A new software supply chain attack has surfaced on the npm registry, with malicious JavaScript packages delivering the PylangGhost remote access trojan (RAT). This marks the first confirmed instance of PylangGhost appearing on npm, a critical platform for open-source development, indicating a significant escalation by the North Korean state-sponsored threat group FAMOUS CHOLLIMA in their efforts to compromise global development pipelines. The discovery highlights the growing threat of sophisticated malware infiltrating the software development lifecycle.
The attack was identified by Kmsec.uk researchers, who discovered two malicious npm packages, @jaime9008/math-service and react-refresh-update, published under the user account jaime9008. These packages, uploaded in late February and early March 2026 respectively, underwent rapid version updates, with the PylangGhost loader embedded within core JavaScript files. This campaign, using the identifier “ML2J,” leverages the domain malicanbur[.]pro for its command-and-control (C2) infrastructure, posing a stealthy threat to developers globally.
PylangGhost RAT Emerges in npm Supply Chain Attack
The PylangGhost RAT, previously disclosed by Cisco Talos in June 2025, has now found a new avenue for distribution through the widely used npm package manager. FAMOUS CHOLLIMA, a threat actor known for targeting software developers through compromised code repositories and social engineering tactics, appears to be broadening its attack surface. The group’s deliberate move onto npm, one of the largest open-source registries, suggests a strategic effort to achieve a wider impact than previous campaigns.
The two identified malicious packages, @jaime9008/math-service and react-refresh-update, were meticulously crafted to evade detection. Researchers noted that the PylangGhost loader was embedded in various JavaScript files, including runtime.js, babel.js, and lib/lib.js, suggesting a deep integration into the package’s functionality. The attacker’s C2 infrastructure, operating from malicanbur[.]pro with an IP address of 173.211.46[.]22 on port 8080, facilitates the exfiltration of data and further compromise of infected systems.
The deceptive naming of packages, such as react-refresh-update, makes it challenging for developers and security teams to identify malicious dependencies through routine checks. This allows the malware to remain dormant and execute its payload without raising immediate suspicion, increasing the potential for widespread compromise across organizations that rely on these packages in their automated build systems and CI/CD pipelines.
Infection Chain and Payload Delivery
The infection chain is designed to operate silently across Windows, macOS, and Linux operating systems. Upon installation of an affected npm package, a JavaScript loader embedded within the package’s files executes automatically. This loader employs a decode-decrypt-evaluate sequence, utilizing a hardcoded XOR key, "fdfdfdfdf3rykyjjgfkwi", to decrypt and execute the hidden malware payload in memory.
Following decryption, the loader assesses the victim’s operating system to tailor its subsequent actions. For Windows systems, it initiates the download of a ZIP archive from the C2 server in small, 10 MB increments. This segmented download strategy is intended to bypass network monitoring tools that typically flag large, single-file transfers. Once downloaded, the archive is extracted to the system’s temporary directory, and a VBScript file, start.vbs, is silently executed using wscript, ensuring the process remains hidden from the user.
On macOS and Linux systems, the process differs slightly, with a shell script being fetched directly, made executable, and then run. The Windows payload has been identified with the VirusTotal hash 0be2375362227f846c56c4de2db4d3113e197f0c605c297a7e0e0c154e94464e. The RAT is also equipped to enumerate Chrome extension IDs installed on a compromised machine, providing attackers with a direct route to sensitive browser-stored credentials and personal data.
Security professionals and development teams are urged to immediately audit their npm dependency trees for any instances of react-refresh-update and @jaime9008/math-service. If found, these packages should be removed promptly. Furthermore, network traffic to malicanbur[.]pro and the C2 IP address 173.211.46[.]22 at port 8080 should be blocked at the network perimeter. Integrating software composition analysis (SCA) tools into development pipelines can help proactively identify and mitigate the risks associated with compromised dependencies before they are deployed into production environments.
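The audit and blocking steps above can be scripted against the artifacts a team already has: the project's package-lock.json and its egress logs. The following is an added example, not code from the article or from Kmsec.uk; the package names, domain and IP are the ones the article reports, while the lockfile contents, version numbers, agent host names and log lines are constructed for this example.

```javascript
// Added example (not code from the article or from Kmsec.uk): audit an npm
// lockfile for the two packages named above and match egress logs against the
// reported C2 indicators. The lockfile contents, version numbers, host names
// and log lines are constructed for this example.

const FLAGGED_PACKAGES = new Set(["react-refresh-update", "@jaime9008/math-service"]);
// The article names port 8080 for the IP; this example matches the host and the
// address on any port, since the address is the more durable indicator.
const C2_HOSTS = new Set(["malicanbur.pro", "173.211.46.22"]);

// lockfileVersion 2/3 keys each install by path ("node_modules/<name>", nested
// installs as "node_modules/<parent>/node_modules/<name>"); the package name is
// whatever follows the last "node_modules/", scope prefix included.
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

function findFlaggedPackages(lockfile) {
  const findings = [];
  if (lockfile.packages) {
    for (const [key, entry] of Object.entries(lockfile.packages)) {
      const name = packageNameFromKey(key);
      if (name && FLAGGED_PACKAGES.has(name)) findings.push({ name, version: entry.version, path: key });
    }
    return findings;
  }
  // lockfileVersion 1 nests "dependencies" objects keyed by package name.
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (FLAGGED_PACKAGES.has(name)) findings.push({ name, version: entry.version, path });
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lockfile.dependencies, "");
  return findings;
}

// Egress log lines in a constructed "<time> <agent> -> <dest>:<port> <status>" format.
function matchC2Indicators(lines) {
  const hits = [];
  for (const line of lines) {
    const m = /->\s*([^\s:]+):(\d+)/.exec(line);
    if (m && C2_HOSTS.has(m[1])) hits.push({ line, dest: m[1], port: Number(m[2]) });
  }
  return hits;
}

// Constructed lockfiles; the version numbers are placeholders, not the
// versions actually published to npm.
const SAMPLE_LOCKFILE_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/react": { version: "18.3.1" },
    "node_modules/some-tool": { version: "2.1.0", dependencies: { "react-refresh-update": "^1.0.0" } },
    "node_modules/some-tool/node_modules/react-refresh-update": { version: "1.0.3" },
    "node_modules/@jaime9008/math-service": { version: "0.2.0" },
  },
};

const SAMPLE_LOCKFILE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    react: { version: "18.3.1" },
    "some-tool": { version: "2.1.0", dependencies: { "react-refresh-update": { version: "1.0.3" } } },
  },
};

const SAMPLE_EGRESS_LOG = [
  "2026-03-04T09:41:10Z build-agent-07 -> registry.npmjs.org:443 200",
  "2026-03-04T09:41:12Z build-agent-07 -> 173.211.46.22:8080 200",
  "2026-03-04T09:41:15Z build-agent-07 -> malicanbur.pro:8080 200",
  "2026-03-04T09:41:20Z build-agent-07 -> 173.211.46.22:443 000",
];

function runAudit() {
  return {
    v3: findFlaggedPackages(SAMPLE_LOCKFILE_V3),
    v1: findFlaggedPackages(SAMPLE_LOCKFILE_V1),
    egress: matchC2Indicators(SAMPLE_EGRESS_LOG),
  };
}

console.log(JSON.stringify(runAudit(), null, 2));
```

The lockfile walk matters because a flagged package can arrive as a transitive dependency nested under another package, where a top-level `npm ls` glance or a search of package.json would miss it; the example reports the full install path so the offending parent is visible. Treat any egress hit on a build agent as an indicator that the agent and the credentials it held need investigation, not just that the package should be removed.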