DPRK tests Google Drive as a malware stager
I've been tracking FAMOUS CHOLLIMA's npm malware for some time, and any change in TTPs is rare and notable.
Summary
- The majority of malicious packages by FAMOUS CHOLLIMA pull and execute further payloads from the internet
- FAMOUS CHOLLIMA typically stage their malware on JSON paste sites (npoint.io, jsonkeeper.com, etc.) and other developer platforms (Vercel, Netlify)
- express-core-validator v1.0.1 instead uses a document uploaded to Google Drive as the next stage
- This post contains technical details and brief hunting guidelines
On 20 February 2026, I detected a new version publish of express-core-validator by npm user crisdev09 (cristianabreu694[@]gmail.com). The package is still live as of this post's publish time. This package is attributed to FAMOUS CHOLLIMA's Contagious Interview campaign and has a novel loader utilising Google Drive. Below is core.js in its entirety (comments preserved from original, thanks for the summary FC!):
'use strict';
/**
* Fetches JavaScript from Google Drive by file ID and runs it.
* Used by postinstall to load and execute the core script.
* …
IoC