lazarusholic

Everyday is lazarus.dayβ

Inside DPRK's npm malware factory: 108 packages, 261 versions, and a 31-day campaign wave

2026-04-24, Panther
https://panther.com/blog/inside-dprk%E2%80%99s-npm-malware-factory-108-packages-261-versions-and-a-31-day-campaign-wave
#BeaverTail #NPM

Contents

Michael Baker
TL;DR: Over approximately 30 days, Panther Threat Research monitored, clustered, and tracked a DPRK-linked npm malware campaign spanning 108 malicious packages and a total of 261 package versions. The broader campaign graph below contains 261 observed package-version nodes across multiple operational clusters. The common thread was simple: lure developers into running malicious packages, execute code on trusted developer or CI systems, then steal credentials, wallet private keys, and sessions, and establish persistent access. If your teams leverage the npm ecosystem, include packages in CI/CD tooling, or have crypto-adjacent developer workflows, treat this as active exploitation of developer environments leading to credential theft, footholds, and follow-on access.
Cluster graph for the campaign
This graph shows the campaign as connected operational clusters rather than isolated packages. The structure is the key to understanding both potential exposure and adversary targeting strategy.
Interactive view: …

IoC
