A few npm packages seem to be loaders: they npm install socket io as a RAT, fetch a second stage (0001.dat) from the same C2, and run it.
The C2 is associated with FAMOUS CHOLLIMA, the DPRK crew behind Contagious Interview.
Expecting more. Packages below.
Haha first time I've come across a Clickfix npm package!
The china_airlines package is just a fake Cloudflare HTML page with a script tag at the bottom. Heavily obfuscated code that deobfuscates to only 7 lines, pointing to login.microcloud[.]homes
Three more Vite themed packages.
From what I can see, they reach for a payload that looks like a backdoor/RAT: socket C2, operator commands, clipboard collection, file/dir upload, remote eval, and attempts to inject into VS Code, Cursor, Discord, GitHub Desktop, and npm paths.
osj
@inf0stache
Three npm packages posing as Vite tooling. A Vite MCP server and two vite ui packages. All three are just loaders.
The staging IP is flagged in VT as BeaverTail, a JS malware family associated with DPRK Contagious Interview activity.
IOCs in replies.
Three npm packages posing as Vite tooling. A Vite MCP server and two vite ui packages. All three are just loaders.
The staging IP is flagged in VT as BeaverTail, a JS malware family associated with DPRK Contagious Interview activity.
IOCs in replies.
4 npm packages, roughly 8k downloads combined, added a postinstall that collects hostname, local username, git/GitHub identity, SSH key comments, repo context, cloud project info, DNS search domain, cwd, and CI provider. Then quietly POSTs it off during install.
Packages below.
This Shai Hulud seems to have a social engineering angle to it that I didn't see with the last one.
Could be wrong but were they looking at CAs, Slack and Twilio before?
Kirk
@KirkDerpca
SUPPLY CHAIN MALWARE! NPM !
npmjs.com/package/leo-lo…npmjs.com/package/server…npmjs.com/package/leo-ca…npmjs.com/package/rstrea…
+ More
JS devs looking for work, be careful. Contagious Interview still seems to be hunting.
Package hop:
- node-cloud/create
- sql-trigger/nodesql
- Gist API > files.nodescript.js.content > eval(scriptText)
Same socket io loader/RAT, different IP/staging path.
osj
@inf0stache
Another hardcoded IP from the third payload came back clean on VT, but the community comments tied it to Famous Chollima.
This one was more layered than the earlier packages.
It starts as an obfuscated hex byte array, which decodes into another encoded blob that points to a
Another hardcoded IP from the third payload came back clean on VT, but the community comments tied it to Famous Chollima.
This one was more layered than the earlier packages.
It starts as an obfuscated hex byte array, which decodes into another encoded blob that points to aShow more
osj
@inf0stache
Got to admit, I think this is pretty clever.
The payload data is base64 encoded, but it’s stored in hardcoded values that present as normal looking things. This time it's a hash, last time it was a API key.
Simple, but easy to miss at first glance.
- mongoose-json-format
Delivery method #4.
The hardcoded DEV_API_KEY isn't a key, it's a base64 URL. Decoded, it points to a jsonkeeper[.]com paste.
The package fetches it, pulls the payload out of the JSON cookie field, and pipes it straight into a detached node process via stdin.
How sneaky.
osj
@inf0stache
More DPRK packages, clearly targeting developers by package name.
What's interesting here is the dropper isn't in index.js like the others. This one pulls from a gist, and inside that gist is the same dropper I've mentioned in other posts.
They then pull in the malicious
More DPRK packages, clearly targeting developers by package name.
What's interesting here is the dropper isn't in index.js like the others. This one pulls from a gist, and inside that gist is the same dropper I've mentioned in other posts.
They then pull in the maliciousShow more
osj
@inf0stache
Five more packages appear tied to the same DPRK loader/RAT cluster, with possible Famous Chollima overlap based on VT community reporting for the shared C2 IP.
Same obfuscated JS, C2 IP, /api/service/ fetch, 0001.dat drop, and Node execution path.
Packages below.
Five more packages appear tied to the same DPRK loader/RAT cluster, with possible Famous Chollima overlap based on VT community reporting for the shared C2 IP.
Same obfuscated JS, C2 IP, /api/service/ fetch, 0001.dat drop, and Node execution path.
Packages below.
osj
@inf0stache
A few npm packages seem to be loaders: they npm install socket io as a RAT, fetch a second stage (0001.dat) from the same C2, and run it.
The C2 is associated with FAMOUS CHOLLIMA, the DPRK crew behind Contagious Interview.
Expecting more. Packages below.
Can’t tell if people are testing detections or just being careless.
This silly little package runs a base64 stager. Pulls a real EXE from their GitHub, XOR decodes it, runs it silently, then wipes the dropper.
A thin recon tool shipping your IP off to a Discord server.
Something interesting. This Shai Hulud variant seems to be doing some AI jailbreaking.
The same worm, reconstructed and run inline. Sitting next to it is a jailbreak prompt structured to target an AI that reads the code.
The worm hits the host. The prompt is aimed at the AI.
This recent shai hulud seems to propagate over SSH, masking its payload as AI related files (ai_setup.sh, ai_init.js) dropped in a hidden randomized dir (/tmp/.sshu-<random>).
I don't see it removing those files after infection either.
A few npm packages seem to be loaders: they npm install socket io as a RAT, fetch a second stage (0001.dat) from the same C2, and run it.
The C2 is associated with FAMOUS CHOLLIMA, the DPRK crew behind Contagious Interview.
Expecting more. Packages below.
Haha first time I've come across a Clickfix npm package!
The china_airlines package is just a fake Cloudflare HTML page with a script tag at the bottom. Heavily obfuscated code that deobfuscates to only 7 lines, pointing to login.microcloud[.]homes
Three more Vite themed packages.
From what I can see, they reach for a payload that looks like a backdoor/RAT: socket C2, operator commands, clipboard collection, file/dir upload, remote eval, and attempts to inject into VS Code, Cursor, Discord, GitHub Desktop, and npm paths.
osj
@inf0stache
Three npm packages posing as Vite tooling. A Vite MCP server and two vite ui packages. All three are just loaders.
The staging IP is flagged in VT as BeaverTail, a JS malware family associated with DPRK Contagious Interview activity.
IOCs in replies.
Three npm packages posing as Vite tooling. A Vite MCP server and two vite ui packages. All three are just loaders.
The staging IP is flagged in VT as BeaverTail, a JS malware family associated with DPRK Contagious Interview activity.
IOCs in replies.
4 npm packages, roughly 8k downloads combined, added a postinstall that collects hostname, local username, git/GitHub identity, SSH key comments, repo context, cloud project info, DNS search domain, cwd, and CI provider. Then quietly POSTs it off during install.
Packages below.
This Shai Hulud seems to have a social engineering angle to it that I didn't see with the last one.
Could be wrong but were they looking at CAs, Slack and Twilio before?
Kirk
@KirkDerpca
SUPPLY CHAIN MALWARE! NPM !
npmjs.com/package/leo-lo…npmjs.com/package/server…npmjs.com/package/leo-ca…npmjs.com/package/rstrea…
+ More
JS devs looking for work, be careful. Contagious Interview still seems to be hunting.
Package hop:
- node-cloud/create
- sql-trigger/nodesql
- Gist API > files.nodescript.js.content > eval(scriptText)
Same socket io loader/RAT, different IP/staging path.
osj
@inf0stache
Another hardcoded IP from the third payload came back clean on VT, but the community comments tied it to Famous Chollima.
This one was more layered than the earlier packages.
It starts as an obfuscated hex byte array, which decodes into another encoded blob that points to a
Another hardcoded IP from the third payload came back clean on VT, but the community comments tied it to Famous Chollima.
This one was more layered than the earlier packages.
It starts as an obfuscated hex byte array, which decodes into another encoded blob that points to aShow more
osj
@inf0stache
Got to admit, I think this is pretty clever.
The payload data is base64 encoded, but it’s stored in hardcoded values that present as normal looking things. This time it's a hash, last time it was a API key.
Simple, but easy to miss at first glance.
- mongoose-json-format
Delivery method #4.
The hardcoded DEV_API_KEY isn't a key, it's a base64 URL. Decoded, it points to a jsonkeeper[.]com paste.
The package fetches it, pulls the payload out of the JSON cookie field, and pipes it straight into a detached node process via stdin.
How sneaky.
osj
@inf0stache
More DPRK packages, clearly targeting developers by package name.
What's interesting here is the dropper isn't in index.js like the others. This one pulls from a gist, and inside that gist is the same dropper I've mentioned in other posts.
They then pull in the malicious
More DPRK packages, clearly targeting developers by package name.
What's interesting here is the dropper isn't in index.js like the others. This one pulls from a gist, and inside that gist is the same dropper I've mentioned in other posts.
They then pull in the maliciousShow more
osj
@inf0stache
Five more packages appear tied to the same DPRK loader/RAT cluster, with possible Famous Chollima overlap based on VT community reporting for the shared C2 IP.
Same obfuscated JS, C2 IP, /api/service/ fetch, 0001.dat drop, and Node execution path.
Packages below.
Five more packages appear tied to the same DPRK loader/RAT cluster, with possible Famous Chollima overlap based on VT community reporting for the shared C2 IP.
Same obfuscated JS, C2 IP, /api/service/ fetch, 0001.dat drop, and Node execution path.
Packages below.
osj
@inf0stache
A few npm packages seem to be loaders: they npm install socket io as a RAT, fetch a second stage (0001.dat) from the same C2, and run it.
The C2 is associated with FAMOUS CHOLLIMA, the DPRK crew behind Contagious Interview.
Expecting more. Packages below.
Can’t tell if people are testing detections or just being careless.
This silly little package runs a base64 stager. Pulls a real EXE from their GitHub, XOR decodes it, runs it silently, then wipes the dropper.
A thin recon tool shipping your IP off to a Discord server.
Something interesting. This Shai Hulud variant seems to be doing some AI jailbreaking.
The same worm, reconstructed and run inline. Sitting next to it is a jailbreak prompt structured to target an AI that reads the code.
The worm hits the host. The prompt is aimed at the AI.
This recent shai hulud seems to propagate over SSH, masking its payload as AI related files (ai_setup.sh, ai_init.js) dropped in a hidden randomized dir (/tmp/.sshu-<random>).
I don't see it removing those files after infection either.