Malicious npm packages deliver PylangGhost RAT in new software supply chain campaign

A new software supply chain campaign has pushed the PylangGhost remote access trojan through malicious npm packages, expanding a malware family previously tied to North Korean threat activity into one of the world’s most widely used developer ecosystems. Security researchers say the packages react-refresh-update and @jaime9008/math-service carried an obfuscated JavaScript loader that fetched platform-specific payloads for Windows, macOS, and Linux.

This is notable because Cisco Talos first disclosed PylangGhost in June 2025 as a Python-based RAT used by the North Korean-aligned actor Famous Chollima. Talos said the malware was functionally similar to GolangGhost and, at the time, mainly targeted people with cryptocurrency and blockchain experience through fake job lures. The new npm campaign suggests the malware is now being adapted for broader developer-focused delivery.

Research shared by Kmsec and indexed by lazarusholic shows the first observed npm instances appeared in late February and early March 2026 under the publisher name jaime9008, tied to the email [email protected]. The same reporting says this is the first observed case of PylangGhost showing up on npm, with hardcoded indicators including malicanbur.pro and 173.211.46.22:8080.

The package choice also looks deliberate. react-refresh-update closely resembles the name of Meta’s legitimate react-refresh package, which SafeDep says gets tens of millions of weekly downloads. That kind of naming can help a malicious package blend into normal dependency reviews, especially inside rushed CI/CD workflows or large JavaScript projects.

What happened

According to the published research trail, the malicious npm packages did not need to look obviously broken. Infected versions appeared to include a hidden loader in files such as runtime.js, babel.js, and lib/lib.js, while the rest of the package behaved normally enough to avoid immediate suspicion. That makes the campaign more dangerous because developers can pull the dependency and continue working without noticing anything unusual on screen.

The loader then decrypted and executed the next stage in memory. Researchers report that the code used a decode, decrypt, and evaluate flow, with a hardcoded XOR key, before checking the target operating system and downloading the relevant payload. Reporting on the campaign says the Windows path fetched a ZIP archive, extracted it into a temporary folder, and launched a VBScript file with wscript, while macOS and Linux pulled a shell script instead.

That cross-platform behavior marks a shift from the Windows and macOS focus Cisco Talos described in mid-2025. In Talos’ earlier write-up, Linux users were not targeted in those PylangGhost campaigns. The npm route appears broader, at least based on the available reporting around how the loader selects and downloads its next stage.

Why this campaign matters

The biggest risk is not limited to one developer laptop. npm packages often land inside build servers, shared internal tooling, and downstream products. A malicious dependency can therefore move from one local install into a much larger engineering environment if teams do not catch it early. SafeDep’s recent research on malicious npm abuse highlights how typosquatting and package impersonation continue to hit real developer workflows.

The campaign also matters because it shows how quickly threat actors iterate. Cisco Talos first documented PylangGhost in June 2025. By March 2026, outside researchers were already tracking what they describe as the malware’s first appearance on npm. That is a short development window for a malware family moving from targeted social engineering into open-source package delivery.

PylangGhost npm campaign summary

What developers should do now

• Check dependency trees and lockfiles for react-refresh-update and @jaime9008/math-service.
• Remove the packages and rebuild affected environments from a known clean state. This is the safer path because package removal alone does not prove the payload never executed.
• Block outbound traffic to the reported infrastructure, including malicanbur.pro and 173.211.46.22:8080.
• Review install-time network activity and script execution logs in CI runners and developer endpoints.
• Add package reputation checks, cooling-off rules, and software composition analysis before allowing new dependencies into production pipelines.

What stands out in this attack

This campaign did not rely on a fake GitHub interview page alone. It used the software supply chain itself as the delivery path, which can turn a single careless install into a wider organizational problem. That gives defenders less time to react because the malware can arrive through ordinary development behavior.

It also used naming that looks plausible at a glance. A package called react-refresh-update can slip past a rushed review because it sounds like a utility or update helper for a well-known React workflow. In modern teams that move quickly, attackers do not need a perfect disguise. They only need something that looks normal for a few minutes.

FAQ