PROBABLYPWNED
Malware | March 3, 2026 | 5 min read

North Korean StegaBin Campaign Hides C2 in Pastebin Essays

Security researchers uncover 26 malicious npm packages using steganography to hide command infrastructure in computer science essays. Famous Chollima cluster targets developers with RAT.

James Rivera

North Korean threat actors published 26 malicious npm packages that use an unusual technique to hide their command-and-control infrastructure: steganographically encoded URLs hidden within seemingly innocent computer science essays posted to Pastebin. Socket researchers dubbed the campaign "StegaBin" and attributed it to Famous Chollima, a cluster associated with the ongoing Contagious Interview operations.

The packages masquerade as developer tools—linters, utilities, and helper libraries—but contain functionality to extract hidden C2 addresses and deploy a modular credential stealer and RAT. All 26 packages were published across February 25-26, 2026, using individual throwaway npm accounts.

The Steganography Technique

StegaBin's hallmark is creative abuse of text steganography. When the malicious install.js script executes during package installation, it contacts Pastebin URLs containing what appear to be computer science essays—discussions of algorithms, data structures, and programming concepts.

Hidden within those essays are C2 addresses encoded through character substitution at evenly-spaced positions throughout the text. The decoder strips zero-width Unicode characters, reads a 5-digit length marker, and extracts the embedded domain names character by character.

This differs from the more common approaches of image steganography or obviously encoded blobs. An analyst reading the Pastebin paste by hand sees a normal academic essay; only running the extraction routine reveals the hidden infrastructure. The zero-width characters are a tell, though: a genuine essay has no reason to contain U+200B or U+200C, so a scan for them flags the carrier without knowing the decoder.

The technique also provides operational flexibility. If a C2 domain gets burned, operators can update the Pastebin paste without publishing new packages. The malware retrieves fresh infrastructure addresses on each infection.
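The encoder and decoder below are an added example, written for this article as a reconstruction of the scheme described above; they are not code from the Socket report or from the StegaBin packages. Payload characters overwrite the carrier at evenly spaced positions, the first five of them carry a zero-padded decimal length, and zero-width characters are sprinkled in as noise that the decoder strips first. The stride, the noise pattern, the marker position, the sample essay and the domain are all assumptions, since the article does not give the real constants.

```javascript
// Added example (not code from the Socket report or the StegaBin packages):
// a reconstruction of the text-steganography scheme described above.
// STRIDE, the noise pattern and the marker position are assumptions.

const ZERO_WIDTH = /[\u200B\u200C\u200D\u2060\uFEFF]/g;
const STRIDE = 7;      // assumed distance between substituted positions
const LEN_DIGITS = 5;  // the 5-digit length marker the decoder reads first

// Constructed carrier: a short "computer science essay" with no digits in it.
const CARRIER =
  "A binary search tree keeps its keys in sorted order so that lookup, " +
  "insertion and deletion each walk a single root-to-leaf path. When the " +
  "tree stays balanced those walks take logarithmic time, but a sequence of " +
  "sorted insertions degrades the structure into a linked list, which is why " +
  "self-balancing variants such as red-black trees rotate nodes on insert.";

function stripZeroWidth(text) {
  return text.replace(ZERO_WIDTH, "");
}

// Index of the i-th payload slot in the zero-width-free carrier.
function slot(i) {
  return (i + 1) * STRIDE - 1;
}

// Encoder: overwrite carrier characters at the payload slots, then add noise.
function embed(carrier, secret) {
  const chars = stripZeroWidth(carrier).split("");
  const payload = String(secret.length).padStart(LEN_DIGITS, "0") + secret;
  if (slot(payload.length - 1) >= chars.length) {
    throw new Error("carrier too short for payload");
  }
  for (let i = 0; i < payload.length; i++) chars[slot(i)] = payload[i];
  // Noise: a zero-width space before every 11th character. Invisible when
  // rendered, but it shifts byte offsets so naive diffing against the clean
  // essay fails; the decoder removes it before reading the slots.
  return chars.map((c, i) => (i % 11 === 0 ? "\u200B" + c : c)).join("");
}

// Decoder, mirroring the steps the article attributes to install.js: strip
// zero-width characters, read the 5-digit length, then collect the domain
// character by character. Returns null when no valid marker is present.
function extract(text) {
  const clean = stripZeroWidth(text);
  let marker = "";
  for (let i = 0; i < LEN_DIGITS; i++) marker += clean[slot(i)] ?? "";
  if (!/^\d{5}$/.test(marker)) return null;
  const len = Number(marker);
  let out = "";
  for (let i = LEN_DIGITS; i < LEN_DIGITS + len; i++) {
    const c = clean[slot(i)];
    if (c === undefined) return null; // truncated carrier
    out += c;
  }
  return out;
}

// Defender-side check: a real essay has no reason to contain zero-width
// characters, so their mere presence is a cheap signal worth alerting on.
function countZeroWidth(text) {
  return (text.match(ZERO_WIDTH) ?? []).length;
}

// Usage with a hypothetical C2 host (constructed for the example):
const stego = embed(CARRIER, "c2-update.example.net");
console.log(extract(stego));          // the embedded domain
console.log(countZeroWidth(stego));   // non-zero: noise is present
```

Note that substitution, not insertion, is what keeps the essay readable: the carrier keeps its length and only one character in every STRIDE changes, so a skim reads as a few typos rather than as encoded data.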

The Malicious Packages

The 26 packages target common development patterns:

Typosquats and look-alikes: argonist, bcryptance, corstoken, daytonjs, expressjs-lint, fastify-lint, hapi-lint, jslint-config, kafkajs-lint, loadash-lint, prism-lint, sequelization, typoriem, undicy-lint, vitetest-lint, windowston, zoddle

Plausible tool names: bee-quarl, bubble-core, ether-lint, formmiderable, iosysredis, jsnwebapptoken, mqttoken, promanage, uuindex

Naming patterns suggest targeting JavaScript developers working with popular frameworks. The "lint" suffix appears frequently: linters are installed casually and in nearly every project, and any package's install script runs with the full privileges of the developer's account, which makes them convenient infection vectors.

This represents a distinct campaign from the Lazarus graphalgo operation we covered in February. That campaign focused on blockchain developers through fake recruitment lures. StegaBin uses a pure supply chain approach without the social engineering layer.

Payload Capabilities

The delivered malware is a modular toolkit with nine components:

Module   Function
vs       VS Code persistence via tasks.json manipulation
clip     Keylogging, clipboard monitoring, mouse tracking
bro      Browser credential harvesting
j        Cryptocurrency wallet and browser extension theft
z        Filesystem enumeration and file exfiltration
n        Interactive RAT with real-time operator control
truffle  Weaponized TruffleHog deployment for secrets scanning
git      SSH key and Git credential extraction
sched    Persistence mechanism redeployment

The VS Code persistence module is particularly insidious. It modifies tasks.json so that code runs whenever the developer opens the project. Workspace Trust is no obstacle: the hook lives in the developer's own project, which is already trusted, and endpoint tooling rarely inspects workspace configuration files, so this is a blind spot in many environments.
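The audit below is an added example, not code from the Socket report: it reads a VS Code tasks.json, finds tasks configured to run automatically on folder open (the runOptions.runOn = "folderOpen" hook), and rates them by the shape of their command. tasks.json is JSONC, so comments and trailing commas are removed before parsing. The sample file, the invented path it requires and the command patterns are constructed assumptions, not the campaign's real task.

```javascript
// Added example, not part of the Socket report: audit a VS Code tasks.json
// for tasks that auto-run on folder open, the hook the "vs" persistence
// module is described as abusing. Patterns and sample file are constructed.

const SUSPICIOUS_COMMAND = [
  /\bnode\s+(-e|--eval)\b/i,                    // inline JavaScript
  /\b(curl|wget)\b[^|]*\|\s*(sh|bash|node)\b/i, // download-and-execute
  /\bbase64\b/i,                                // encoded stage
  /powershell.*\s-(e|enc|encodedcommand)\b/i,   // encoded PowerShell
  /node_modules\/\.|\.cache\//i,                // hidden paths under node_modules
];

// tasks.json allows // and /* */ comments and trailing commas; strip them
// (string-aware) so JSON.parse accepts the file.
function stripJsonc(text) {
  let out = "";
  let inString = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i], next = text[i + 1];
    if (inString) {
      out += c;
      if (c === "\\") { out += next ?? ""; i++; }
      else if (c === '"') inString = false;
    } else if (c === '"') { inString = true; out += c; }
    else if (c === "/" && next === "/") {
      while (i < text.length && text[i] !== "\n") i++;
      out += "\n";
    } else if (c === "/" && next === "*") {
      const end = text.indexOf("*/", i + 2);
      i = end < 0 ? text.length : end + 1;
    } else out += c;
  }
  return out.replace(/,(\s*[}\]])/g, "$1"); // trailing commas
}

// Flatten command, npm script name and args (args may be {value, quoting}).
function commandOf(task) {
  const args = (task.args ?? []).map((a) => (typeof a === "string" ? a : a.value ?? ""));
  return [task.command, task.script, ...args].filter(Boolean).join(" ");
}

// Return one finding per auto-run task. "high" when the command looks like a
// loader or the task hides its output; "review" for any other folderOpen task.
function auditTasks(tasksJsonText) {
  const doc = JSON.parse(stripJsonc(tasksJsonText));
  const findings = [];
  for (const task of doc.tasks ?? []) {
    if (task.runOptions?.runOn !== "folderOpen") continue;
    const command = commandOf(task);
    const hidden = ["never", "silent"].includes(task.presentation?.reveal);
    const matched = SUSPICIOUS_COMMAND.filter((re) => re.test(command));
    findings.push({
      label: task.label ?? "(unlabelled)",
      command,
      hidden,
      severity: matched.length > 0 || hidden ? "high" : "review",
    });
  }
  return findings;
}

// Constructed sample: a benign lint task plus one modelled on the persistence
// the article describes. The required path is invented for the example.
const SAMPLE_TASKS_JSON = `{
  "version": "2.0.0",
  // ordinary project tasks live alongside the injected one
  "tasks": [
    { "label": "lint", "type": "shell", "command": "npx eslint .", "problemMatcher": [] },
    {
      "label": "npm: prepare",
      "type": "shell",
      "command": "node",
      "args": ["-e", "require('./node_modules/.cache/u.js')"],
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" },
    }
  ]
}`;

console.log(auditTasks(SAMPLE_TASKS_JSON));
```

Run it over every .vscode/tasks.json under the developer's home directory, plus the user-level tasks file, and treat any "high" finding as an incident rather than a misconfiguration: a task that runs on open, hides its output and evaluates code from a dotfile under node_modules has no legitimate reason to exist.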

The TruffleHog module shows attackers adapting defensive security tools for offense. TruffleHog is designed to scan repositories for accidentally committed secrets. Famous Chollima weaponized it to automatically harvest API keys, tokens, and credentials from the victim's local repositories.

Infrastructure

Researchers identified the following indicators:

  • C2 hosting: 31 Vercel deployments including ext-checkdin.vercel[.]app
  • Command server: 103.106.67[.]63:1244
  • RAT control: 103.106.67[.]63:1247 (WebSocket for persistent connections)
  • Dead drop: Multiple Pastebin URLs containing encoded essays

The use of Vercel for C2 hosting is noteworthy. Legitimate developer infrastructure blends with attacker infrastructure, making network-based detection harder. Many organizations whitelist Vercel traffic for their own deployments. The technique echoes the SANS ISC research on reused payload infrastructure, where tracking delivery mechanisms proved more reliable than tracking domains.

Developer Targeting Continues

References to Hardhat in the infection chain indicate that cryptocurrency and Web3 developers remain primary targets for this North Korean cluster. Hardhat is an Ethereum development environment, so the malware looking for it suggests it specifically seeks blockchain development artifacts.

This aligns with North Korea's broader strategy of targeting cryptocurrency organizations for revenue generation. The Lazarus Group's $2 billion in cryptocurrency theft during 2025 came partly from supply chain compromises exactly like this one.

Detection and Mitigation

Organizations should:

  1. Audit installed npm packages against the list of 26 malicious names
  2. Check for the IOC domains and IPs in network logs
  3. Review VS Code tasks.json files for unexpected entries
  4. Scan for TruffleHog processes running outside normal security tooling
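Steps 1 and 2 of that list as code, added here as an example and not taken from the article: the script reads an npm package-lock.json (both the lockfileVersion 1 "dependencies" tree and the v2/v3 "packages" map) for the 26 StegaBin names, and filters proxy log lines for the published host and IP. The sample lockfile and log lines are constructed; the package names and IOC values come from the report, with the defanged domain restored.

```javascript
// Added example, not part of the article: lockfile audit against the 26
// StegaBin names and IOC matching over log lines. Samples are constructed.

const STEGABIN_PACKAGES = new Set([
  "argonist", "bcryptance", "corstoken", "daytonjs", "expressjs-lint",
  "fastify-lint", "hapi-lint", "jslint-config", "kafkajs-lint", "loadash-lint",
  "prism-lint", "sequelization", "typoriem", "undicy-lint", "vitetest-lint",
  "windowston", "zoddle", "bee-quarl", "bubble-core", "ether-lint",
  "formmiderable", "iosysredis", "jsnwebapptoken", "mqttoken", "promanage",
  "uuindex",
]);
const IOC_HOSTS = new Set(["ext-checkdin.vercel.app"]); // report's ext-checkdin.vercel[.]app
const IOC_IPS = new Set(["103.106.67.63"]);

// Return the sorted list of malicious package names present in a lockfile.
function findMaliciousPackages(lockJsonText) {
  const lock = JSON.parse(lockJsonText);
  const hits = new Set();
  // lockfileVersion 2/3: keys like "node_modules/a/node_modules/b"
  for (const key of Object.keys(lock.packages ?? {})) {
    const name = key.split("node_modules/").pop();
    if (STEGABIN_PACKAGES.has(name)) hits.add(name);
  }
  // lockfileVersion 1: nested "dependencies" objects keyed by name
  const walk = (deps) => {
    for (const [name, dep] of Object.entries(deps ?? {})) {
      if (STEGABIN_PACKAGES.has(name)) hits.add(name);
      walk(dep.dependencies);
    }
  };
  walk(lock.dependencies);
  return [...hits].sort();
}

// Pull every IPv4 address or hostname-looking token out of a line and keep
// the line if any of them is a known indicator.
const HOST_OR_IP = /\b(?:\d{1,3}\.){3}\d{1,3}\b|\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b/gi;

function scanLogLines(lines) {
  return lines.filter((line) =>
    (line.match(HOST_OR_IP) ?? []).some(
      (m) => IOC_IPS.has(m) || IOC_HOSTS.has(m.toLowerCase())
    )
  );
}

// Constructed lockfile: one typosquat installed directly, one hidden as a
// transitive dependency of an unrelated package.
const SAMPLE_LOCK = JSON.stringify({
  name: "app",
  lockfileVersion: 3,
  packages: {
    "": { name: "app", dependencies: { express: "^4.19.0", "expressjs-lint": "1.0.0" } },
    "node_modules/express": { version: "4.19.2" },
    "node_modules/expressjs-lint": { version: "1.0.0" },
    "node_modules/some-tool": { version: "2.3.1" },
    "node_modules/some-tool/node_modules/zoddle": { version: "0.1.0" },
  },
});

// Constructed proxy log lines in a simple "timestamp verb target status" form.
const SAMPLE_LOG_LINES = [
  "2026-02-26T09:14:02Z CONNECT registry.npmjs.org:443 200",
  "2026-02-26T09:14:05Z GET https://ext-checkdin.vercel.app/ 200",
  "2026-02-26T09:14:06Z CONNECT 103.106.67.63:1244 200",
  "2026-02-26T09:15:00Z CONNECT github.com:443 200",
];

console.log(findMaliciousPackages(SAMPLE_LOCK));
console.log(scanLogLines(SAMPLE_LOG_LINES));
```

Feed it real files with fs.readFileSync on each package-lock.json in your repositories and on exported proxy or DNS logs. The name match is deliberately exact: the lookalike packages differ from the real ones by a character or a suffix, so a fuzzy match would drown the result in the legitimate packages they imitate.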

Package management hygiene remains the best defense. Pin dependencies to specific versions, review package contents before installation, and use lockfiles to prevent silent updates. Note that pinning and lockfiles do nothing about the first install of a new package: its install script still runs. Set ignore-scripts=true in .npmrc (or run npm install --ignore-scripts) and enable scripts deliberately for the few packages that need them. Tools like Socket's own scanner can flag suspicious install scripts before they execute.

The npm registry removed the packages after Socket's report, but copies may persist in private registries or cached installations. If any of these packages touched your development environment, assume compromise and investigate accordingly.
