North Korean actors publish 26 malicious npm packages that deploy credential stealer and RAT

North Korean-linked threat actors published 26 malicious packages to the npm registry in March 2026 that install a credential stealer and a remote access trojan aimed at developer systems and tooling.

KEY FACTS

  • Incident: 26 malicious packages published to the npm registry
  • Technique: text steganography in Pastebin pastes to hide command and control addresses
  • Infrastructure: C2 hosted on Vercel across 31 deployments
  • Impact: installs a credential stealer and a multi-module remote access trojan

In a technical analysis, Socket researchers noted that each package includes an install script that executes a payload embedded in vendor/scrypt-js/version.js, and that the payload decodes Pastebin content to recover its C2 domains.

The report lists the 26 packages as typosquats of legitimate developer libraries and says each package declared the legitimate package it imitated as a dependency, so that the manifest would look credible to anyone inspecting it.
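The two manifest traits described above, an install-time lifecycle script and a dependency whose name is a near twin of the package's own name, are cheap to check before installing. The following is an added example written for this article, not Socket's tooling or code from any of the packages it lists; the package names in the sample manifest are constructed placeholders.

```javascript
// Audit an npm package.json object for two traits the article describes:
// 1. a lifecycle script that runs at install time, and
// 2. a declared dependency whose name is within a small edit distance of
//    the package's own name (a typosquat declaring the package it imitates).
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Levenshtein edit distance between two strings (used to spot look-alike names).
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
    }
  }
  return dp[a.length][b.length];
}

// Returns the install hooks present, the look-alike dependencies, and a
// combined verdict. maxDistance = 2 catches one transposition or two typos.
function auditPackage(pkg, maxDistance = 2) {
  const scripts = pkg.scripts || {};
  const installHooks = INSTALL_HOOKS
    .filter((hook) => Object.prototype.hasOwnProperty.call(scripts, hook))
    .map((hook) => ({
      hook,
      cmd: scripts[hook],
      // The article's loader lives under vendor/; flag scripts that execute from there.
      runsVendorFile: /\bvendor\//.test(scripts[hook]),
    }));
  const deps = Object.keys(pkg.dependencies || {});
  const lookalikeDeps = deps.filter(
    (dep) => dep !== pkg.name && editDistance(dep, pkg.name) <= maxDistance
  );
  return {
    installHooks,
    lookalikeDeps,
    suspicious: installHooks.length > 0 && lookalikeDeps.length > 0,
  };
}

// Constructed sample manifest. "acme-http-cilent" and "acme-http-client" are
// hypothetical names, not real packages.
const SAMPLE_PACKAGE = {
  name: "acme-http-cilent",
  version: "1.0.3",
  scripts: { postinstall: "node vendor/scrypt-js/version.js" },
  dependencies: { "acme-http-client": "^4.0.0", ws: "^8.0.0" },
};

console.log(JSON.stringify(auditPackage(SAMPLE_PACKAGE), null, 2));
```

A package that trips both checks is not proven malicious (plenty of legitimate packages run postinstall builds, and forks sometimes depend on their upstream), but it is the combination the report describes, so it is a sensible gate for a pre-install review or a registry mirror policy.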

The loader contacts three Pastebin pastes that contain innocuous essays. The decoder strips zero-width Unicode characters, reads a five-digit length marker, and extracts characters at evenly spaced positions to produce a list of Vercel domains that host platform-specific payloads.
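The decode steps above are enough to reconstruct the general technique. The following is an added example written for this article and is not the loader's code: the exact layout (the marker sitting at the start of the cleaned text, the stride derived as the cleaned body length divided by the marker value) is an assumption made here, the encoder exists only to build a constructed carrier, and the domain names are placeholders under the reserved .invalid TLD.

```javascript
// Text steganography of the kind the article describes: a hidden string is
// spread across a filler "essay" at evenly spaced positions, prefixed with a
// five-digit length marker, with zero-width characters sprinkled in as noise.
const ZERO_WIDTH = /[\u200B\u200C\u200D\u2060\uFEFF]/g;
const MARKER_LEN = 5;

// Encoder (assumed layout, for building the demo carrier only).
function encode(hidden, filler, stride) {
  if (!filler.length || stride < 1) throw new Error("need filler text and stride >= 1");
  if (hidden.length > 99999) throw new Error("too long for a five-digit marker");
  const marker = String(hidden.length).padStart(MARKER_LEN, "0");
  let body = "";
  let f = 0;
  for (const ch of hidden) {
    body += ch; // hidden character at every stride-th slot
    for (let k = 1; k < stride; k++) body += filler[f++ % filler.length];
  }
  // Insert a zero-width joiner after every 7th character to defeat naive matching.
  return marker + body.replace(/(.{7})/g, "$1\u200D");
}

// Decoder: strip zero-width characters, read the length marker, then pick
// characters at evenly spaced positions. Returns the comma-separated list.
function decode(carrier) {
  const clean = carrier.replace(ZERO_WIDTH, "");
  const n = parseInt(clean.slice(0, MARKER_LEN), 10);
  if (!Number.isInteger(n) || n <= 0) return null;
  const body = clean.slice(MARKER_LEN);
  const stride = Math.floor(body.length / n);
  if (stride < 1) return null;
  let out = "";
  for (let i = 0; i < n; i++) out += body[i * stride];
  return out.split(",");
}

// A detection-side check: ordinary prose fetched by an install script should
// not contain zero-width characters; a high count is a cheap signal to alert on.
function zeroWidthCount(text) {
  return (text.match(ZERO_WIDTH) || []).length;
}

// Constructed filler and placeholder C2 list (not real infrastructure).
const FILLER = "The quick brown fox jumps over the lazy dog while the sun sets slowly ";
const HIDDEN = "c2-one.example.invalid,c2-two.example.invalid";
const carrier = encode(HIDDEN, FILLER, 4);

console.log("zero-width chars in carrier:", zeroWidthCount(carrier));
console.log("decoded:", decode(carrier));
```

Two things worth noting when hunting for this in the wild: the carrier text reads as ordinary prose and carries no URL, so URL-based scanners never trigger, and the stride arithmetic means the payload survives whitespace or case normalisation only if it preserves character count, which is why a rule that simply counts zero-width code points in fetched content is a more robust first check than trying to decode it.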

The multi-stage payload served from Vercel fetches platform-specific components for Windows, macOS and Linux. One of the served shell scripts retrieved a RAT that connects to 103.106.67.63 on port 1244 and opens a WebSocket on port 1247 for remote control and data exfiltration.

WHY IT MATTERS

The campaign targets developer workflows and tooling to harvest credentials, secrets and source files. Developers and organizations that install untrusted packages from npm risk compromise of their code repositories and developer accounts.