
StegaBin: 26 Malicious npm Packages Use Pastebin Steganography to Deploy Multi-Stage Credential Stealer

Blog post from Socket

Post Details

Company: Socket
Date Published:
Author: Philipp Burckhardt and Peter van der Zee
Word Count: 4,377
Language: English
Summary

An AI-powered threat detection system identified 26 malicious npm packages, published over two days, that execute a multi-stage credential and secret harvesting operation targeting developers. Dubbed "StegaBin," this campaign uses steganographic techniques to conceal command-and-control (C2) infrastructure within seemingly benign text on Pastebin, which is decoded to retrieve platform-specific payloads that install a Remote Access Trojan (RAT) and a nine-module infostealer toolkit. This toolkit targets key developer tools and environments like VSCode, SSH keys, git repositories, and browser credential stores. The packages, designed to mimic popular npm libraries through typosquatting, were flagged for suspicious behavior within minutes of publication. This operation is attributed to the North Korean-aligned cyber threat actor FAMOUS CHOLLIMA, linked to the Lazarus Group and targeting Web3 and cryptocurrency developers. The campaign's infrastructure and tradecraft reflect a sophisticated effort to evade detection, and organizations are advised to remain vigilant and cautious when installing npm packages.