DPRK npm packages

The finest (and largest?) collection of malicious npm packages attributed to North Korea on the internet.

These npm packages facilitate FAMOUS CHOLLIMA's Contagious Interview campaign. FAMOUS CHOLLIMA is a threat actor assessed to be directed by the Democratic People's Repubic of Korea (DPRK, North Korea).

Want data from a specific time period? Manipulate the UNIX timestamp (in ms) in the start and end parameters of the URL.

Want json? GET json by appending a json URL parameter.

Showing 57 malicious npm releases from 37 distinct packages distributed between 2025-12-24 and 2026-01-23

Released	Package	IOCs
2026-01-22	align-configer (3.4.3) 2026-01-22	cb2c1b0cdf9cb22b28726542c4ce033d2ad9197bbc6294bb176051a3e42355c4 d4b21bbca73684352a1c21a86b733f0d71890f4bd778f3fa162831515e2ba90e
2026-01-22	align-configer (3.4.2) 2026-01-22	7ada00ae3d61483d08b28c66095eaf1ed75f16f2f03b9508a9c892d8f040cf3d cb2c1b0cdf9cb22b28726542c4ce033d2ad9197bbc6294bb176051a3e42355c4
2026-01-22	jwt-pack (1.1.7) 2026-01-22	`log-server-lovat.vercel.app` `https://log-server-lovat.vercel.app/api/ipcheck/703` `localhost:3000` `http://localhost:3000` 47c99e55e2fad0df0c07e9c4f2e276fe94a96b026e14b6197a6b5aaa2612faf5 52f9b127ab96986528921c8e695b1500ad079e1028825f73c69bd0f6e5d7afb9
2026-01-22	aligntypeer (3.3.9) 2026-01-22	7ada00ae3d61483d08b28c66095eaf1ed75f16f2f03b9508a9c892d8f040cf3d cb2c1b0cdf9cb22b28726542c4ce033d2ad9197bbc6294bb176051a3e42355c4
2026-01-21	svg-sanitizer-tool (1.0.5) 2026-01-21	`www.jsonkeeper.com` `https://www.jsonkeeper.com/b/RMDXG` dd587fd6b31cd79c3cd0a3385b7e0b1d0909730e6ce538ffd193799ff422a22e
2026-01-21	svg-sanitizer-tool (1.0.4) 2026-01-21	`www.jsonkeeper.com` `https://www.jsonkeeper.com/b/RMDXG` 7b3921f161761bc199c0b2ed5fbbea361ab75381665ae55d615f1e25ba29d124
2026-01-21	svg-sanitizer-tool (1.0.3) 2026-01-21	7a19ba7554c032b1960341146fba8939337a96ac368406a88bc77bd27138da83
2026-01-21	svg-sanitizer-tool (1.0.2) 2026-01-21	2b74083928c998b202972da9680b9fb8df2578b73795ffcb9b76691c8f6b01ab
2026-01-21	svg-sanitizer-tool (1.0.0) 2026-01-21	0c7240b639437a45389e0671e1b00d8d18080c96e54460824013514e6d138c01
2026-01-21	aligntyper (3.3.9) 2026-01-21	cb2c1b0cdf9cb22b28726542c4ce033d2ad9197bbc6294bb176051a3e42355c4 d4b21bbca73684352a1c21a86b733f0d71890f4bd778f3fa162831515e2ba90e
2026-01-21	react-svg-handler (1.0.1) 2026-01-21	`cloudflare.com` `fastly.net` `keyIcon.com` `akamai.net` `cloudfront.net` `gcorelabs.com` 83888031cdd375aadc1f8dbbe7bded75147c82c0e2769270936f40984229709f
2026-01-21	chai-px (2.4.2) 2026-01-21	9624e1f4ddbfdc3234c4d71012b0f5f649b0220a98222cf347c046d5e9206954
2026-01-21	chai-chains-async (2.4.3) 2026-01-21	257e2527270f7c9a252b8fbda0e2ba9b37e52255454ebe0dfa462506deb07dfa dd1d584c6b4cdb1c034cf1f6ac3ce112aef5636ffd30d84aea361f2712192154
2026-01-21	js-copack (1.1.8) 2026-01-21	`log-server-lovat.vercel.app` `https://log-server-lovat.vercel.app/api/ipcheck/703` `localhost:3000` `http://localhost:3000` 47c99e55e2fad0df0c07e9c4f2e276fe94a96b026e14b6197a6b5aaa2612faf5 52f9b127ab96986528921c8e695b1500ad079e1028825f73c69bd0f6e5d7afb9
2026-01-21	dotenv-embed (3.3.5) 2026-01-21	d10853dde92fdc48d8cb5505d89e0030fd35e1416a16a820fe5ec4aceef01c4f e727cc7218ede7dba2620db10b4f0118eae5e960ac3b4447edce43d7c20d8b74
2026-01-21	chai-async-tests (3.3.5) 2026-01-21	d10853dde92fdc48d8cb5505d89e0030fd35e1416a16a820fe5ec4aceef01c4f e727cc7218ede7dba2620db10b4f0118eae5e960ac3b4447edce43d7c20d8b74
2026-01-21	js-copack (1.1.7) 2026-01-21	`log-server-lovat.vercel.app` `https://log-server-lovat.vercel.app/api/ipcheck/703` `localhost:3000` `http://localhost:3000` 47c99e55e2fad0df0c07e9c4f2e276fe94a96b026e14b6197a6b5aaa2612faf5 52f9b127ab96986528921c8e695b1500ad079e1028825f73c69bd0f6e5d7afb9
2026-01-20	chai-sub (1.1.7) 2026-01-20	6074abde1065b7fb2ab8d23885a183817dead4053b8a2f2dd6c91e81247ec5d7 d10853dde92fdc48d8cb5505d89e0030fd35e1416a16a820fe5ec4aceef01c4f
2026-01-19	tailwindcss-forms-bundler (1.3.7) 2026-01-19	`cloudflare.com` `fastly.net` `keyIcon.com` `akamai.net` `cloudfront.net` `gcorelabs.com` `vercel.app` 3b1fa77b4fad8edcacec3cbe5adb3a1e8ea24fead9a5d39b762570f3b15bcea2
2026-01-19	react-toast-cold (2.6.0) 2026-01-19	`vscode-ext-git.vercel.app` `https://vscode-ext-git.vercel.app/api/m?token=THKASDFOWG` `https://vscode-ext-git.vercel.app/api/l?token=THKASDFOWG` b597a8de6bc4ef12c62ad6c05636f5214e5398669ce0786c5c359734c92cdd5a
2026-01-19	chai-as-hashed (2.3.4) 2026-01-19	2359317c1678d1c45b2dd70c1d3687160fe3caf62465706f77a85d816490fff2 6f9e339186e9887a2af4af76b8002470d7c9a2a6dabccc2311d77a683f5ebfe9
2026-01-16	chai-as-extended (5.0.1) 2026-01-16	109929615f1e33a5cd25a9e33e91103e221d30559c69cb9076833147fdf8c27f 3423a825b36ee04e7e481634deddf76b7908f37a8636308ab02a0bc2b1b30416
2026-01-14	debug-glitzs (1.0.1) 2026-01-14	`fundraiser-success.vercel.app` cf04db3d87844c93443e7ea77ce9da8ed7b2fe95a63a992add8d6f3851a4adb0
2026-01-14	debug-glitzs (1.0.0) 2026-01-14	`fundraiser-success.vercel.app` 1215e4646d74c7078ae8ecd7f4d48041fe4a4ce16e11e6209e7f634000302722
2026-01-13	fileupload-core (2.4.3) 2026-01-13	257e2527270f7c9a252b8fbda0e2ba9b37e52255454ebe0dfa462506deb07dfa dd1d584c6b4cdb1c034cf1f6ac3ce112aef5636ffd30d84aea361f2712192154
2026-01-13	https-emailjs (7.0.14) 2026-01-13	`vscode-ext-git.vercel.app` `https://vscode-ext-git.vercel.app/api/m?token=THKASDFOWG` `https://vscode-ext-git.vercel.app/api/l?token=THKASDFOWG` 3f15eb2cca419a56ef529bea1bf08429e5d93363bcac8085a6aaa08b9878c511 952aaf0ce09b609fc32c882599a693dc9a554f10dbf0b35fc8bc35fd23e4f9a3
2026-01-12	fileuploadcore (2.4.3) 2026-01-12	257e2527270f7c9a252b8fbda0e2ba9b37e52255454ebe0dfa462506deb07dfa dd1d584c6b4cdb1c034cf1f6ac3ce112aef5636ffd30d84aea361f2712192154
2026-01-12	express-lists-routes (3.7.5) 2026-01-12	46f433992296efe48cf3bc30d5a67f595bea70bbef049dda5de1fbc803e1d4db cb2c1b0cdf9cb22b28726542c4ce033d2ad9197bbc6294bb176051a3e42355c4
2026-01-11	https-emailjs (7.0.13) 2026-01-11
2026-01-09	express-sessions-id (3.7.5) 2026-01-09	46f433992296efe48cf3bc30d5a67f595bea70bbef049dda5de1fbc803e1d4db cb2c1b0cdf9cb22b28726542c4ce033d2ad9197bbc6294bb176051a3e42355c4
2026-01-09	debug-glitz (1.0.3) 2026-01-09	b9c6c7e46c36d028c1d84f7802868fcff86839ca6023fad6319c83d9a0152db5
2026-01-09	debug-glitz (1.0.1) 2026-01-09	9f32aed55117b0d15fe04fa725aca1c622a0878230401c135f3680e4b6283d4e
2026-01-09	chai-as-executed (2.3.4) 2026-01-09	2359317c1678d1c45b2dd70c1d3687160fe3caf62465706f77a85d816490fff2 6f9e339186e9887a2af4af76b8002470d7c9a2a6dabccc2311d77a683f5ebfe9
2026-01-09	dotenv-expanded (3.3.5) 2026-01-09	d10853dde92fdc48d8cb5505d89e0030fd35e1416a16a820fe5ec4aceef01c4f e727cc7218ede7dba2620db10b4f0118eae5e960ac3b4447edce43d7c20d8b74
2026-01-09	chai-async-test (3.3.5) 2026-01-09	d10853dde92fdc48d8cb5505d89e0030fd35e1416a16a820fe5ec4aceef01c4f e727cc7218ede7dba2620db10b4f0118eae5e960ac3b4447edce43d7c20d8b74
2026-01-09	debug-glitz (1.0.0) 2026-01-09	320a06f98cbd836903b10965a35e7ab4d6e7b1a5329b3a614548cc4448ceab69
2026-01-08	jsonwebauth (1.1.7) 2026-01-08	`log-server-lovat.vercel.app` `https://log-server-lovat.vercel.app/api/ipcheck/703` `localhost:3000` `http://localhost:3000` 47c99e55e2fad0df0c07e9c4f2e276fe94a96b026e14b6197a6b5aaa2612faf5 52f9b127ab96986528921c8e695b1500ad079e1028825f73c69bd0f6e5d7afb9
2026-01-08	chai-chain-async (2.4.3) 2026-01-08	257e2527270f7c9a252b8fbda0e2ba9b37e52255454ebe0dfa462506deb07dfa dd1d584c6b4cdb1c034cf1f6ac3ce112aef5636ffd30d84aea361f2712192154
2026-01-08	chai-dex (2.4.2) 2026-01-08	9624e1f4ddbfdc3234c4d71012b0f5f649b0220a98222cf347c046d5e9206954
2026-01-08	chai-as-executed (2.3.3) 2026-01-08	4e698e3d00cff17ed5b216322cd70289626c440635979e2d5fbad1e85a0295e7 799891384a07ea3e487eeade3cb6101d2642d4744d9fc659b58567934a72b137
2026-01-08	chai-as-enhanced (4.3.2) 2026-01-08	109929615f1e33a5cd25a9e33e91103e221d30559c69cb9076833147fdf8c27f 3423a825b36ee04e7e481634deddf76b7908f37a8636308ab02a0bc2b1b30416
2026-01-08	express-sessions-id (3.7.3) 2026-01-08	3d2c91bf7a699f1afc47e4b483e29fb4abadfb195ca629c16048852865a99783 cb2c1b0cdf9cb22b28726542c4ce033d2ad9197bbc6294bb176051a3e42355c4
2026-01-07	json-mapping-web (2.3.9) 2026-01-07	ca6026571c66d74a352bb001b7d886132bfd5990cad67d0e17e5d884ed7985e7 cb2c1b0cdf9cb22b28726542c4ce033d2ad9197bbc6294bb176051a3e42355c4
2026-01-07	express-sessions-id (3.7.2) 2026-01-07	5ecf13cef72febb0d7015bbaea6a6a9e7c9835967f8bdc2067cc57429b478ae7 cb2c1b0cdf9cb22b28726542c4ce033d2ad9197bbc6294bb176051a3e42355c4
2026-01-07	aligntype (3.3.9) 2026-01-07	cb2c1b0cdf9cb22b28726542c4ce033d2ad9197bbc6294bb176051a3e42355c4 d4b21bbca73684352a1c21a86b733f0d71890f4bd778f3fa162831515e2ba90e
2026-01-05	chai-await-chain (2.4.3) 2026-01-05	257e2527270f7c9a252b8fbda0e2ba9b37e52255454ebe0dfa462506deb07dfa dd1d584c6b4cdb1c034cf1f6ac3ce112aef5636ffd30d84aea361f2712192154
2026-01-05	chai-await-chain (2.4.2) 2026-01-05	257e2527270f7c9a252b8fbda0e2ba9b37e52255454ebe0dfa462506deb07dfa dd1d584c6b4cdb1c034cf1f6ac3ce112aef5636ffd30d84aea361f2712192154
2026-01-03	chai-as-executed (2.3.2) 2026-01-03	0484d8c54a472cf503458031d3559713d77de1e100a2a2b15470b9d1dcf980d4 28e2d08067e62cf88936ce6dbb8d94bc14cf4fdf79be1521e8118ada3ca6fde6
2025-12-30	aligntype (3.3.8) 2025-12-30	7bfa769810c8b3178c75bc58ab6ef399dd4edf475daf09beef873854ad45acdd cb2c1b0cdf9cb22b28726542c4ce033d2ad9197bbc6294bb176051a3e42355c4
2025-12-26	passport-google-auth-token (1.0.18) 2025-12-26	`${methodName.toLowerCase()}.vercel.app` `https://${methodName.toLowerCase()}.vercel.app/checkStatus?id=${self._scope.join()}` f9ea885207228b281762ae0d436d2af66b834c18578a3777688b7df6a7fe0015
2025-12-26	passport-google-auth-token (1.0.16) 2025-12-26
2025-12-26	tailwindcss-forms-kit (1.0.0) 2025-12-26	`cloudflare.com` `fastly.net` `keyIcon.com` `akamai.net` `cloudfront.net` `gcorelabs.com` `vercel.app` 57fa271b1add1fb621ab413044a16e45eb413c43d80d2545534372d2ee62a776
2025-12-26	passport-google-auth-token (1.0.15) 2025-12-26
2025-12-26	passport-google-auth-token (1.0.14) 2025-12-26
2025-12-26	passport-google-auth-token (1.0.13) 2025-12-26
2025-12-24	chai-tests-async (3.3.5) 2025-12-24	d10853dde92fdc48d8cb5505d89e0030fd35e1416a16a820fe5ec4aceef01c4f e727cc7218ede7dba2620db10b4f0118eae5e960ac3b4447edce43d7c20d8b74
2025-12-24	dotenv-intended (3.3.5) 2025-12-24	d10853dde92fdc48d8cb5505d89e0030fd35e1416a16a820fe5ec4aceef01c4f e727cc7218ede7dba2620db10b4f0118eae5e960ac3b4447edce43d7c20d8b74

About this collection

FAMOUS CHOLLIMA has been facilitating the Contagious Interview campaign by deploying npm packages to the npm registry as early as August 2024. I have been actively tracking FAMOUS CHOLLIMA’s package distributions since ~February 2025 and in July 2025 I opened the collection to the public.

Every package and version listed here has been manually attributed to FAMOUS CHOLLIMA with high confidence based on the characteristics of the alleged maintainer, the package contents, the indicators, and the malware behaviour (if I’ve made a mistake, please contact me below).

The IOCs represent only the earliest stages of an infection chain. Typically these packages are designed to execute remote content that facilitates further infection (i.e. OtterCookie, BEAVERTAIL, et. al.) and involve more indicators than are visible here.

This collection is not an exhaustive list. Packages slip through my hunting and attribution process. Other researchers have discovered some too, but I believe this is the largest open collection of Contagious Interview npm packages on the internet.

Time permitting, I intend to share some technical details of my tracking and some notable findings (I really should update my blog). In the meantime, I recommend socket.dev’s series of posts on the campaign. They have done a really great job of reporting on the campaign in detail:

January 2025 - North Korean APT Lazarus Targets Developers with Malicious npm Package
March 2025 - Lazarus Strikes npm Again with New Wave of Malicious Packages
April 2025 - Lazarus Expands Malicious npm Campaign: 11 New Packages Add Malware Loaders and Bitbucket Payloads
June 2025 - Another Wave: North Korean Contagious Interview Campaign Drops 35 New Malicious npm Packages
October 2025 - North Korea’s Contagious Interview Campaign Escalates: 338 Malicious npm Packages, 50,000 Downloads - Thanks for the credit!

Want to get in touch? Contact dprk-research[@]pm[.]me.