jsonspack: Multi-Tenant Node.js RAT — DPRK Supply Chain Campaign

2026-04-03, Panther
https://panther.com/blog/jsonspack-multi-tenant-node.js-rat-%E2%80%94-dprk-supply-chain-campaign
#FamousChollima #NPM

Contents

Note — jsonspack vs legitimate jsonpack: jsonpack is a legitimate npm JSON compression library published by sapienlab in 2013, maintained through 2022, with 1.1.5 as the final version. [P2] (Footnote prefixes: E = evidence, P = prior art, R = references, A = appendix.) It is unrelated to this campaign. The operator chose jsonspack[.]com as a plausible-sounding developer tooling brand — not a deliberate typosquat (npm package names must be unique), but capitalising on the superficial similarity to a real package name for credibility.

Campaign Overview

The jsonspack campaign is a supply chain attack comprising 27 confirmed malicious npm (Node Package Manager) packages published by eight distinct email accounts between 2026-03-18 and 2026-03-31. All 27 share hello@jsonspack[.]com as the author contact email in their package.json metadata — the basis on which they are grouped as a single campaign, though this alone does not confirm a single operator (see Attribution section).
The Panther NPM.Malicious.Verdict.LLM detection pipeline flagged 2 packages (chai-as-hooked, chai-as-redeployed). Both used hello@jsonspack[.]com as their author …

IoC
