Tracking DPRK operator IPs over time

2026-02-22 Kmsec

https://kmsec.uk/blog/dprk-opsec-3/

The post tracks FAMOUS CHOLLIMA operator infrastructure by using npm publish notification emails exposed through insecure temporary-mail providers. The author says DPRK-linked npm operators used disposable domains registered through services such as emailfake.com, generator.email, tempm.com, and related infrastructure, allowing some inboxes to be viewed directly. Those inboxes revealed publish IPs over time, including repeated use of Astrill VPN, hide.me VPN, China Unicom, and a Russian TransTeleCom address `62[.]33[.]223[.]164` across malicious npm packages such as `chai-status`, `chai-max`, `fileupload-core`, and `web3-chain-sync`. The same temporary mailboxes also showed sign-ups to job platforms such as HireLatam and Bayt, supporting the link between package malware activity and Contagious Interview-style targeting workflows.

Indicators of Compromise

