npm Malware, Fake Devs, and Deepfake Videos: These Are A Few of My Favorite DPRK Things

What started as a quick look into a suspicious GitHub organization turned into a much deeper rabbit hole: an active npm backdoor, more than a dozen fake developer personas, and recruitment posts looking for overseas facilitators. Individually, there are a lot of interesting pieces here, but together they map closely to documented DPRK tradecraft. The investigation started with a GitHub organization called Mentonex. At first glance, it looks almost like a legitimate company, but a few things immediately stood out:

  • The branding all appeared to be AI-generated.
  • Several contributing accounts were newly created with inactive LinkedIn profiles.
  • Repositories all appeared to be projects that were taken from other users or repos.

Digging into the repositories made it clear that something was a little off. One repository in particular stood out, mentonex-agent, as it had some unusual imports in the file backend/src/utils/logger.js. While pino is a legitimate and widely used Node.js logging library, logkitx is not. It presents itself as a simple debug integration for pino. But looking one level deeper reveals a different story. The logkitx package pulls in another dependency: logger-base, which in turn imports dev-log-core. At this point, the structure starts to look intentional. Each package adds just enough legitimacy to mask the final stage: dev-log-core. All three packages were published under the same npm account (aokisasakidev1) within roughly 90 minutes of each other on January 29, 2026. The final package, dev-log-core, contains the actual payload.

The behavior inside dev-log-core/src/common.js is where the payload lives. When triggered, the code constructs a remote URL, sends identifying information (namespaces), retrieves a base64-encoded response, and decodes and executes it dynamically using new Function(). In other words, it silently pulls and runs attacker-controlled code. The endpoint used for this behavior, as of writing, is logkit-tau.vercel.app. This effectively creates a backdoor with full access to:

  • The filesystem
  • Network connectivity
  • Child processes

Reviewing the versions of dev-log-core reveals some changes and previous domains that were used as part of the C2 infrastructure:

  • Jan 29, 2026: v1.0.0 published with the initial C2, ngrok-free.vercel.app.
  • By Feb 3, 2026: v1.0.3 published with C2 rotation #1 to logkit.vercel.app; v1.0.4 added retry logic and a 60s timeout.
  • Mar 16, 2026: v1.0.5 published with C2 rotation #2 to logkit-tau.vercel.app.

Microsoft Defender’s February 2026 report “Developer-targeting campaign using malicious Next.js repositories” documents the same Vercel C2 architecture, execution primitive, and victim fingerprinting mechanism identified in dev-log-core, and attributes the campaign to a North Korea-linked threat cluster. The npm package logger-base lists its repository as github.com/aokisasakidev/logger-base. That URL now redirects to github.com/golangorg/logger-base – a different GitHub account entirely. The actor renamed the aokisasakidev account to golangorg after the packages were published, likely in an attempt to blend the malicious infrastructure into a name that resembles a legitimate Go programming language organization.

This post is licensed under CC BY 4.0 by the author.