9-module infostealer and RAT toolkit.

Once running, the malware enumerates browser stores (Chrome / Edge / Brave), pulls cookies and saved credentials, harvests SSH keys and Git configs, and runs TruffleHog-style scanning across disk to find further secret material. Crypto wallet extensions are a priority target. On Windows, it stages AnyDesk for hands-on follow-up and installs a keylogger.

Socket identified C2 IP 103.106.67.63 and the Vercel deployment list. Block both at egress, hunt for AnyDesk and keylogger artefacts on Windows developer hosts, and rotate any credential reachable from a host that resolved one of the 26 packages.

Affected packages (26)

  • npmargonist
    0.41.0
  • npmbcryptance
    6.5.2
  • npmbee-quarl
    2.1.2
  • npmbubble-core
    6.26.2
  • npmcorstoken
    2.14.7
  • npmdaytonjs
    1.11.20
  • npmether-lint
    5.9.4
  • npmexpressjs-lint
    5.3.2
  • npmfastify-lint
    5.8.0
  • npmformmiderable
    3.5.7
  • npmhapi-lint
    19.1.2
  • npmiosysredis
    5.13.2
  • npmjslint-config
    10.22.2
  • npmjsnwebapptoken
    8.40.2
  • npmkafkajs-lint
    2.21.3
  • npmloadash-lint
    4.17.24
  • npmmqttoken
    5.40.2
  • npmprism-lint
    7.4.2
  • npmpromanage
    6.0.21
  • npmsequelization
    6.40.2
  • npmtyporiem
    0.4.17
  • npmundicy-lint
    7.23.1
  • npmuuindex
    13.1.0
  • npmvitetest-lint
    4.1.21
  • npmwindowston
    3.19.2
  • npmzoddle
    4.4.2

Impact

  • Browser credentials, crypto wallets, SSH and Git secrets exfiltrated
  • TruffleHog-style scanning runs on victim disk to find more secrets
  • Resilient C2 via rotating Vercel deployments + Pastebin dead-drops

What to do

  1. 1Remove any of the 26 listed packages and rotate impacted credentials
  2. 2Block C2 IP 103.106.67.63 and listed Vercel domains at egress
  3. 3Hunt for AnyDesk and keylogger artefacts on Windows dev hosts

References

npm-2026-02-27-stegabin-contagious-interview