Novel DPRK stager using Pastebin and text steganography
A novel malware campaign attributed to the DPRK-linked threat actor FAMOUS CHOLLIMA leverages seventeen malicious npm packages to infect Windows, macOS, and Linux systems. The packages act as stagers: they retrieve a Pastebin page that serves as a dead-drop resolver, with the command-and-control (C2) URL hidden inside seemingly benign text and recovered by a complex text-steganography decoding routine. If the Pastebin dead drop is unavailable, the stager falls back to domains hosted on Vercel, so the infection chain survives the removal of a single paste or domain and the traffic blends with legitimate use of both services. The stager then downloads and executes a payload built for the victim's platform, demonstrating multi-platform targeting and deliberate evasion. The campaign reflects an accelerated development pace by the adversary and an evolving infection methodology. No CVE or in-the-wild exploit is associated with it: the campaign relies on developers installing the malicious packages rather than on a software vulnerability, and its multi-stage design still poses significant risk. Observed TTPs include living-off-the-land binaries, obfuscation, and C2 over common web protocols. Organizations that consume npm packages, and those with Windows, macOS, or Linux developer endpoints, should be vigilant. Because Pastebin and Vercel are legitimate, widely used platforms, blocking them outright is rarely practical and takedown is slow, which complicates detection. Mitigation requires supply-chain controls on npm dependencies, monitoring for suspicious packages, and network traffic analysis for unexpected Pastebin or Vercel connections from developer and build hosts.
AI Analysis
Technical Summary
This campaign involves seventeen malicious npm packages that act as the initial stager for a multi-platform infection of Windows, macOS, and Linux systems. The stager uses Pastebin as a covert dead-drop resolver: the C2 URL is embedded in innocuous-looking paste text with a text-steganography scheme, and a complex decoding routine in the stager recovers it before fetching the platform-specific payload. For resilience, the chain carries multiple fallback domains hosted on Vercel, a widely used hosting platform, so removal of a paste or blocking of a single domain does not stop the infection, and the traffic is hard to distinguish from legitimate use of either service. The campaign is attributed to FAMOUS CHOLLIMA, a DPRK-linked actor known for sophisticated and rapidly evolving malware operations. The mapped MITRE ATT&CK techniques are Command and Scripting Interpreter: JavaScript (T1059.007); System Information Discovery (T1082); Masquerading (T1036); Web Service (T1102), used here as a dead-drop resolver backed by fallback infrastructure; Unsecured Credentials: Credentials In Files (T1552.001); and Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001). Delivery through npm makes this a software supply-chain attack aimed at developers and at the organizations that depend on their JavaScript dependency trees. The multi-platform payloads and the use of public infrastructure for C2 complicate both detection and mitigation. No CVE or known exploit in the wild is associated with the campaign, which relies on package installation rather than on a software vulnerability; its sophistication and stealth nonetheless justify a medium severity rating, with potential for significant impact where an infection succeeds.
Potential Impact
The campaign poses a substantial risk to organizations worldwide, especially those that consume npm packages in their software development lifecycle or run heterogeneous fleets of Windows, macOS, and Linux endpoints. A successful infection gives the actor remote code execution on a developer or build host, from which data exfiltration, theft of credentials stored in files, lateral movement, and long-term persistence follow. Because C2 is relayed through Pastebin and Vercel, both legitimate and widely used, the traffic is easy to overlook, increasing the likelihood of a prolonged undetected presence. Compromise through npm also threatens software integrity and trust: a tainted developer or CI host can push malicious code into build pipelines and on to downstream consumers. Organizations holding high-value intellectual property, operating critical infrastructure, or of geopolitical interest to the DPRK are at elevated risk of targeted attacks. The multi-platform capability broadens the attack surface across diverse environments. No known exploits in the wild have been reported, but the campaign's ongoing development suggests a risk of escalation and wider deployment. The medium severity rating balances the complexity and stealth of the campaign against the current lack of evidence of widespread compromise.
Mitigation Recommendations
1. Vet npm dependencies before they enter a project: pin exact versions with a committed lockfile, review newly published packages and their maintainers, and prefer packages with an established history.
2. Run software composition analysis (SCA) tools in CI to detect and block known-malicious or suspicious npm packages.
3. Treat npm lifecycle scripts (preinstall, install, postinstall) as an execution boundary: they are the usual point at which a malicious package runs code during install, so set ignore-scripts=true in .npmrc where builds allow it and re-enable scripts per package only after review.
4. Monitor egress from developer workstations and build agents for connections to pastebin.com and *.vercel.app, particularly from node processes and particularly where the response body carries encoded or non-printing data; baseline which teams use these services legitimately and alert on first-seen use.
5. Deploy endpoint detection and response (EDR) on developer and CI hosts, tuned for suspicious JavaScript execution (node spawning shells, curl, or PowerShell) and for platform-specific second-stage payloads.
6. Enforce least privilege and application allow-listing; run installs and builds in ephemeral containers or VMs that hold no production credentials.
7. Block the specific fallback hostnames published in IOC feeds rather than the whole vercel.app zone, which carries legitimate traffic, and review the blocklist as the campaign's infrastructure changes.
8. Educate development teams about supply-chain attacks and require trusted registries and audited package sources.
9. Feed the hashes below, and any later IOCs for this campaign, into EDR and network detection rules.
10. Enforce multi-factor authentication and credential hygiene; on any host suspected of infection, rotate secrets stored in files (npm tokens, cloud keys, SSH keys), since credential access from files (T1552.001) is among the mapped TTPs.
11. Hunt proactively for dead-drop resolver behaviour and text steganography: fetched text containing zero-width or other non-printing Unicode characters, and scripts that parse paste-site responses before reaching out to a second host.
Affected Countries
United States, South Korea, Japan, United Kingdom, Germany, Canada, Australia, France, Netherlands, Singapore
Indicators of Compromise
- hash: 869c327b8dc757fa126cd281bc4a14d809c50e9a792954442c55cea5b46912ec
- hash: accf04ad3228a22532d2f5802a5b0c379c3616564c4766fc1f1ca20dac8dba07
- hash: bce0da6547ae74f97e2bb61672a3e159b837acf01f7c68a813ea75c3835ff303
- hash: da1775d0fbe99fbc35b6f0b4a3a3cb84da3ca1b2c1bbac0842317f6f804e30a4
- hash: e361d2859ba2eb2540bf6fb12db0b9857ef610bb9920830921e986d4b9109e89
Technical Details
- Author: AlienVault
- TLP: white
- References: https://kmsec.uk/blog/dprk-text-steganography/
- Adversary: FAMOUS CHOLLIMA
- Pulse Id: 69a5c3fba23226d70fc59eb2
- Threat Score: null
Threat ID: 69a6056dd1a09e29cb500441
Added to database: 3/2/2026, 9:47:25 PM
Last enriched: 3/2/2026, 10:03:20 PM
Last updated: 3/2/2026, 11:56:40 PM