New ‘StegaBin’ Campaign Uses 26 Malicious npm Packages to Deploy Multi-Stage Credential Stealer

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A new software supply-chain attack is abusing the npm ecosystem, where a single mistyped or look-alike dependency name can quietly open a door into a developer’s machine.

The activity, tracked as “StegaBin,” mixes familiar tricks like typosquatting with a staged delivery path that runs during installation and keeps the theft out of sight.

In this wave, 26 malicious packages were published over a two-day window and were designed to run a hidden install step when developers add them to projects.

Once executed, the chain can pull down platform-specific scripts, plant a remote access trojan, and then load a nine-part toolkit focused on stealing credentials and secrets from developer workstations.

Socket.dev researchers picked up the activity from early automated-scanning signals and identified the cluster, linking it to Contagious Interview-style tradecraft associated with North Korea-aligned activity.

Independent reporting also surfaced quickly, with researcher Kieran Miyamoto disclosing 17 related packages and explaining the Pastebin decoder used to recover hidden command-and-control addresses.

The campaign’s reach is broad because the fake packages imitate popular libraries across web frameworks, utilities, databases, and build tools, making accidental installs plausible during routine work.

Many of the packages even list the real library they mimic as a dependency, so the victim’s project keeps working normally and nothing obvious signals that a malicious install script has already run.

That mix of frictionless installs and theft puts source code, SSH keys, browser logins, clipboard data, and tokens at risk, especially for teams that move fast and reuse secrets daily.

Infection chain: Pastebin steganography in practice

The first step fires during installation: package.json declares an install lifecycle script, so npm automatically executes node ./scripts/test/install.js as soon as the package is installed.

Install script flagged by Socket in the package.json manifest file of the fastify-lint package (Source – Socket.dev)

That installer calls a loader placed at vendor/scrypt-js/version.js, a path chosen to look like a vendored copy of the legitimate scrypt-js crypto library.

Next, the loader decodes three hardcoded Pastebin links. The visible content of each paste reads like a harmless computer science essay, but single characters have been substituted at regular intervals, and reading only those positions yields the hidden infrastructure list.

Screenshot of one of the Pastebin Pastes (Source – Socket.dev)

That essay is all a reviewer glancing at the paste would see. After extracting the hidden list, the malware cycles through 31 Vercel-hosted domains until one responds with a live shell payload; the other hosts may return a decoy “Permanently suspended” message.
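The substitution scheme described above, as an added illustration rather than the campaign’s own decoder or any code from Socket.dev: a hidden string is written into an innocuous essay one character per fixed interval, and the same interval reads it back out. The stride, offset, terminator, cover text and hostnames below are all assumptions and constructed samples; the real pastes’ parameters are not documented here. The second half shows the defender-side check: diffing a suspect paste against a known clean copy of the essay, where substitution at a fixed stride leaves mismatches whose gaps share a common divisor that ordinary edits do not produce.

```javascript
// Added illustration, not the campaign's own decoder: character substitution at a fixed
// interval inside an innocuous essay, plus the diff-based check a reviewer can run.
// STRIDE, OFFSET, the terminator, the cover text and the hostnames are assumptions;
// the real pastes' parameters are not documented on this page. Node.js, no dependencies.

const STRIDE = 7;   // assumed: one carrier position every 7 characters
const OFFSET = 3;   // assumed: index of the first carrier position
const END = '|';    // assumed: terminator that marks the end of the hidden string

// Constructed cover text standing in for the "computer science essay".
const COVER =
  'A compiler translates a program written in a high level language into machine code. ' +
  'The front end performs lexical analysis, parsing and semantic checks, while the back end ' +
  'allocates registers, schedules instructions and emits object code for the target. ' +
  'Optimisation passes such as constant folding and dead code elimination run in between. ' +
  'Because each pass is independent, a compiler can be extended without rewriting the whole ' +
  'pipeline, which is why modern toolchains share a common intermediate representation.';

// Constructed hostnames; the campaign's real domains are not reproduced here.
const HIDDEN = 'api-7.vercel.app,cdn-3.vercel.app';

// Carrier positions: offset, offset + stride, offset + 2 * stride, ...
function carrierPositions(length, offset = OFFSET, stride = STRIDE) {
  const out = [];
  for (let p = offset; p < length; p += stride) out.push(p);
  return out;
}

// Overwrite one character per carrier position with the payload, then the terminator.
function embed(cover, payload, offset = OFFSET, stride = STRIDE) {
  const chars = cover.split('');
  const positions = carrierPositions(cover.length, offset, stride);
  const data = payload + END;
  if (data.length > positions.length) throw new Error('cover text too short for payload');
  for (let i = 0; i < data.length; i++) chars[positions[i]] = data[i];
  return chars.join('');
}

// Read the carrier positions until the terminator; null if no terminator is found.
function extract(text, offset = OFFSET, stride = STRIDE) {
  let out = '';
  for (const p of carrierPositions(text.length, offset, stride)) {
    if (text[p] === END) return out;
    out += text[p];
  }
  return null;
}

// Defender side: positions where a paste differs from a known clean copy of the essay.
function mismatchPositions(clean, suspect) {
  const n = Math.min(clean.length, suspect.length);
  const out = [];
  for (let i = 0; i < n; i++) if (clean[i] !== suspect[i]) out.push(i);
  return out;
}

// Substitution at a fixed stride makes every gap between mismatches a multiple of that
// stride (a payload character can coincide with the cover, so gaps may skip a slot), and
// the greatest common divisor of the gaps recovers it. Fewer than three mismatches or a
// divisor of 1 means nothing regular was found.
function commonInterval(positions) {
  if (positions.length < 3) return null;
  const gcd = (a, b) => (b === 0 ? a : gcd(b, a % b));
  let g = 0;
  for (let i = 1; i < positions.length; i++) g = gcd(g, positions[i] - positions[i - 1]);
  return g > 1 ? g : null;
}

const paste = embed(COVER, HIDDEN);
console.log(paste.slice(0, 60) + '...');                         // still reads as prose
console.log(extract(paste).split(','));                          // ['api-7.vercel.app', 'cdn-3.vercel.app']
console.log(commonInterval(mismatchPositions(COVER, paste)));    // 7
```

The decoder needs the stride and offset, which the loader hardcodes, so a reviewer without the loader cannot simply read the paste. The diff check needs neither: a clean copy of the same essay (from a search engine cache or a textbook) is enough to expose that the paste was edited at a regular interval, which is the signal to look for when a package fetches a text paste at install time.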

From there, a token-gated bootstrapper sets up the next stage: it installs Node.js 20.11.1 if it is missing, pulls down additional scripts, runs them in the background, and then removes traces.

The final remote access trojan connects to 103[.]106[.]67[.]63:1244 and can trigger an automated download of modules that target VSCode settings, Git data, SSH material, browser stores, and local secret files.

One persistence trick stands out because it blends into daily development: a module writes a malicious VSCode tasks.json and hides its real command behind 186 leading spaces so the dangerous part is pushed off-screen.

The task is configured to run when a folder opens, turning an infected project directory into a repeat trigger each time the developer returns to it.

Defenders should treat this as a reminder that dependency hygiene is a security control, not just a build concern, and review new packages for unexpected install scripts, strange file paths, and heavy obfuscation.

In CI and on developer laptops, consider disabling lifecycle scripts when they are not needed (npm’s --ignore-scripts flag, or ignore-scripts=true in .npmrc), pin dependencies with lockfiles, and verify maintainers before adding look-alike names.

Teams should also hunt for the shared loader path vendor/scrypt-js/version.js and for outbound traffic to Pastebin and unusual *.vercel.app hosts, then rotate any exposed SSH keys, tokens, and browser credentials.
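One way to turn the review advice above into a repeatable check, as an added example that is not code from Socket.dev or the article: scan a package’s parsed package.json and file list for an automatically run lifecycle hook, a hook that executes a script shipped inside the package, the shared loader path, and a look-alike name that wraps the library it imitates. The two sample packages are constructed to resemble the fastify-lint case and a clean package; they are not the real package contents.

```javascript
// Added example, not code from Socket.dev or the article: a reviewer-side scan for the
// package-level indicators described in the article. It takes a parsed package.json and
// the file list of the unpacked tarball (or node_modules/<name>); both samples below are
// constructed and are not the real package contents. Node.js, no dependencies.

// Hooks npm runs automatically when a dependency is installed from the registry.
const AUTO_HOOKS = ['preinstall', 'install', 'postinstall'];
// Loader path reported as shared across the packages in this campaign.
const KNOWN_LOADER = 'vendor/scrypt-js/version.js';

function scanPackage(pkg, files) {
  const findings = [];
  const name = pkg.name || '';
  const scripts = pkg.scripts || {};

  for (const hook of AUTO_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    findings.push(`lifecycle-script:${hook}`);
    // "node <file inside the package>" is the pattern used here. Native add-ons build
    // through node-gyp or prebuild tools instead, which this regex deliberately skips.
    const m = /\bnode\s+(?:\.\/)?([\w./-]+\.[cm]?js)\b/.exec(cmd);
    if (m) findings.push(`hook-runs-local-file:${m[1]}`);
  }

  const normalized = files.map(f => f.replace(/\\/g, '/').replace(/^\.\//, ''));
  if (normalized.includes(KNOWN_LOADER)) findings.push(`known-loader-path:${KNOWN_LOADER}`);

  // Heuristic: a look-alike name wrapping the real library it imitates (fastify-lint
  // depending on fastify). Legitimate plugins do this too, so weigh it with the hooks above.
  for (const dep of Object.keys(pkg.dependencies || {})) {
    if (dep !== name && (name.startsWith(dep + '-') || name.endsWith('-' + dep))) {
      findings.push(`wraps-dependency:${dep}`);
    }
  }
  return findings;
}

// Constructed sample shaped like the article's description of fastify-lint.
const SUSPECT_PKG = {
  name: 'fastify-lint',
  version: '1.0.3',
  scripts: { install: 'node ./scripts/test/install.js', test: 'echo ok' },
  dependencies: { fastify: '^4.0.0' },
};
const SUSPECT_FILES = [
  'package.json', 'index.js', 'scripts/test/install.js', 'vendor/scrypt-js/version.js',
];

// Constructed clean package for comparison: a test script is not a lifecycle hook.
const CLEAN_PKG = { name: 'left-pad-clone', version: '0.1.0', scripts: { test: 'node test.js' } };
const CLEAN_FILES = ['package.json', 'index.js', 'test.js'];

console.log(scanPackage(SUSPECT_PKG, SUSPECT_FILES));
// [ 'lifecycle-script:install', 'hook-runs-local-file:scripts/test/install.js',
//   'known-loader-path:vendor/scrypt-js/version.js', 'wraps-dependency:fastify' ]
console.log(scanPackage(CLEAN_PKG, CLEAN_FILES));   // []
```

The file list is what makes the loader-path check possible, so run this against the unpacked tarball (npm pack, then extract) or against node_modules/<name> after an install done with --ignore-scripts, not against the registry metadata alone. A lifecycle hook by itself is common in packages that build native code; the combination of a hook that runs a plain JavaScript file from inside the package, an odd vendored path, and a name that wraps the imitated library is what should block the merge.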

If VSCode is widely used, checking user-level and workspace .vscode/tasks.json files for long whitespace padding in task commands and for runOptions.runOn set to folderOpen can help catch the persistence step early.
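The tasks.json check described above, as an added example that is not code from the article or Socket.dev. One practical snag is that VS Code reads tasks.json as JSONC, so comments and trailing commas are legal and a plain JSON.parse can fail on a real file; the small stripper below handles that before the task list is inspected. The sample file, its labels and its command are constructed; the campaign’s real task command is not reproduced.

```javascript
// Added example, not from the article or Socket.dev: a check for the VSCode persistence
// pattern described in the article. tasks.json is JSONC (comments and trailing commas
// allowed), so comments are stripped before parsing. The sample content is constructed;
// the campaign's real command is not reproduced. Node.js, no dependencies.

// Remove // and /* */ comments outside string literals, then trailing commas.
// (The trailing-comma regex would also touch a string containing ",}" ; acceptable for
// tasks.json, where commands rarely contain that sequence.)
function stripJsonc(text) {
  let out = '';
  let i = 0;
  while (i < text.length) {
    const c = text[i];
    if (c === '"') {                                   // copy a string literal verbatim
      let j = i + 1;
      while (j < text.length && text[j] !== '"') {
        if (text[j] === '\\') j++;                     // skip the escaped character
        j++;
      }
      out += text.slice(i, j + 1);
      i = j + 1;
    } else if (c === '/' && text[i + 1] === '/') {     // line comment: drop to end of line
      while (i < text.length && text[i] !== '\n') i++;
    } else if (c === '/' && text[i + 1] === '*') {     // block comment
      const end = text.indexOf('*/', i + 2);
      i = end === -1 ? text.length : end + 2;
    } else {
      out += c;
      i++;
    }
  }
  return out.replace(/,(\s*[}\]])/g, '$1');
}

function parseTasksJson(text) {
  return JSON.parse(stripJsonc(text));
}

// Flag tasks that auto-run on folder open and/or hide their command behind whitespace.
// VS Code accepts "command" as a string or as an object with a "value" field.
function findAutoRunTasks(tasksJson, maxLeadingSpaces = 8) {
  const findings = [];
  for (const task of tasksJson.tasks || []) {
    const raw = task.command;
    const cmd = typeof raw === 'string' ? raw : (raw && typeof raw.value === 'string' ? raw.value : '');
    const leading = cmd.length - cmd.trimStart().length;
    const reasons = [];
    if (task.runOptions && task.runOptions.runOn === 'folderOpen') reasons.push('runOn=folderOpen');
    if (leading > maxLeadingSpaces) reasons.push(`leading-whitespace=${leading}`);
    if (reasons.length) findings.push({ label: task.label, reasons, command: cmd.trim() });
  }
  return findings;
}

// Constructed .vscode/tasks.json: one ordinary task, one shaped like the persistence step.
const SAMPLE_TASKS_JSONC = `{
  // comments are legal here, which is why JSON.parse alone is not enough
  "version": "2.0.0",
  "tasks": [
    {
      "label": "lint",
      "type": "shell",
      "command": "npx eslint .",
      "detail": "see https://example.test/docs",
      "problemMatcher": [],
    },
    {
      "label": "build",
      "type": "shell",
      "command": "${' '.repeat(186)}node ./vendor/check.js",
      "runOptions": { "runOn": "folderOpen" }
    }
  ]
}`;

console.log(findAutoRunTasks(parseTasksJson(SAMPLE_TASKS_JSONC)));
// [ { label: 'build', reasons: [ 'runOn=folderOpen', 'leading-whitespace=186' ],
//     command: 'node ./vendor/check.js' } ]
```

Run it over every .vscode/tasks.json in checked-out repositories and over the user-level tasks.json in the VS Code user data directory; a hit on either reason deserves a look, and both together match the pattern reported here. A build task that genuinely runs on folder open is rare enough that the folderOpen signal alone is worth a ticket, and whitespace padding in a command has no legitimate purpose at all.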

Since the command servers were live during analysis, responders should assume real-world theft is possible and prioritize endpoint review, secret scanning, and credential resets across developer and build systems.
