First instance of PylangGhost RAT observed on npm
ID: 938952c3-44aa-59b6-91b7-1c4b006ba729
STIX ID: report--938952c3-44aa-59b6-91b7-1c4b006ba729
Feed Name: KMsec blog
This report documents the discovery of the PylangGhost RAT (attributed to DPRK FAMOUS CHOLLIMA) being distributed through malicious npm packages in Feb–Mar 2026. The author includes the decoded loader and a refactored JavaScript sample showing chunked download, ZIP extraction and execution behavior, and provides IOCs (C2 domain malicanbur.pro, IP 173.211.46.22:8080 and a VirusTotal sample hash).
