{"id":11394,"date":"2026-03-17T10:03:47","date_gmt":"2026-03-17T10:03:47","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/03\/17\/malicious-npm-packages-deliver-pylangghost-rat-in-new-software-supply-chain-campaign\/"},"modified":"2026-03-17T10:03:47","modified_gmt":"2026-03-17T10:03:47","slug":"malicious-npm-packages-deliver-pylangghost-rat-in-new-software-supply-chain-campaign","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/03\/17\/malicious-npm-packages-deliver-pylangghost-rat-in-new-software-supply-chain-campaign\/","title":{"rendered":"Malicious npm Packages Deliver PylangGhost RAT in New Software Supply Chain Campaign"},"content":{"rendered":"<div>\n<p>A remote access trojan known as PylangGhost has appeared on the npm registry for the first time, concealed inside two malicious JavaScript packages. <\/p>\n<p>The malware, first publicly disclosed by Cisco Talos in June 2025 and attributed to the North Korean state-sponsored threat group <a href=\"https:\/\/cybersecuritynews.com\/famous-chollima-hackers-attacking-windows-and-macos-users\/\" id=\"111556\" target=\"_blank\" rel=\"noreferrer noopener\">FAMOUS CHOLLIMA<\/a>, marks a significant escalation in software supply chain attacks targeting developers around the world.\u200b<\/p>\n<p>PylangGhost has been tracked for months as part of coordinated campaigns tied to North Korean cyber operations. <\/p>\n<p>FAMOUS CHOLLIMA is well known in the security community for targeting software developers through trojanized code repositories, fabricated job opportunities, and <a href=\"https:\/\/cybersecuritynews.com\/social-engineering-tactics\/\" id=\"105131\" target=\"_blank\" rel=\"noreferrer noopener\">social engineering<\/a> tactics designed to gain unauthorized system access. 
<\/p>\n<p>The group\u2019s deliberate move onto npm \u2014 one of the most widely used open-source package registries in the world \u2014 signals a calculated effort to compromise development pipelines at a much larger scale than previously observed.\u200b<\/p>\n<p><a href=\"https:\/\/kmsec.uk\/blog\/pylangghost-npm\/\" id=\"https:\/\/kmsec.uk\/blog\/pylangghost-npm\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Kmsec.uk researchers identified two malicious packages<\/a> published by user jaime9008, linked to the email jaimeandujo086[@]gmail.com. <\/p>\n<p>The first package, @jaime9008\/math-service, was uploaded in late February 2026, and the second, react-refresh-update, surfaced in early March 2026. <\/p>\n<p>Both packages cycled rapidly through multiple version updates, with the PylangGhost loader embedded inside key JavaScript files including runtime.js, babel.js, and lib\/lib.js.\u200b<\/p>\n<p>The campaign identifier hardcoded into the malware is \u201cML2J,\u201d and the attacker\u2019s command-and-control (C2) infrastructure relies on the domain malicanbur[.]pro, with a C2 IP address of 173.211.46[.]22:8080. <\/p>\n<p>This marks the first confirmed instance of PylangGhost appearing on npm and reflects the speed at which FAMOUS CHOLLIMA continues to develop and deploy new tools. <\/p>\n<p>Any developer who installed either of these packages during the active window may have had their system silently compromised without any visible indication.\u200b<\/p>\n<p>The broader danger of this campaign extends well beyond individual developers. Since npm packages are routinely pulled into large-scale projects, automated build systems, and CI\/CD pipelines, a single infected dependency can quietly expose entire organizations. 
<\/p>\n<p>The deceptive use of a convincing package name like react-refresh-update makes the threat much harder to catch through routine dependency reviews, giving the malware additional time to execute without raising suspicion.\u200b<\/p>\n<h2 class=\"wp-block-heading\" id=\"how-the-infection-unfolds\"><strong>How the Infection Unfolds<\/strong><\/h2>\n<p>The infection chain behind this campaign is carefully structured to execute silently across Windows, macOS, and Linux systems without triggering any immediate security alerts.\u200b<\/p>\n<p>Once a developer installs an affected package, a <a href=\"https:\/\/cybersecuritynews.com\/javascript-loader-to-deliver-malware\/\" id=\"8093\" target=\"_blank\" rel=\"noreferrer noopener\">JavaScript loader<\/a> embedded in specific files runs automatically. <\/p>\n<p>This loader follows a decode-decrypt-evaluate sequence and uses a hardcoded XOR key \u2014 the string \u201cfdfdfdfdf3rykyjjgfkwi\u201d \u2014 to unlock the hidden payload before it executes in memory.\u200b<\/p>\n<p>After decryption, the loader checks the victim\u2019s operating system and adjusts its behavior accordingly. <\/p>\n<p>On Windows machines, it downloads a ZIP archive from malicanbur[.]pro in 10 MB increments \u2014 a method deliberately chosen to bypass network monitoring tools that flag large single-file transfers. <\/p>\n<p>Once the download completes, the archive is extracted to the system\u2019s temp directory and a VBScript file named start.vbs is silently launched through wscript, keeping the entire process invisible to the user. 
<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg2uPLSb8KvLOkhj1MDamPa_XvC4jrR_sshDJqfMmgTtEQ6wtECkrsxF19_btxScTq3fiQ1U1X4Ss487YPXblsVZ3mB99SxbgF4bq7j22RghPLUZXvPIlU43ph3qa8BfmJlFj-H_JAH7lxe-bjCa9Jt0oSe4UjSUkcZHjszdB7Tgeqi5VkTlYA1Ch-rmKk\/s16000\/PylangGhost%2520C2%2520URL%2520from%2520the%2520Windows%2520variant%2520hardcoded%2520and%2520conveniently%2520commented%2520%28Source%2520-%2520kmsec.uk%29.webp?ssl=1\" alt=\"PylangGhost C2 URL from the Windows variant hardcoded and conveniently commented (Source - kmsec.uk)\"><figcaption class=\"wp-element-caption\">PylangGhost C2 URL from the Windows variant hardcoded and conveniently commented (Source \u2013 kmsec.uk)<\/figcaption><\/figure>\n<\/div>\n<p>On macOS and Linux target machines, a shell script is fetched directly and made executable before being run.\u200b<\/p>\n<p>The Windows payload has been uploaded to VirusTotal with the hash 0be2375362227f846c56c4de2db4d3113e197f0c605c297a7e0e0c154e94464e. <\/p>\n<p>The C2 address is stored inside config.py within the archive\u2019s root folder. The RAT is also capable of enumerating Chrome extension IDs installed on the compromised machine, giving attackers a direct path to browser-stored credentials and sensitive personal data.\u200b<\/p>\n<p>Developers and security teams should immediately audit their npm dependency trees for react-refresh-update and @jaime9008\/math-service and remove both packages if found. <\/p>\n<p>All network traffic to malicanbur[.]pro and 173.211.46[.]22:8080 should be blocked at the perimeter. Integrating software composition <a href=\"https:\/\/cybersecuritynews.com\/analyzing-malwares-network-traffic\/\" id=\"83517\" target=\"_blank\" rel=\"noreferrer noopener\">analysis tools<\/a> into build and deployment pipelines helps catch compromised packages before they reach production. 
<\/p>\n<p>Any unexpected network connections made during package installation should be treated as a serious incident and investigated promptly and thoroughly.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/malicious-npm-packages-deliver-pylangghost-rat\/\">Malicious npm Packages Deliver PylangGhost RAT in New Software Supply Chain Campaign<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/malicious-npm-packages-deliver-pylangghost-rat\/\">Go to cyber-security-news<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Malicious npm Packages Deliver PylangGhost RAT in New Software Supply Chain Campaign A remote access trojan known as PylangGhost has appeared on the npm registry for the first time, concealed inside two malicious JavaScript packages. 
The malware, first publicly disclosed by Cisco Talos in June 2025 and attributed to the North Korean state-sponsored threat group [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-11394","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11394"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=11394"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11394\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=11394"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=11394"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=11394"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}