PylangGhost, a remote access trojan that Cisco Talos first documented publicly in June 2025, has been found on the npm registry for the first time, hidden inside two malicious JavaScript packages.

The malware is attributed to FAMOUS CHOLLIMA, a North Korean state-sponsored threat group, and its arrival on npm marks a significant escalation in software supply chain attacks targeting developers worldwide. PylangGhost has been tracked for months as part of coordinated activity linked to North Korean cyber operations. FAMOUS CHOLLIMA is well known in the security community for using trojanized code repositories, fake job offers, and social engineering to gain unauthorized access to systems.

The group's deliberate move to npm, one of the most widely used open-source package registries in the world, shows an attempt to compromise development pipelines at a far larger scale than before.

At the perimeter, block all network traffic to malicanbur[.]pro and 173.211.46[.]22:8080. Integrating software composition analysis (SCA) tools into build and deployment pipelines helps catch compromised packages before they reach production. Any unexpected network connection made while a package is being installed should be treated as a serious incident and investigated immediately.