Socket researchers discovered 26 malicious npm packages published February 25-26, 2026 deploying a multi-stage credential harvesting operation attributed to North Korea-aligned FAMOUS CHOLLIMA threat actor associated with Lazarus Group’s Contagious Interview campaigns. All packages share a malicious file that uses character-level steganography to extract command and control URLs from three Pastebin pastes. The decoder strips zero-width Unicode characters, reads five-digit length markers, calculates evenly-spaced character positions, and extracts hidden infrastructure addresses resolving to 31 Vercel-hosted domains. Socket detected the first package within two minutes of publication and flagged all 26 within six minutes each.

Impact: The VSCode persistence module injects tasks.json files with commands preceded by 186 spaces to push payloads off-screen, configured with runOn folderOpen triggers and presentation settings suppressing all visual feedback. The keylogger implements platform-specific capture using SetWindowsHookEx low-level hooks on Windows, xinput test-xi2 on Linux, and CGEventTap on macOS, annotating events with active window titles and extracting browser URLs when foreground applications are Chrome, Edge, Firefox, Brave, Opera, or Vivaldi. The cryptocurrency wallet stealer targets 86 extension IDs by copying LevelDB stores to temporary directories. The Git module recursively walks filesystems collecting repository metadata, extracting credentials from git-credentials files, parsing authentication tokens from remote URLs, and uploading SSH keys from .ssh directories.

Recommendation: Inspect VSCode tasks.json files for entries with excessive leading whitespace or runOn folderOpen triggers. Block identified IOCs. Monitor Pastebin access for systematic character extraction from pastes CJ5PrtNk, 0ec7i68M, and DjDCxcsT. Rotate all SSH keys, Git credentials, browser passwords, and cryptocurrency wallet seeds on compromised systems. Deploy package manager security scanning detecting install scripts executing from scripts/test directories or loading vendor/scrypt-js paths. Enable threat detection to flag obfuscated code and abnormal install behavior.

Socket researchers discovered four malicious NuGet packages targeting ASP.NET developers in February 2026, though the packages were originally published between August 12-21, 2024 by threat actor hamzazaheer and have accumulated over 4,500 total downloads. The delayed discovery highlights common challenges in supply chain security where malicious packages can remain undetected for extended periods while actively compromising development environments. NCryptYo acts as a stage-1 dropper that typosquats the legitimate NCrypto package and establishes a localhost proxy on port 7152, while companion packages DOMOAuth2_ and IRAOAuth2.0 exfiltrate ASP.NET Identity data including user accounts, role assignments, and permission mappings. NCryptYo presents non-functional public API methods that return null unconditionally while executing malicious functionality through JIT compiler manipulation. The complex attack architecture required extensive reverse engineering to uncover, including decrypting multiple encryption layers, analyzing JIT compiler hooks, and reverse engineering .NET Reactor obfuscation to understand the two-stage payload deployment. The stage-2 payload establishes a localhost proxy relaying traffic between companion packages and external command and control servers, keeping infrastructure details out of static artifacts and complicating detection efforts.

Impact: NCryptYo hijacks the .NET runtime’s compilation pipeline by modifying the JIT compiler’s compileMethod vtable entry, importing native functions including VirtualAlloc, mmap, and mprotect to allocate executable memory and deploy platform-specific shellcode for x64, x86, and ARM64 processors. The package embeds five encrypted resources including a 126 KB executable that decrypts using AES-256-CBC with hardcoded keys, deploying the stage-2 proxy on localhost:7152. DOMOAuth2_ and IRAOAuth2.0 integrate through dependency injection, exposing four methods that exfiltrate Identity data to endpoints including get-permissions and update-role-permissions. The packages return C2 responses through dynamic-typed fields enabling permission injection attacks that grant attackers admin-level access by manipulating authorization rules. SimpleWriter_ beacons to the localhost proxy on every ConvertHtmlToPDF call, then unconditionally writes arbitrary file content and executes binaries with hidden windows regardless of network connectivity.

Recommendation: Audit NuGet dependencies for typosquatting patterns by verifying package names and author identities before installation. Decompile suspicious packages to check for obfuscation markers including SuppressIldasm attributes and method bodies returning null unconditionally. Monitor localhost connections on non-standard ports, treating persistent connections to localhost:7152 as compromise indicators. Enable NuGet package signature verification and configure sources to require signed packages from trusted publishers. Block packages importing native memory manipulation APIs including VirtualAlloc, WriteProcessMemory, and mmap when combined with anti-debugging checks. Implement behavioral monitoring detecting static constructor execution patterns where initialization logic runs before developer interaction. Uninstall NCryptYo, DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_ packages, audit build artifacts for localhost:7152 references, rotate credentials for ASP.NET Identity systems, and review authorization configurations for unauthorized modifications.