Malware - Malicious npm Packages Deliver PylangGhost RAT
Basically, bad software hidden in popular coding tools can let hackers into your computer.
A new remote access trojan, PylangGhost, has infiltrated npm packages, posing a serious risk to developers. This malware, linked to North Korean hackers, could compromise entire organizations. Immediate action is essential to mitigate the threat.
What Happened
A remote access trojan (RAT) named PylangGhost has emerged on the npm registry, hidden within two malicious JavaScript packages. This malware, first reported by Cisco Talos in June 2025, is attributed to the North Korean state-sponsored group FAMOUS CHOLLIMA. Their strategy marks a significant escalation in software supply chain attacks, specifically targeting developers worldwide.
The malicious packages, published by a user named jaime9008, include @jaime9008/math-service and react-refresh-update. They were uploaded in late February and early March 2026, respectively. Both packages have undergone rapid updates, embedding the PylangGhost loader in crucial JavaScript files. This development highlights a calculated effort by FAMOUS CHOLLIMA to compromise development pipelines on a larger scale than ever before.
Who's Being Targeted
Developers who installed these malicious npm packages are at risk of having their systems compromised without any visible signs. The broader implications of this attack extend beyond individual developers, as npm packages are often integrated into large-scale projects and automated build systems. A single infected package can expose entire organizations to significant security threats.
The use of a convincing package name like react-refresh-update makes it easier for the malware to evade detection during routine dependency reviews. This stealthy approach allows the malware to execute its payload without raising suspicion, increasing the potential impact on development environments.
Signs of Infection
Once a developer installs an affected package, the infection chain begins. A JavaScript loader embedded in specific files executes automatically, following a decode-decrypt-evaluate sequence. It uses a hardcoded XOR key to unlock the hidden payload. The loader checks the operating system and adjusts its behavior accordingly.
On Windows machines, for instance, the malware downloads a ZIP archive from a specified domain in small increments to bypass network monitoring tools. This process remains invisible to the user, as it extracts files to the system’s temp directory and launches a VBScript file without user intervention. On macOS and Linux, a shell script is fetched and executed directly, further complicating detection efforts.
How to Protect Yourself
Developers and security teams must take immediate action to mitigate the risks associated with these malicious packages. They should audit their npm dependency trees for react-refresh-update and @jaime9008/math-service, removing any instances found. Additionally, blocking all network traffic to the command-and-control server at malicanbur[.]pro is crucial.
Integrating software composition analysis tools into build and deployment pipelines can help identify compromised packages before they reach production. Any unexpected network connections during package installation should be treated as a serious incident, warranting thorough investigation and remediation. By staying vigilant and proactive, developers can protect their systems and organizations from this sophisticated malware campaign.
Cyber Security News