Novel DPRK stager using Pastebin and text steganography
ID: 9ac604ad-c6b9-56e9-89e3-a228b57678ef
STIX ID: report--9ac604ad-c6b9-56e9-89e3-a228b57678ef
Feed Name: KMsec blog
### Executive summary

A security researcher identified 17 malicious npm packages used by FAMOUS CHOLLIMA that embed an identical obfuscated JavaScript loader executed at install time. The loader fetches Pastebin posts, decodes a steganographic C2 list, and then pulls platform-specific remote payloads (Linux/macOS/Windows) from Vercel-hosted endpoints, enabling remote code execution. The report provides package names, a file SHA256, Pastebin links, decoded C2 domains, next-stage payload hashes, and concise hunting indicators.