StegaBin campaign hid credential stealer inside 26 npm packages

Socket.dev researchers flagged 26 npm packages that installed a nine-module credential stealer and RAT using Pastebin steganography and Vercel C2.

Dr. Elena Rodriguez

Source: cybersecurity88.com

Socket.dev researchers flagged 26 malicious npm packages that quietly installed a multi-stage toolkit on developer machines, according to technical analysis shared with security teams. The packages, published in a tight 25–26 February 2026 window, ran hidden install-time scripts that pulled down a nine-module credential stealer and a remote access Trojan (RAT), researchers said.

The attackers used typosquatting to mimic widely used libraries such as express, fastify, lodash, uuid, ioredis and jsonwebtoken, and even published developer-tool lookalikes with “-lint” suffixes. To avoid breaking builds and alerting maintainers, the malicious packages declared the legitimate libraries they impersonated as dependencies, allowing projects to install normally while the installer executed in the background.

All 26 packages contained the same injected file at vendor/scrypt-js/version.js, triggered by an npm install hook at scripts/test/install.js. For persistence, the installer wrote a malicious VSCode tasks.json into infected project folders and hid the real command behind 186 leading spaces so that the dangerous line was pushed off-screen; the task was configured to run when the folder opens, so the infected directory became a repeat trigger whenever a developer reopened the project.

The loader recovered command-and-control addresses using character-level steganography embedded in three Pastebin pastes, researchers reported. “The loader extracts C2 URLs steganographically encoded within three Pastebin pastes, innocuous computer science essays in which characters at evenly-spaced positions have been replaced to spell out hidden infrastructure addresses,” Socket researchers Philipp Burckhardt and Peter van der Zee wrote in published analysis. After decoding, the campaign routed follow-on payloads through Vercel; researchers observed 31 Vercel deployments connected to the infrastructure, and outbound connections to at least one IP, 103[.]106[.]67[.]63.


Independent researcher Kieran Miyamoto publicly disclosed 17 related packages and described the Pastebin decoder used to recover the hidden C2 addresses; researchers note that Miyamoto’s 17-package disclosure is a subset of the 26 packages Socket flagged, and the discrepancy has not been fully reconciled in the public material. Security teams also flagged historical behavior consistent with earlier waves of the campaign cluster known as Contagious Interview, which researchers have linked to the North Korea–aligned actor FAMOUS CHOLLIMA and which previously focused on cryptocurrency and Web3 developer tooling.

Researchers said the campaign demonstrates refined evasion techniques beyond earlier waves that relied on simpler scripts or Bitbucket-hosted payloads. “While previous waves of the Contagious Interview campaign relied on relatively straightforward malicious scripts and Bitbucket-hosted payloads, this latest iteration demonstrates a concerted effort to bypass both automated detection and human review,” Socket analysts concluded. Socket Threat Research previously warned that creative steganographic tricks are growing more common; Olivia Brown noted that such techniques show “how threat actors continue to improve their obfuscation techniques” and stressed that it is “more important than ever for developers to use tools to check their software dependencies.”

Defenders should tighten dependency hygiene, disable or restrict npm lifecycle scripts in CI and on developer machines, pin dependencies with lockfiles, verify maintainers before installing look-alike packages, and monitor endpoints for unexpected install hooks, VSCode task changes and outbound connections to suspicious infrastructure such as Pastebin and Vercel. Researchers also urged registries and security teams to publish the full package lists, Pastebin paste IDs, Vercel hostnames and file hashes so incident responders can hunt and remediate infected developer environments.
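As an added example, not code from Socket's analysis or from this article, the Node.js check below looks for the two install-time traits described above: a VSCode tasks.json entry set to run on folderOpen whose command is pushed off-screen by a long run of leading spaces, and npm lifecycle scripts in package.json. The 20-space threshold, the function names and the two sample files are assumptions constructed for illustration; the check assumes strict JSON, so comments in a real tasks.json must be stripped first.

```javascript
// Added detection example; not from Socket or the article. Sample inputs are constructed.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
const MAX_LEADING_SPACES = 20; // assumption: well above any normal indentation

// Flag tasks that auto-run on folder open or hide their command behind leading spaces.
function auditTasksJson(text) {
  const findings = [];
  const doc = JSON.parse(text); // assumes strict JSON (strip JSONC comments first)
  for (const task of doc.tasks || []) {
    const cmd = String(task.command || "");
    const leading = cmd.length - cmd.trimStart().length;
    if (leading > MAX_LEADING_SPACES) {
      findings.push(`task "${task.label}": command hidden behind ${leading} leading spaces`);
    }
    if (task.runOptions && task.runOptions.runOn === "folderOpen") {
      findings.push(`task "${task.label}": runs automatically on folder open`);
    }
  }
  return findings;
}

// Flag npm lifecycle scripts that execute during `npm install`.
function auditPackageJson(text) {
  const scripts = JSON.parse(text).scripts || {};
  return LIFECYCLE_HOOKS
    .filter((hook) => hook in scripts)
    .map((hook) => `lifecycle script "${hook}" runs at install: ${scripts[hook]}`);
}

// Constructed sample: a benign-looking "build" task whose real command starts
// after 186 spaces, the width the article reports for this campaign.
const SAMPLE_TASKS = JSON.stringify({
  version: "2.0.0",
  tasks: [{
    label: "build",
    type: "shell",
    command: " ".repeat(186) + "node ./vendor/scrypt-js/version.js",
    runOptions: { runOn: "folderOpen" },
  }],
});

// Constructed sample: a look-alike "-lint" package with an install hook.
const SAMPLE_PACKAGE = JSON.stringify({
  name: "example-lint",
  scripts: { install: "node scripts/test/install.js", test: "jest" },
});

console.log(auditTasksJson(SAMPLE_TASKS));
console.log(auditPackageJson(SAMPLE_PACKAGE));
```

Running both functions over every `.vscode/tasks.json` and `package.json` under a checkout (or under `node_modules`) turns the article's indicators into a repeatable pre-commit or CI check.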
