North Korean Hackers Deploy 26 Malicious npm Packages

A new supply-chain threat is putting developers on alert. Security researchers warn that North Korean hackers have uploaded 26 malicious packages to the npm registry. This aims to infect developer machines and steal sensitive data. 

GoPlus 中文社区发推提醒，朝鲜黑客向 npm 注册表发布了一组 26 个恶意软件包，这些恶意软件包都附带一个安装脚本（install.js），该脚本会在软件包安装过程中自动执行，进而运行位于“vendor/scrypt-js/version.js”中的恶意代码，…

— 吴说区块链 (@wublockchain12) March 3, 2026

The warning, shared by the GoPlus community on March 3, links the campaign to the well-known “Famous Chollima” hacking group. According to the report, the packages hide a remote access trojan (RAT) that activates during installation. The incident shows growing risks in open-source ecosystems. Especially for Web3 and crypto developers.

Malicious Packages Hide in Plain Sight

Researchers say the attackers published 26 fake packages that mimic legitimate developer tools.  Those are especially linting and utility libraries. Each package includes an install.js script that runs automatically when the package is installed. Once triggered, the script executes hidden code located in vendor/scrypt-js/version.js. This code quietly downloads a remote access trojan from a malicious URL. 

Because npm installs often run automatically inside development environments. Many users may not notice the infection. Security analysts note this tactic is effective because it abuses normal developer workflows. In short, the malware arrives disguised as routine tooling.

What the Malware Can Do?

The embedded RAT gives attackers deep access to infected systems. According to the GoPlus alert, the malware can perform several dangerous actions. It can log keystrokes, steal clipboard data and collect browser credentials. It also scans systems using TruffleHog to find exposed secrets. In more serious cases, it attempts to steal Git repositories and SSH keys. For crypto developers, the risk is even higher. Stolen keys or credentials could lead directly to wallet breaches or project compromises. That is why security teams are treating this campaign as high severity.

Links to Famous Chollima Group

Investigators have tied the activity to the North Korean hacking operation known as Famous Chollima. It’s a group tracked by security firms since at least 2018. The group has a history of targeting developers, crypto projects and financial platforms.

Recent analysis suggests the campaign uses advanced obfuscation techniques. Some reports mention steganography methods that hide command and control data in seemingly harmless text. The malware infrastructure also appears distributed across multiple hosting services, making takedowns harder. This pattern fits previous North Korean operations. That focuses on long-term infiltration rather than quick attacks.

Developers Urged to Stay Alert

Security experts are urging developers to verify package sources before installing dependencies. Even small projects can become entry points for larger supply-chain breaches. GoPlus specifically warned users to avoid the flagged packages and review dependency trees carefully. Teams are also encouraged to enable lockfiles, audit tools and runtime monitoring.

The incident is another reminder that open source ecosystems remain a prime target for state linked hackers. As Web3 and crypto development grow, the stakes keep rising. For now, experts say basic hygiene, checking packages and limiting trust. It remains the best defense.