StegaBin: 26 Malicious npm Packages Use Pastebin Steganography to Deploy Multi-Stage Credential Stealer
Socket uncovered 26 malicious npm packages tied to North Korea's Contagious Interview campaign, retrieving a live 9-module infostealer and RAT from the adversary's C2.
Philipp Burckhardt
Peter van der Zee
February 27, 2026
Socket’s AI-powered threat detection systems identified 26 malicious npm packages published over a two-day period that deploy a multi-stage credential and secret harvesting operation targeting developers. The packages use a Pastebin-based dead-drop resolver that hides C2 infrastructure inside seemingly benign text using character-level steganography. We are referring to this campaign as “StegaBin” due to its use of steganographic Pastebin dead-drop resolvers.
After resolving infrastructure hosted across 31 Vercel deployments, the infection chain retrieves platform-specific shell payloads that ultimately install a Remote Access Trojan (RAT) and automatically deploys a nine-module infostealer toolkit. The modules target developer environments directly, including VSCode configuration, SSH keys, git repositories, browser credential stores, clipboard data, and …
IoC