DPRK npm packages

The finest (and largest?) collection of malicious npm packages attributed to North Korea on the internet.

These npm packages facilitate FAMOUS CHOLLIMA's Contagious Interview campaign. FAMOUS CHOLLIMA is a threat actor assessed to be directed by the Democratic People's Repubic of Korea (DPRK, North Korea).

Want data from a specific time period? Manipulate the UNIX timestamp (in ms) in the start and end parameters of the URL.

Want json? GET json by appending a json URL parameter.

Showing 41 malicious npm releases from 24 distinct packages distributed between 2025-12-13 and 2026-01-12

Released	Package	IOCs
2026-01-09	express-sessions-id (3.7.5) 2026-01-09	46f433992296efe48cf3bc30d5a67f595bea70bbef049dda5de1fbc803e1d4db cb2c1b0cdf9cb22b28726542c4ce033d2ad9197bbc6294bb176051a3e42355c4
2026-01-09	debug-glitz (1.0.3) 2026-01-09	b9c6c7e46c36d028c1d84f7802868fcff86839ca6023fad6319c83d9a0152db5
2026-01-09	debug-glitz (1.0.1) 2026-01-09	9f32aed55117b0d15fe04fa725aca1c622a0878230401c135f3680e4b6283d4e
2026-01-09	chai-as-executed (2.3.4) 2026-01-09	2359317c1678d1c45b2dd70c1d3687160fe3caf62465706f77a85d816490fff2 6f9e339186e9887a2af4af76b8002470d7c9a2a6dabccc2311d77a683f5ebfe9
2026-01-09	dotenv-expanded (3.3.5) 2026-01-09	d10853dde92fdc48d8cb5505d89e0030fd35e1416a16a820fe5ec4aceef01c4f e727cc7218ede7dba2620db10b4f0118eae5e960ac3b4447edce43d7c20d8b74
2026-01-09	chai-async-test (3.3.5) 2026-01-09	d10853dde92fdc48d8cb5505d89e0030fd35e1416a16a820fe5ec4aceef01c4f e727cc7218ede7dba2620db10b4f0118eae5e960ac3b4447edce43d7c20d8b74
2026-01-09	debug-glitz (1.0.0) 2026-01-09	320a06f98cbd836903b10965a35e7ab4d6e7b1a5329b3a614548cc4448ceab69
2026-01-08	jsonwebauth (1.1.7) 2026-01-08	`log-server-lovat.vercel.app` `https://log-server-lovat.vercel.app/api/ipcheck/703` `localhost:3000` `http://localhost:3000` 47c99e55e2fad0df0c07e9c4f2e276fe94a96b026e14b6197a6b5aaa2612faf5 52f9b127ab96986528921c8e695b1500ad079e1028825f73c69bd0f6e5d7afb9
2026-01-08	chai-chain-async (2.4.3) 2026-01-08	257e2527270f7c9a252b8fbda0e2ba9b37e52255454ebe0dfa462506deb07dfa dd1d584c6b4cdb1c034cf1f6ac3ce112aef5636ffd30d84aea361f2712192154
2026-01-08	chai-dex (2.4.2) 2026-01-08	9624e1f4ddbfdc3234c4d71012b0f5f649b0220a98222cf347c046d5e9206954
2026-01-08	chai-as-executed (2.3.3) 2026-01-08	4e698e3d00cff17ed5b216322cd70289626c440635979e2d5fbad1e85a0295e7 799891384a07ea3e487eeade3cb6101d2642d4744d9fc659b58567934a72b137
2026-01-08	chai-as-enhanced (4.3.2) 2026-01-08	109929615f1e33a5cd25a9e33e91103e221d30559c69cb9076833147fdf8c27f 3423a825b36ee04e7e481634deddf76b7908f37a8636308ab02a0bc2b1b30416
2026-01-08	express-sessions-id (3.7.3) 2026-01-08	3d2c91bf7a699f1afc47e4b483e29fb4abadfb195ca629c16048852865a99783 cb2c1b0cdf9cb22b28726542c4ce033d2ad9197bbc6294bb176051a3e42355c4
2026-01-07	json-mapping-web (2.3.9) 2026-01-07	ca6026571c66d74a352bb001b7d886132bfd5990cad67d0e17e5d884ed7985e7 cb2c1b0cdf9cb22b28726542c4ce033d2ad9197bbc6294bb176051a3e42355c4
2026-01-07	express-sessions-id (3.7.2) 2026-01-07	5ecf13cef72febb0d7015bbaea6a6a9e7c9835967f8bdc2067cc57429b478ae7 cb2c1b0cdf9cb22b28726542c4ce033d2ad9197bbc6294bb176051a3e42355c4
2026-01-07	aligntype (3.3.9) 2026-01-07	cb2c1b0cdf9cb22b28726542c4ce033d2ad9197bbc6294bb176051a3e42355c4 d4b21bbca73684352a1c21a86b733f0d71890f4bd778f3fa162831515e2ba90e
2026-01-05	chai-await-chain (2.4.3) 2026-01-05	257e2527270f7c9a252b8fbda0e2ba9b37e52255454ebe0dfa462506deb07dfa dd1d584c6b4cdb1c034cf1f6ac3ce112aef5636ffd30d84aea361f2712192154
2026-01-05	chai-await-chain (2.4.2) 2026-01-05	257e2527270f7c9a252b8fbda0e2ba9b37e52255454ebe0dfa462506deb07dfa dd1d584c6b4cdb1c034cf1f6ac3ce112aef5636ffd30d84aea361f2712192154
2026-01-03	chai-as-executed (2.3.2) 2026-01-03	0484d8c54a472cf503458031d3559713d77de1e100a2a2b15470b9d1dcf980d4 28e2d08067e62cf88936ce6dbb8d94bc14cf4fdf79be1521e8118ada3ca6fde6
2025-12-30	aligntype (3.3.8) 2025-12-30	7bfa769810c8b3178c75bc58ab6ef399dd4edf475daf09beef873854ad45acdd cb2c1b0cdf9cb22b28726542c4ce033d2ad9197bbc6294bb176051a3e42355c4
2025-12-26	passport-google-auth-token (1.0.18) 2025-12-26	`${methodName.toLowerCase()}.vercel.app` `https://${methodName.toLowerCase()}.vercel.app/checkStatus?id=${self._scope.join()}` f9ea885207228b281762ae0d436d2af66b834c18578a3777688b7df6a7fe0015
2025-12-26	passport-google-auth-token (1.0.16) 2025-12-26
2025-12-26	tailwindcss-forms-kit (1.0.0) 2025-12-26	`cloudflare.com` `fastly.net` `keyIcon.com` `akamai.net` `cloudfront.net` `gcorelabs.com` `vercel.app` 57fa271b1add1fb621ab413044a16e45eb413c43d80d2545534372d2ee62a776
2025-12-26	passport-google-auth-token (1.0.15) 2025-12-26
2025-12-26	passport-google-auth-token (1.0.14) 2025-12-26
2025-12-26	passport-google-auth-token (1.0.13) 2025-12-26
2025-12-24	chai-tests-async (3.3.5) 2025-12-24	d10853dde92fdc48d8cb5505d89e0030fd35e1416a16a820fe5ec4aceef01c4f e727cc7218ede7dba2620db10b4f0118eae5e960ac3b4447edce43d7c20d8b74
2025-12-24	dotenv-intended (3.3.5) 2025-12-24	d10853dde92fdc48d8cb5505d89e0030fd35e1416a16a820fe5ec4aceef01c4f e727cc7218ede7dba2620db10b4f0118eae5e960ac3b4447edce43d7c20d8b74
2025-12-24	ncodeauth (1.1.7) 2025-12-24	`23.` `ap` `http://23.` `https://ap` `log-server-lovat.vercel.app` `https://log-server-lovat.vercel.app/api/ipcheck/703` `localhost:3000` `http://localhost:3000` 47c99e55e2fad0df0c07e9c4f2e276fe94a96b026e14b6197a6b5aaa2612faf5 52f9b127ab96986528921c8e695b1500ad079e1028825f73c69bd0f6e5d7afb9 68e6742e29531623c02b8ab7956769efe7183925b643145067850caf74539936
2025-12-23	chai-min (2.4.2) 2025-12-23	9624e1f4ddbfdc3234c4d71012b0f5f649b0220a98222cf347c046d5e9206954
2025-12-23	chai-as-enhanced (4.3.0) 2025-12-23
2025-12-22	chai-as-required (2.3.2) 2025-12-22	5230f0d52cb1fd3dc86b91f0133ffda9d0a9a0a59219b22d8caf4e40c270c82f f2a2fcc303758fc12a7e1d3c4dedff76a2c653f3759d931ac0597690ec25a20a
2025-12-19	chai-bin (1.1.7) 2025-12-19	6074abde1065b7fb2ab8d23885a183817dead4053b8a2f2dd6c91e81247ec5d7 d10853dde92fdc48d8cb5505d89e0030fd35e1416a16a820fe5ec4aceef01c4f
2025-12-19	error-fallback (2.4.2) 2025-12-19	257e2527270f7c9a252b8fbda0e2ba9b37e52255454ebe0dfa462506deb07dfa dd1d584c6b4cdb1c034cf1f6ac3ce112aef5636ffd30d84aea361f2712192154
2025-12-18	passport-google-auth-token (1.0.12) 2025-12-18
2025-12-16	react-svg-anchor (1.0.0) 2025-12-16	`cloudflare.com` `fastly.net` `keyIcon.com` `akamai.net` `cloudfront.net` `gcorelabs.com` `vercel.app` 002b0ace495286d7cae574d9423b6fabdc22cbe5317135290087bbf6759eac2a
2025-12-16	dotenv-extend (3.3.5) 2025-12-16	d10853dde92fdc48d8cb5505d89e0030fd35e1416a16a820fe5ec4aceef01c4f e727cc7218ede7dba2620db10b4f0118eae5e960ac3b4447edce43d7c20d8b74
2025-12-16	chai-promised-chains (2.4.2) 2025-12-16	257e2527270f7c9a252b8fbda0e2ba9b37e52255454ebe0dfa462506deb07dfa dd1d584c6b4cdb1c034cf1f6ac3ce112aef5636ffd30d84aea361f2712192154
2025-12-15	passport-google-auth-token (1.0.11) 2025-12-15
2025-12-15	passport-google-auth-token (1.0.10) 2025-12-15
2025-12-14	passport-google-auth-token (1.0.9) 2025-12-14

About this collection

FAMOUS CHOLLIMA has been facilitating the Contagious Interview campaign by deploying npm packages to the npm registry as early as August 2024. I have been actively tracking FAMOUS CHOLLIMA’s package distributions since ~February 2025 and in July 2025 I opened the collection to the public.

Every package and version listed here has been manually attributed to FAMOUS CHOLLIMA with high confidence based on the characteristics of the alleged maintainer, the package contents, the indicators, and the malware behaviour (if I’ve made a mistake, please contact me below).

The IOCs represent only the earliest stages of an infection chain. Typically these packages are designed to execute remote content that facilitates further infection (i.e. OtterCookie, BEAVERTAIL, et. al.) and involve more indicators than are visible here.

This collection is not an exhaustive list. Packages slip through my hunting and attribution process. Other researchers have discovered some too, but I believe this is the largest open collection of Contagious Interview npm packages on the internet.

Time permitting, I intend to share some technical details of my tracking and some notable findings (I really should update my blog). In the meantime, I recommend socket.dev’s series of posts on the campaign. They have done a really great job of reporting on the campaign in detail:

January 2025 - North Korean APT Lazarus Targets Developers with Malicious npm Package
March 2025 - Lazarus Strikes npm Again with New Wave of Malicious Packages
April 2025 - Lazarus Expands Malicious npm Campaign: 11 New Packages Add Malware Loaders and Bitbucket Payloads
June 2025 - Another Wave: North Korean Contagious Interview Campaign Drops 35 New Malicious npm Packages
October 2025 - North Korea’s Contagious Interview Campaign Escalates: 338 Malicious npm Packages, 50,000 Downloads - Thanks for the credit!

Want to get in touch? Contact dprk-research[@]pm[.]me.