NPM Packages Distribute PylangGhost RAT in Supply Chain Attack
Severity: High (Score: 77.0)
Sources: Cybersecuritynews, Gbhackers
Summary
Malicious npm packages have been identified as vehicles for the PylangGhost remote access trojan (RAT), attributed to the North Korean state-sponsored group FAMOUS CHOLLIMA. The campaign began with the publication of malicious versions of @jaime9008/math-service (1.0.1 through 1.0.2) in late February 2026, followed by react-refresh-update (1.0.1 through 1.0.4) on March 1, 2026; earlier versions of both packages were found to be benign. The malicious versions target developers on Windows, Linux, and macOS. PylangGhost itself was first documented by Cisco Talos in June 2025; its delivery through npm packages is described as a significant escalation in software supply chain attacks. Developers who installed the affected versions are at risk of unauthorized access to their systems. The campaign is assessed as ongoing, and security professionals are urged to remain vigilant.
Key Points:
• Malicious npm packages are spreading the PylangGhost RAT, targeting multiple OS platforms.
• The attack is attributed to the North Korean state-sponsored group FAMOUS CHOLLIMA.
• Developers are advised to check their dependency trees and lockfiles for the compromised versions, and to treat any system that installed one of them as potentially compromised.
Key Entities
- FAMOUS CHOLLIMA (apt_group)
- Supply Chain Attack (attack_type)
- Trojan (attack_type)
- PylangGhost (malware)
- T1195 - Supply Chain Compromise (mitre_attack)
- Linux (platform)
- macOS (platform)
- Windows (platform)
- npm (tool)
- @jaime9008/math-service (tool)
- react-refresh-update (tool)