New North Korean Threat Campaign Uncovered

A new wave of the North Korea-linked “Contagious Interview” campaign has been uncovered, in which 26 malicious npm packages masquerading as legitimate developer tools were uploaded to the registry. The packages execute a malicious install script (install.js) that launches a payload designed to retrieve command-and-control (C2) infrastructure through steganographically encoded Pastebin content. The malware decodes hidden C2 domains embedded within seemingly harmless essays, then pulls platform-specific payloads. The resulting toolset includes a full RAT, credential stealers, browser data harvesters, VS Code persistence mechanisms, SSH and Git exfiltration modules, and secret-scanning utilities. The campaign — tracked as StegaBinand — demonstrates increasingly sophisticated evasion tactics designed to bypass traditional tools.

Stopping this attack chain requires visibility at every stage — from supply chain compromise to endpoint persistence and outbound C2 communication. Detection must begin at the software layer, monitoring package installation logs, dependency changes, and execution of post-install scripts within CI/CD pipelines. At runtime, defenders need process execution logs, file integrity monitoring (FIM), registry/service creation events, VS Code configuration changes, and endpoint telemetry (EDR/XDR) to detect unauthorized install scripts, malicious DLL drops, or suspicious task.json persistence triggers.
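Two of the software-layer checks described above, as an added example that is not NIKSUN's code or part of the original story: flag npm lifecycle hooks that run code at install time (the hook names are npm's own), and flag VS Code tasks configured to start automatically when a folder is opened (assumed to be expressed as `runOptions.runOn == "folderOpen"`, and the file assumed to be plain JSON without comments). The sample package.json and tasks.json are constructed, not artefacts from the campaign.

```python
import json
import re

# npm runs these hooks automatically during `npm install`; the package never has to
# be imported for them to execute, which is why post-install scripts need monitoring.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Commands that launch a script file or a downloader deserve a closer look.
LAUNCH_PATTERN = re.compile(r"\bnode\b.*\.js\b|\bcurl\b|\bwget\b|\bpowershell\b|\b(ba)?sh\b")


def install_hook_findings(package_json: str) -> list:
    """Return (hook, command, severity) for every install-phase lifecycle hook."""
    scripts = json.loads(package_json).get("scripts", {})
    findings = []
    for hook, cmd in scripts.items():
        if hook in INSTALL_HOOKS:
            severity = "high" if LAUNCH_PATTERN.search(cmd) else "review"
            findings.append((hook, cmd, severity))
    return findings


def auto_run_tasks(tasks_json: str) -> list:
    """Return labels of tasks VS Code would run on folder open (assumed runOn == 'folderOpen')."""
    tasks = json.loads(tasks_json).get("tasks", [])
    return [t.get("label", "<unnamed>") for t in tasks
            if t.get("runOptions", {}).get("runOn") == "folderOpen"]


# Constructed samples, not real package or workspace files.
SAMPLE_PACKAGE = json.dumps({
    "name": "example-dev-tool", "version": "1.0.0",
    "scripts": {"postinstall": "node install.js", "prepare": "echo ready", "test": "jest"},
})
SAMPLE_TASKS = json.dumps({
    "version": "2.0.0",
    "tasks": [
        {"label": "build", "type": "shell", "command": "npm run build"},
        {"label": "sync", "type": "shell", "command": "node .vscode/sync.js",
         "runOptions": {"runOn": "folderOpen"}},
    ],
})

if __name__ == "__main__":
    print(install_hook_findings(SAMPLE_PACKAGE))
    print(auto_run_tasks(SAMPLE_TASKS))
```

Run this against each package pulled into a CI job (e.g. over node_modules/*/package.json) and against .vscode/tasks.json in checked-out repositories; a "high" finding or any auto-run task is a review trigger, not proof of compromise.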

On the network side, security teams must monitor DNS queries, HTTPS sessions to Pastebin, outbound traffic, WebSocket connections, and suspicious FTP exfiltration flows. Layer 7 application session analytics and SSL inspection are critical to identify steganographic payload retrieval and anomalous command beaconing to IP addresses such as 103.106.67[.]63. To actually stop these attacks — not just observe them — organizations must unify endpoint detection, network detection and response (NDR), SIEM correlation, threat intelligence, and software supply chain security monitoring into a single platform like NIKSUN. Read more about this story on our LinkedIn page.
