GoPlus Warns of 26 Malicious npm Packages Tied to North Korean "Famous Chollima" Campaign

GoPlus Chinese Community warned on X on March 3 that 26 malicious packages allegedly linked to North Korean hackers have been published on the npm registry. Each package contains an "install.js" script that executes during installation and triggers harmful code in "vendor/scryptjs/version.js". That code downloads and runs a remote access trojan via a single malicious URL, enabling keylogging, clipboard data theft, browser credential harvesting, TruffleHog-based secret scanning, Git repository exfiltration, and SSH key theft. The operation is associated with the "Famous Chollima" hacking campaign.

Users and developers are advised to verify package sources and security before installation, and to avoid the following 26 npm packages, to reduce the risk of privacy breaches or asset loss: argonist@0.41.0, bcryptance@6.5.2, beequarl@2.1.2, bubblecore@6.26.2, corstoken@2.14.7, daytonjs@1.11.20, etherlint@5.9.4, expressjslint@5.3.2, fastifylint@5.8.0, formmiderable@3.5.7, hapilint@19.1.2, iosysredis@5.13.2, jslintconfig@10.22.2, jsnwebapptoken@8.40.2, kafkajslint@2.21.3, loadashlint@4.17.24, mqttoken@5.40.2, prismlint@7.4.2, promanage@6.0.21, sequelization@6.40.2, typoriem@0.4.17, undicylint@7.23.1, uuindex@13.1.0, vitetestlint@4.1.21, windowston@3.19.2, zoddle@4.4.2.
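
A lockfile check for the 26 packages listed above, as an added example that is not from GoPlus or the original post. It assumes an npm package-lock.json with lockfileVersion 2 or 3 (a `packages` map that records `hasInstallScript`); `scanLockfile`, `nameFromPath` and the sample lockfile are constructed for illustration.

```javascript
// Names and versions copied from the list in the warning above.
const FLAGGED = new Map(`
  argonist@0.41.0 bcryptance@6.5.2 beequarl@2.1.2 bubblecore@6.26.2
  corstoken@2.14.7 daytonjs@1.11.20 etherlint@5.9.4 expressjslint@5.3.2
  fastifylint@5.8.0 formmiderable@3.5.7 hapilint@19.1.2 iosysredis@5.13.2
  jslintconfig@10.22.2 jsnwebapptoken@8.40.2 kafkajslint@2.21.3
  loadashlint@4.17.24 mqttoken@5.40.2 prismlint@7.4.2 promanage@6.0.21
  sequelization@6.40.2 typoriem@0.4.17 undicylint@7.23.1 uuindex@13.1.0
  vitetestlint@4.1.21 windowston@3.19.2 zoddle@4.4.2
`.trim().split(/\s+/).map((spec) => spec.split("@")));

// "node_modules/a/node_modules/b" -> "b" (nested copies are scanned too).
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i < 0 ? path : path.slice(i + marker.length);
}

// Scan the text of a package-lock.json and return one finding per flagged
// package, including transitive dependencies. Any version of a flagged name
// is reported; listedVersion says whether it is the exact version in the warning.
function scanLockfile(text) {
  const lock = JSON.parse(text);
  if (!lock.packages) throw new Error("no 'packages' map (lockfileVersion 1 is not handled)");
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue; // the root project itself
    const name = entry.name || nameFromPath(path);
    if (!FLAGGED.has(name)) continue;
    findings.push({
      name, path, version: entry.version,
      listedVersion: FLAGGED.get(name) === entry.version,
      hasInstallScript: entry.hasInstallScript === true, // install hook present
    });
  }
  return findings;
}

// Constructed sample lockfile (not taken from a real project).
const SAMPLE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/express": { version: "4.18.2" },
  "node_modules/zoddle": { version: "4.4.2", hasInstallScript: true },
  "node_modules/express/node_modules/uuindex": { version: "13.0.0" },
} });

console.log(scanLockfile(SAMPLE_LOCK));
```

Because the payload is triggered by "install.js" at install time, run the check on the lockfile before installing; `npm ci --ignore-scripts` prevents install scripts from running at all.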