PylangGhost RAT Spread Through Malicious npm Packages In New Campaign

A new software supply chain campaign has used malicious npm packages to deliver the PylangGhost remote access trojan, showing that attackers are still abusing open-source registries to target developers and downstream systems.

The activity was spotted by a scanner built to track suspected DPRK-linked npm abuse. Two packages were identified with an obfuscated PylangGhost loader: react-refresh-update and @jaime9008/math-service.

In both cases, the first published version appeared clean, while later versions introduced malicious code. That pattern is common in supply chain attacks because it helps a package appear harmless at first, then turn malicious after trust has been established.

For react-refresh-update, the infected versions ran from March 1, 2026, with the malicious code placed in bundled JavaScript files (runtime.js and babel.js, as listed in the table below).

According to the analysis, the loader changed hash values between package archives because the obfuscation process was not deterministic. That makes simple hash-based detection less reliable.

Simple Loader, Multi-Stage Delivery

The malicious loader used a basic but effective chain: decode, decrypt, and eval. The sample contained a hardcoded XOR key, fdfdfdfdf3rykyjjgfkwi, which was used to decrypt the next stage.

After decryption, the code remained lightly obfuscated, primarily through renamed functions and redirected array references.
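The decode, decrypt and eval chain described above can be undone statically, which is how an analyst inspects the next stage without running it. The helper below is an added example for this write-up, not code from the page, from kmsec or from the loader itself. It uses the XOR key value the article reports, but the loader text it parses (with the variable names `_k` and `_d`) and the harmless inner stage are constructed here so the decoder can be exercised offline.

```javascript
// Added analysis helper (not the page's, kmsec's or the loader's own code). It
// statically recovers the stage that a decode -> decrypt -> eval loader would run,
// without ever calling eval. SAMPLE_LOADER and STAGE_TEXT are constructed here; the
// variable names _k and _d are assumptions about that constructed sample.
const XOR_KEY = 'fdfdfdfdf3rykyjjgfkwi'; // key value reported in the article

// Repeating-key XOR over a byte buffer; symmetric, so one function encrypts and decrypts.
function xorBytes(buf, key) {
  const k = Buffer.from(key, 'utf8');
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ k[i % k.length];
  return out;
}

// A harmless constructed "next stage" and a loader string in the shape the article
// describes: base64 blob, hardcoded key, eval. Built here only to exercise the decoder.
const STAGE_TEXT = "console.log('constructed benign stage');";
const SAMPLE_LOADER = [
  `var _k = "${XOR_KEY}";`,
  `var _d = "${xorBytes(Buffer.from(STAGE_TEXT, 'utf8'), XOR_KEY).toString('base64')}";`,
  'eval(x(Buffer.from(_d, "base64"), _k).toString());',
].join('\n');

// Pull the key and the base64 blob out of loader source with regexes.
function extractArtifacts(src) {
  const key = /_k\s*=\s*"([^"]+)"/.exec(src);
  const blob = /_d\s*=\s*"([A-Za-z0-9+\/=]+)"/.exec(src);
  if (!key || !blob) return null;
  return { key: key[1], blob: blob[1] };
}

// Recover the next stage as text for inspection. Nothing is executed.
function recoverStage(src) {
  const a = extractArtifacts(src);
  if (!a) return null;
  return xorBytes(Buffer.from(a.blob, 'base64'), a.key).toString('utf8');
}

// Cheap triage signal that survives re-obfuscation: the decode/decrypt/eval shape itself.
function looksLikeDecodeDecryptEval(src) {
  return /['"]base64['"]/.test(src) && /\beval\s*\(/.test(src) && /_k\s*=\s*"/.test(src);
}

console.log('triage:', looksLikeDecodeDecryptEval(SAMPLE_LOADER));
console.log('recovered stage:', recoverStage(SAMPLE_LOADER));
```

Run it with `node` and it prints the recovered stage text; the point is that replacing the final `eval` with a return value turns the loader's own decryption routine into an inspection tool, while the shape check gives a signal that does not depend on the blob's hash.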

The refactored script shows a clear multi-platform design. It checks the operating system and then downloads different payloads for Windows, Linux, or macOS from the domain malicanbur.pro.

PylangGhost C2 URL from the Windows variant hardcoded and conveniently commented (Source: kmsec)

On Windows, it downloads a ZIP archive in chunks, extracts it with tar, and launches start.vbs with wscript in hidden mode. On Linux and macOS, it downloads a shell script to a temporary path, makes it executable, and runs it.

This design is notable because it supports cross-platform delivery while using simple Node.js code that can blend into JavaScript package ecosystems.

Payload Infrastructure and Risk

The Windows variant retrieved from winnmrepair_ml2j.release was preserved as evidence and uploaded to VirusTotal. Analysis of the ZIP file showed a hardcoded command-and-control address in config.py: http://173.211.46[.]22:8080.

| Package Name | Version | Detection Date | Infection Point |
|---|---|---|---|
| react-refresh-update | 1.0.4 | 2026-03-01 | /runtime.js |
| react-refresh-update | 1.0.3 | 2026-03-01 | /runtime.js |
| react-refresh-update | 1.0.2 | 2026-03-01 | /runtime.js, /babel.js |
| react-refresh-update | 1.0.1 | 2026-03-01 | /babel.js |
| @jaime9008/math-service | 1.0.2 | 2026-02-23 | /lib/lib.js |
| @jaime9008/math-service | 1.0.1 | 2026-02-23 | /lib/lib.js |

Although the researcher, kmsec, did not pursue deep reverse engineering after confirming the malware family as DPRK-linked PylangGhost, the findings remain important.

They show how attackers can hide a remote access trojan inside npm packages that appear developer-related and routine.

Developers and security teams should review package histories, monitor sudden version changes, inspect obfuscated JavaScript, and treat unexpected network activity at install time or runtime as a high-risk signal.
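Reviewing package histories for the clean-first-release pattern described earlier can be automated from registry metadata. The script below is an added example, not code from the page or from kmsec: `HISTORY` is a constructed, packument-style record (version, publish time, shipped files, npm scripts) whose timestamps and install hooks are invented for the example rather than taken from the real packages, and the one-hour burst window is an assumed tuning value.

```javascript
// Added example (not the page's or kmsec's code): review a package's version history
// for the clean-first-release-then-malicious pattern the article describes. HISTORY is
// a constructed, packument-style record; its times and install hooks are invented for
// the example, not taken from the real packages.
const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare'];
const BURST_WINDOW_MINUTES = 60; // constructed: releases closer than this count as a burst

const HISTORY = [
  { version: '1.0.0', time: '2026-02-20T10:00:00Z', files: ['package.json', 'index.js'], scripts: {} },
  { version: '1.0.1', time: '2026-03-01T08:05:00Z', files: ['package.json', 'index.js', 'babel.js'], scripts: { postinstall: 'node babel.js' } },
  { version: '1.0.2', time: '2026-03-01T08:40:00Z', files: ['package.json', 'index.js', 'babel.js', 'runtime.js'], scripts: { postinstall: 'node runtime.js' } },
];

// What did the newer release add relative to the older one?
function diffVersions(prev, next) {
  const addedFiles = next.files.filter((f) => !prev.files.includes(f));
  const addedHooks = LIFECYCLE.filter((h) => h in next.scripts && !(h in prev.scripts));
  return { from: prev.version, to: next.version, addedFiles, addedHooks };
}

// Versions published within the window after the previous one (input must be time-sorted).
function publishBursts(sorted, windowMinutes) {
  const bursts = [];
  for (let i = 1; i < sorted.length; i++) {
    const gapMinutes = (Date.parse(sorted[i].time) - Date.parse(sorted[i - 1].time)) / 60000;
    if (gapMinutes <= windowMinutes) bursts.push(sorted[i].version);
  }
  return bursts;
}

// Walk the history in publish order and flag releases that add an install hook, or add
// files as part of a rapid burst of releases.
function reviewHistory(history) {
  const sorted = [...history].sort((a, b) => Date.parse(a.time) - Date.parse(b.time));
  const bursts = publishBursts(sorted, BURST_WINDOW_MINUTES);
  const flagged = [];
  for (let i = 1; i < sorted.length; i++) {
    const d = diffVersions(sorted[i - 1], sorted[i]);
    const reasons = [];
    if (d.addedHooks.length) reasons.push(`adds install hook(s): ${d.addedHooks.join(', ')}`);
    if (d.addedFiles.length && bursts.includes(d.to)) reasons.push(`adds files in a release burst: ${d.addedFiles.join(', ')}`);
    if (reasons.length) flagged.push({ version: d.to, reasons });
  }
  return { bursts, flagged, verdict: flagged.length ? 'review' : 'ok' };
}

console.log(JSON.stringify(reviewHistory(HISTORY), null, 2));
```

In a real pipeline the `files` list would come from each version's tarball manifest and `time` from the registry's per-version publish timestamps; the comparison logic stays the same. A newly added lifecycle hook is treated as reviewable on its own, since it is the switch that turns a previously passive package into one that runs code at install time.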

This campaign is another reminder that one poisoned package can open the door to full remote access.


The post PylangGhost RAT Spread Through Malicious npm Packages In New Campaign appeared first on Cyber Security News.
