
Identified by Socket’s AI-powered threat detection systems, these packages use a novel technique to hide their command-and-control (C2) infrastructure inside seemingly harmless text.
This method, known as character-level steganography, allows adversaries to conceal their malicious payloads, making detection more difficult.
Malicious Packages and Steganography
Published over two days in February 2026, these 26 npm packages were typosquats of popular libraries widely used in the JavaScript ecosystem.
Many of the packages appeared legitimate, mimicking well-known libraries such as express, lodash, and jsonwebtoken. They are designed to be installed without raising suspicion, which makes them an effective vector for targeting developers.
What makes this campaign particularly innovative is the use of Pastebin-based dead-drop resolvers. The malicious npm packages resolve to C2 infrastructure hidden within text files hosted on Pastebin.
By applying character-level substitutions, the attackers encode the C2 URLs so they appear as innocuous computer science essays.
package.json manifest file of the fastify-lint package, which executes node ./scripts/test/install.js automatically on npm install. (Source: Socket)
These URLs are then decoded during installation, directing the infected machine to a set of domains hosted on Vercel, which ultimately deliver shell payloads for macOS, Linux, and Windows.
The core function of the payload is to deploy a Remote Access Trojan (RAT) and an infostealer toolkit.
Once deployed, the infostealer targets a range of sensitive data from the victim’s machine, including SSH keys, Git credentials, browser-stored secrets, and clipboard contents.
This is a multi-pronged attack aimed directly at developers, with the payload stealing critical credentials for the development environment.
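The two manifest-level traits described above (an install-time lifecycle hook that runs a script shipped in the package, and a name that imitates a popular library) can be checked before a package is ever installed. The following is an added defensive example, not Socket's tooling or code from the campaign; the popular-library list and the sample manifests are constructed for the demonstration.

```javascript
// Added defensive example: audit a package.json for an install-time lifecycle
// hook (fastify-lint ran "node ./scripts/test/install.js") and for a name that
// is a near-miss of a popular library (typosquat). Not the campaign's code.
// npm runs these hooks automatically during "npm install".
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
// Constructed reference list; a real audit would use a registry-derived one.
const POPULAR = ["express", "lodash", "jsonwebtoken"];
// Edit distance, used to spot one- or two-character typosquats.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, i) => i);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Returns findings; an empty array means neither trait was seen.
function auditManifest(jsonText) {
  const pkg = JSON.parse(jsonText);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] !== "string") continue;
    // If the hook runs "node <file>", report the file so a reviewer can read it.
    const m = /^\s*node\s+(\S+)/.exec(scripts[hook]);
    findings.push({ type: "install-hook", hook, command: scripts[hook], scriptFile: m ? m[1] : null });
  }
  const name = (pkg.name || "").toLowerCase();
  for (const popular of POPULAR) {
    const d = levenshtein(name, popular);
    if (d > 0 && d <= 2) findings.push({ type: "lookalike-name", name, similarTo: popular, distance: d });
  }
  return findings;
}

// Constructed manifests: one modelled on the fastify-lint description above,
// one using a constructed near-miss of "lodash".
const HOOK_MANIFEST = JSON.stringify({ name: "fastify-lint", version: "1.0.0",
  scripts: { install: "node ./scripts/test/install.js", test: "echo ok" } });
const LOOKALIKE_MANIFEST = JSON.stringify({ name: "lodahs", version: "4.0.0" });
console.log(auditManifest(HOOK_MANIFEST), auditManifest(LOOKALIKE_MANIFEST));
```

Run it over every package.json under node_modules (or against the registry tarball before installing) and review each flagged script file by hand; an install hook is not malicious by itself, but it is where this campaign placed its first stage.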
Post-Exploitation Payload
Upon execution, the malware downloads a nine-module infostealer toolkit designed to target developer environments.
The modules include tools to exfiltrate SSH keys, Git repository data, browser credentials, and even crypto wallet information. The malware also deploys a keylogger, clipboard stealer, and a TruffleHog scanner to find secrets in source code.
The stolen credentials are then exfiltrated to the attackers’ C2 server.
fastify-lint package dynamically requiring the malicious vendor/scrypt-js/version.js file. (Source: Socket)
The versatility of this toolkit, which includes FTP exfiltration and file search capabilities, lets attackers harvest sensitive data persistently across the different stages of an operation.
In addition to direct credential theft, the campaign also employs a technique for persistent infection via VSCode configuration.
A clever use of whitespace manipulation ensures the malware is re-executed whenever a developer opens a project in VSCode, making the infection difficult to remove.
This campaign bears the hallmarks of the FAMOUS CHOLLIMA threat actor, linked to the Lazarus Group and known for targeting cryptocurrency and Web3 developers.
The use of advanced evasion techniques and steganography further indicates that these attackers are refining their operations.
Organizations and developers are strongly advised to review dependencies carefully and avoid installing untrusted packages.
Tools like Socket’s AI-powered threat detection can help identify these malicious packages before they can harm your environment, offering vital protection against the growing threat of supply chain attacks.
The post “StegaBin” Campaign Targets npm Users With Multi-Stage Credential Theft appeared first on Cyber Security News.
