(socket.dev) StegaBin: North Korean-Linked npm Supply Chain Campaign Uses Pastebin Steganography to Deploy Nine-Module Infostealer and RAT
-
(socket.dev) StegaBin: North Korean-Linked npm Supply Chain Campaign Uses Pastebin Steganography to Deploy Nine-Module Infostealer and RAT
Socket researchers identified 26 malicious npm packages tied to North Korea's Contagious Interview campaign (FAMOUS CHOLLIMA / Lazarus Group), using a technique dubbed "StegaBin" that embeds C2 addresses via character level steganography in Pastebin pastes. The typosquatted packages deploy an RC4 encrypted loader that resolves C2 infrastructure through 31 Vercel deployments, ultimately delivering a WebSocket RAT and a nine module infostealer toolkit targeting developer credentials, SSH keys, browser passwords, cryptocurrency wallets, and VSCode configurations, with FTP based exfiltration on a secondary port.
IOCs in the article.
Source: https://socket.dev/blog/stegabin-26-malicious-npm-packages-use-pastebin-steganography
-
R relay@relay.infosec.exchange shared this topic
