First instance of PylangGhost RAT observed on npm
A quick one as I haven't had the will to do full analysis on this as I've been exploring something more interesting (more to come).
Summary
- PylangGhost is a RAT first publicly disclosed by Cisco Talos in June 2025, attributable to FAMOUS CHOLLIMA
- In late February/early March 2026, two packages published to npm by user jaime9008 (jaimeandujo086[@]gmail.com) distribute PylangGhost RAT
- This marks the first observed instance of the malware strain on npm, and demonstrates further rapid development during this period
- IOCs: malicanbur[.]pro (domain), 173.211.46[.]22:8080
My scanner that supports my DPRK tracking on npm detected two packages with an obfuscated PylangGhost loader:
| Date | Package | Detected | Download tarfile | Infection point |
|---|---|---|---|---|
| 2026-03-01 21:19:13.365Z | react-refresh-update v1.0.4 | true | download | /runtime.js |
| 2026-03-01 21:10:14.297Z | react-refresh-update v1.0.3 | true | download | /runtime.js |
| 2026-03-01 20:58:10.897Z | react-refresh-update v1.0.2 | true | download | /runtime.js, /babel.js |
| 2026-03-01 20:34:34.844Z | react-refresh-update v1.0.1 …
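
To check whether a project pulled in the package named in the table, the following added example (not the author's scanner, and not code from the original post) walks a parsed `package-lock.json` in either the nested v1 layout or the flat v2/v3 layout. It covers only the one package name visible in the table; the function names and the sample lockfile are constructed for illustration, and treating any other version of that name as a `name-match` is an assumption of this example.

```javascript
// Indicators copied from this page; helper names and sample data are constructed.
const FLAGGED_NAME = "react-refresh-update";
const LISTED_VERSIONS = new Set(["1.0.1", "1.0.2", "1.0.3", "1.0.4"]);
const NETWORK_IOCS = ["malicanbur.pro", "173.211.46.22"];

// Package name from a v2/v3 key such as "node_modules/a/node_modules/@s/b".
function nameFromPath(path) {
  const i = path.lastIndexOf("node_modules/");
  return i === -1 ? "" : path.slice(i + "node_modules/".length);
}

// Record a hit when the entry is the flagged package or resolves to an IoC host.
function check(name, entry, where, hits) {
  if (name === FLAGGED_NAME) {
    const reason = LISTED_VERSIONS.has(entry.version) ? "listed-version" : "name-match";
    hits.push({ where, version: entry.version, reason });
  }
  const resolved = String(entry.resolved || "");
  for (const ioc of NETWORK_IOCS) {
    if (resolved.includes(ioc)) hits.push({ where, version: entry.version, reason: "ioc:" + ioc });
  }
}

// Lockfile v1 nests transitive installs under "dependencies".
function walkV1(deps, prefix, hits) {
  for (const [name, entry] of Object.entries(deps || {})) {
    check(name, entry, prefix + name, hits);
    walkV1(entry.dependencies, prefix + name + " > ", hits);
  }
}

function findFlagged(lock) {
  const hits = [];
  if (lock.packages) {
    // v2/v3: flat map keyed by install path; "name" is present for aliased installs.
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path !== "") check(entry.name || nameFromPath(path), entry, path, hits);
    }
  } else {
    walkV1(lock.dependencies, "", hits);
  }
  return hits;
}

// Constructed sample lockfile (v3): one nested install and one aliased install.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "0.0.0" },
  "node_modules/some-tool/node_modules/react-refresh-update": { version: "1.0.3" },
  "node_modules/refresh-alias": { name: "react-refresh-update", version: "9.9.9" },
}};
console.log(findFlagged(sampleLock));
```

On a real project, pass `findFlagged` the result of `JSON.parse` on the contents of `package-lock.json`; an empty array means neither the package name nor the two network indicators appear in the lockfile.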
IoC