lazarusholic

Everyday is lazarus.dayβ

Tracking DPRK operator IPs over time

2026-02-22, Kmsec
https://kmsec.uk/blog/dprk-opsec-3/
#FamousChollima #NPM

Contents

This post highlights one of my neatest discoveries from tracking FAMOUS CHOLLIMA malware on npm. It is a pretty substantial oversight on their part, or perhaps they just don't care!
If you're interested in other minor opsec failures, check out part 1 and part 2.
Summary
- When you publish an npm package, npm sends an email detailing the IP address used to publish the package
- FAMOUS CHOLLIMA used temporary email services to publish npm packages
- Some temp mail providers are insecure and allow anyone to view the mailbox of any valid address
- Successive publishes over a sustained period reveal consistent exit IPs
- This post contains IOCs and hunting notes for subscription vendors
FAMOUS CHOLLIMA typically uses Gmail or Outlook to register npm accounts, so imagine my excitement when, in mid 2025, I started seeing unique domains being used to publish malicious packages.
Between July 2025 and February 2026, aside from Proton, Gmail, and Outlook, …

IoC

https://emailfake.com/nastiagoman[@]dsantoro.es
http://37.115.26.54
http://88.216.2.162
http://mx.add5000.com
http://67.43.59.10
http://70.39.70.194
http://193.118.55.19
http://103.125.234.210
http://37.115.109.158
http://91.196.52.205
http://jsonkeeper.com
http://62.33.223.164
http://77.247.126.189
http://193.118.55.17
http://203.160.80.72
http://216.227.145.218
http://193.118.55.77
http://64.32.17.130
http://23.160.56.155
203.160.80.72
88.216.2.162
62.33.223.164
70.39.70.194
216.227.145.218
103.125.234.210
23.160.56.155
67.43.59.10
64.32.17.130
77.247.126.189
193.118.55.19
37.115.109.158
91.196.52.205
193.118.55.17
193.118.55.77
37.115.26.54
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
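The list above carries the same network indicators twice, once as `http://` URLs and once as bare IPs, plus defanged entries. The following is an added example (not code from the blog post or from lazarusholic) showing how a defender would normalise such a list into one deduplicated set and sweep it across log lines. The log lines and the `RAW_IOCS` subset are constructed for the example; the indicator values are taken from the list above.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed subset of the IoCs listed above, in both the URL and the bare form
# exactly as they appear on the page (including the defanged temp-mail URL).
RAW_IOCS = [
    "http://37.115.26.54",
    "http://88.216.2.162",
    "http://mx.add5000.com",
    "http://jsonkeeper.com",
    "https://emailfake.com/nastiagoman[@]dsantoro.es",
    "88.216.2.162",
    "203.160.80.72",
    "37.115.26.54",
]

# Constructed sample log lines: an npm-registry-style access log, a proxy line with
# a destination host, a near-miss IP (extra trailing digit) and a postfix relay line.
SAMPLE_LOG = """\
203.160.80.72 - - [10/Feb/2026:12:00:01 +0000] "POST /-/v1/publish HTTP/1.1" 200 512
10.0.0.5 - - [10/Feb/2026:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024
192.0.2.14 - - [10/Feb/2026:12:00:03 +0000] "GET /build.js HTTP/1.1" 200 88 dst=jsonkeeper.com
88.216.2.1620 - - [10/Feb/2026:12:00:04 +0000] "GET / HTTP/1.1" 200 10
Feb 10 12:00:05 relay postfix/smtp[123]: to=<x@y>, relay=mx.add5000.com[198.51.100.9]:25, status=sent
"""


def refang(value):
    """Undo common defanging so an indicator can be matched against real logs."""
    return value.strip().replace("[@]", "@").replace("[.]", ".").replace("hxxp", "http")


def classify(raw):
    """Map one raw indicator to (kind, value); kind is 'ip', 'domain' or 'email'.

    A URL is reduced to its host, so the temp-mail inbox URL becomes the
    provider's domain; the mailbox itself is still visible in the raw entry.
    """
    value = refang(raw)
    if "://" in value:
        value = urlparse(value).hostname or ""
    try:
        return ("ip", str(ipaddress.ip_address(value)))
    except ValueError:
        pass
    if "@" in value:
        return ("email", value.lower())
    return ("domain", value.lower())


def build_ioc_set(raws):
    """Deduplicate indicators across their URL and bare forms."""
    result = {"ip": set(), "domain": set(), "email": set()}
    for raw in raws:
        kind, value = classify(raw)
        if value:
            result[kind].add(value)
    return result


def match_log_lines(lines, iocs):
    """Return (line_number, kind, indicator) for every line containing an IoC.

    IPs are bounded so 88.216.2.162 does not match 88.216.2.1620; domains match
    as a whole label sequence (subdomains of the indicator are allowed).
    """
    hits = []
    for lineno, line in enumerate(lines, start=1):
        lowered = line.lower()
        for ip in iocs["ip"]:
            if re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", line):
                hits.append((lineno, "ip", ip))
        for domain in iocs["domain"]:
            pattern = r"(?<![\w-])" + re.escape(domain) + r"(?![\w-]|\.[\w-])"
            if re.search(pattern, lowered):
                hits.append((lineno, "domain", domain))
    return hits


if __name__ == "__main__":
    iocs = build_ioc_set(RAW_IOCS)
    for hit in match_log_lines(SAMPLE_LOG.splitlines(), iocs):
        print(hit)
```

Run it as a script to see the three hits; the near-miss IP on the fourth constructed line is deliberately not reported, which is the boundary check worth keeping when feeding indicators like these into a SIEM search.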