North Korean hackers have released 26 malicious npm packages that use a Pastebin command-and-control (C2) server to deploy a cross-platform Remote Access Trojan (RAT). This attack exploits open-source repositories to distribute malware targeting multiple operating systems, posing a significant threat to software supply chains.
Who should care: CISOs, SOC leads, threat intelligence analysts, fraud & risk leaders, identity & access management teams, and security operations teams.
What happened?
North Korean state-sponsored hackers have compromised the npm ecosystem by publishing 26 malicious packages designed to deliver a cross-platform Remote Access Trojan (RAT). The packages use a Pastebin-based C2 server, which lets the attackers manage the malware on infected systems without standing up infrastructure of their own. Because Pastebin is a widely used text storage service, traffic to it rarely stands out, so the adversaries can evade traditional detection methods and maintain persistent control over the RAT.

The packages were crafted to blend into the npm ecosystem, which countless software development projects depend on. Any system that installs them is exposed, so the compromise reaches well beyond the packages themselves. The incident illustrates the growing risk of supply chain attacks, in which adversaries target the software development lifecycle to reach downstream users, and the difficulty organizations face in securing open-source dependencies that are often integrated without sufficient scrutiny. It fits a broader pattern of nation-state actors exploiting popular development platforms for the trust and reach they command. The cross-platform RAT amplifies the threat further, since a single payload can operate across diverse environments.
Why now?
This attack comes amid a rising wave of state-sponsored cyber operations targeting open-source platforms. Over the past 18 months, adversaries have increasingly exploited repositories like npm because of their extensive reach and the minimal barriers to publishing code. The use of services such as Pastebin for C2 communications has grown because these platforms provide discreet channels that bypass many conventional security defenses. This shift reflects a deliberate strategy by nation-states to exploit the inherent trust in open-source ecosystems, and organizations must evolve their security postures to address it.
So what?
The attack reveals critical weaknesses in the software supply chain that sophisticated adversaries can exploit. Operationally, organizations must reassess how they manage and secure their open-source dependencies. Continuous monitoring and rigorous auditing of third-party packages are essential to detect malicious activity early. The use of Pastebin as a C2 channel also means security teams need detection coverage for unconventional communication methods that evade traditional monitoring, which in turn requires updating threat intelligence frameworks and integrating new indicators of compromise for such tactics.
What this means for you:
- For CISOs: Prioritize implementing comprehensive supply chain security strategies to safeguard against threats originating from open-source repositories.
- For SOC leads: Strengthen monitoring systems to identify anomalous C2 traffic, especially communications leveraging platforms like Pastebin.
- For threat intelligence analysts: Intensify efforts to detect patterns of state-sponsored activity within open-source ecosystems to proactively counter emerging threats.
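One concrete way SOC teams can act on the monitoring advice above is to triage web-proxy logs for paste-service traffic originating from build and CI hosts, where an npm install should never need to reach Pastebin. The script below is an added example written for this briefing, not code from the article or from any of the reported packages. It assumes a constructed proxy log format (`timestamp source-host method url status`), a hypothetical naming prefix `ci-` for build hosts, and treats only `pastebin.com` (the service named in the briefing) as a paste host; extend the set from your own threat intelligence.

```javascript
// Added example: triage outbound paste-service requests in proxy logs.
// Everything below (log format, hostnames, paste IDs) is constructed.

// The briefing names Pastebin; add other paste services from your own intel.
const PASTE_SERVICE_HOSTS = new Set(['pastebin.com']);
// Assumption: build/CI hosts share a naming prefix. Adjust to your inventory.
const BUILD_HOST_PREFIX = 'ci-';

// Constructed sample log: "<ts> <src-host> <method> <url> <status>"
const SAMPLE_PROXY_LOG = `
2026-02-27T10:01:02Z ci-runner-03 GET https://registry.npmjs.org/left-pad 200
2026-02-27T10:01:05Z ci-runner-03 GET https://pastebin.com/raw/EXAMPLE1 200
2026-02-27T10:02:11Z laptop-jdoe GET https://pastebin.com/EXAMPLE2 200
2026-02-27T10:03:40Z ci-runner-07 POST https://pastebin.com/api/api_post.php 200
2026-02-27T10:04:00Z ci-runner-07 GET https://github.com/org/repo 200
`.trim();

// Parse one log line into a record; returns null for blank or malformed lines.
function parseProxyLine(line) {
  const [ts, host, method, url, status] = line.trim().split(/\s+/);
  if (!ts || !host || !method || !url) return null;
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return null;
  }
  return {
    ts,
    host,
    method,
    url,
    hostname: parsed.hostname,
    path: parsed.pathname,
    status: Number(status),
  };
}

// Assign a severity to a record, or null when it is not paste-service traffic.
// A raw-paste fetch from a build host is the pattern the briefing describes:
// install-time code reaching out to Pastebin for its C2 instructions.
function classifyPasteTraffic(rec) {
  if (!PASTE_SERVICE_HOSTS.has(rec.hostname)) return null;
  const fromBuildHost = rec.host.startsWith(BUILD_HOST_PREFIX);
  const rawFetch = rec.path.startsWith('/raw/');
  if (fromBuildHost && rawFetch) return 'high';
  if (fromBuildHost) return 'medium';
  return 'low'; // a workstation visiting a paste site is usually benign
}

// Run the detection over a whole log and return the alerts in log order.
function detectPasteC2(logText) {
  const alerts = [];
  for (const line of logText.split('\n')) {
    const rec = parseProxyLine(line);
    if (!rec) continue;
    const severity = classifyPasteTraffic(rec);
    if (severity) alerts.push({ ...rec, severity });
  }
  return alerts;
}

// Stand-alone run over the constructed sample.
for (const a of detectPasteC2(SAMPLE_PROXY_LOG)) {
  console.log(`[${a.severity}] ${a.ts} ${a.host} ${a.method} ${a.url}`);
}
```

The severity split matters in practice: paste sites see plenty of legitimate browsing from workstations, so alerting on every hit would bury the signal. Restricting the high-severity rule to build hosts and raw-paste paths keeps the rule aligned with the behaviour the briefing describes while staying quiet on ordinary use.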
Quick Hits
- Impact / Risk: Malicious npm packages used to distribute malware pose a serious threat to software supply chains and end-users.
- Operational Implication: Organizations need to reevaluate open-source dependency management and improve monitoring for non-traditional C2 channels.
- Action This Week: Conduct a thorough audit of all npm dependencies and update security protocols to detect Pastebin-based C2 communications.
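For the dependency audit recommended under "Action This Week", the two traits worth surfacing first are install-time lifecycle scripts (the point at which an npm package can run code on a developer or CI machine) and references to Pastebin inside the files those scripts execute. The script below is an added example written for this briefing; it is not the article's code and does not reproduce any of the reported packages. It works on constructed in-memory manifests and file contents so it runs offline; a real audit would read each package's `package.json` and source from `node_modules`. The package names and contents are placeholders.

```javascript
// Added example: audit resolved npm packages for install-time hooks and
// paste-service references. All package data below is constructed.

// npm runs these hooks during `npm install` (plus `prepare` for git deps).
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// The briefing names Pastebin; extend the pattern from your own intel.
const PASTE_HOST_RE = /pastebin\.com/i;

// Constructed sample: name -> { manifest: package.json, files: { path: source } }
const SAMPLE_PACKAGES = {
  'good-lib': {
    manifest: { name: 'good-lib', version: '1.0.0', scripts: { test: 'node test.js' } },
    files: { 'index.js': 'module.exports = () => 42;' },
  },
  'builds-native': {
    // A lifecycle hook alone is common and legitimate (native add-on builds).
    manifest: { name: 'builds-native', version: '2.3.1', scripts: { install: 'node-gyp rebuild' } },
    files: { 'binding.gyp': '{}' },
  },
  'totally-legit-utils': {
    // Hook plus a paste-service URL in the hooked file: the pattern to escalate.
    manifest: { name: 'totally-legit-utils', version: '0.0.9', scripts: { postinstall: 'node setup.js' } },
    files: { 'setup.js': "const u = 'https://pastebin.com/raw/PLACEHOLDER'; // constructed" },
  },
};

// Audit one package and return its risk level with the supporting findings.
function auditPackage(name, pkg) {
  const findings = [];
  const scripts = (pkg.manifest && pkg.manifest.scripts) || {};
  const hooks = LIFECYCLE_HOOKS.filter((h) => h in scripts);
  if (hooks.length) {
    findings.push({
      type: 'lifecycle-script',
      detail: hooks.map((h) => `${h}: ${scripts[h]}`).join('; '),
    });
  }
  for (const [path, src] of Object.entries(pkg.files || {})) {
    if (PASTE_HOST_RE.test(src)) {
      findings.push({ type: 'paste-service-reference', detail: path });
    }
  }
  const types = new Set(findings.map((f) => f.type));
  let risk = 'none';
  if (types.has('lifecycle-script') && types.has('paste-service-reference')) risk = 'high';
  else if (findings.length) risk = 'review';
  return { name, version: pkg.manifest.version, risk, findings };
}

// Audit every package and keep only those that need attention.
function auditAll(packages) {
  return Object.entries(packages)
    .map(([name, pkg]) => auditPackage(name, pkg))
    .filter((r) => r.risk !== 'none');
}

// Stand-alone run over the constructed sample.
for (const r of auditAll(SAMPLE_PACKAGES)) {
  console.log(`[${r.risk}] ${r.name}@${r.version}`);
  for (const f of r.findings) console.log(`    ${f.type}: ${f.detail}`);
}
```

Two notes on using this. First, a lifecycle script by itself is a "review" item, not an alert, because native add-ons legitimately build at install time; the combination with a paste-service reference is what warrants escalation. Second, as a standing mitigation independent of any scan, npm's `ignore-scripts` config (`npm config set ignore-scripts true`, or `npm install --ignore-scripts`) prevents lifecycle hooks from running at all, which removes the install-time execution point this attack relies on; packages that genuinely need a build step then have to be allow-listed deliberately.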
Sources
- North Korean Hackers Publish 26 npm Packages Hiding Pastebin C2 for Cross-Platform RAT
This article was produced by Cyber Security AI Guru's AI-assisted editorial team. Reviewed for clarity and factual alignment.