Tracking an OtterCookie Infostealer Campaign Across npm

Pulse ID: 69ddc21e3b9bc0b44e740eba
Pulse Link: https://otx.alienvault.com/pulse/69ddc21e3b9bc0b44e740eba
Pulse Author: Tr1sa111
Created: 2026-04-14 04:27:10

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #InfoStealer #NPM #OTX #OpenThreatExchange #bot #Tr1sa111

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Tracking an OtterCookie Infostealer Campaign Across npm

Pulse ID: 69ddc24bfd8638531b823198
Pulse Link: https://otx.alienvault.com/pulse/69ddc24bfd8638531b823198
Pulse Author: Tr1sa111
Created: 2026-04-14 04:27:55

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #InfoStealer #NPM #OTX #OpenThreatExchange #bot #Tr1sa111


Tracking an OtterCookie Infostealer Campaign Across npm

Between April 6-9, 2026, multiple obfuscated malicious npm packages were identified as variants of the OtterCookie infostealer attributed to North Korean threat actors. The campaign employs a two-layer distribution strategy where benign wrapper packages clone legitimate libraries like big.js while pulling malicious dependencies containing the actual payload. Five malicious packages were identified, each containing obfuscated JavaScript files that execute via postinstall hooks. The toolchain steals credentials, files including Solana wallets and environment configurations, and exfiltrates data to Vercel-hosted C2 infrastructure. On Linux systems, it establishes persistence through SSH backdoor installation. The infrastructure overlaps with documented OtterCookie operations and connects to broader DPRK campaigns including Contagious Interview and Contagious Trader, demonstrating continued evolution in North Korean software supply chain attacks targeting developers.

Pulse ID: 69dd05a672cf30caf5d26e06
Pulse Link: https://otx.alienvault.com/pulse/69dd05a672cf30caf5d26e06
Pulse Author: AlienVault
Created: 2026-04-13 15:03:02

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #DPRK #InfoSec #InfoStealer #Java #JavaScript #Korea #Linux #NPM #NorthKorea #OTX #OpenThreatExchange #RAT #RCE #SSH #SupplyChain #bot #developers #AlienVault


Storm Infostealer Exploits Server-Side Decryption for Session Hijacking

Imagine if hackers could hijack your online sessions, bypassing even the strongest passwords and multifactor protections - a new infostealer called Storm makes this a chilling reality by exploiting server-side decryption to steal sensitive browser data. This sneaky malware allows attackers to take over your…

https://osintsights.com/storm-infostealer-exploits-server-side-decryption-for-session-hijacking?utm_source=mastodon&utm_medium=social

#StormInfostealer #SessionHijacking #MfaBypass #Infostealer #ServersideDecryption

Storm Infostealer Exploits Server-Side Decryption for Session Hijacking

Learn how Storm Infostealer uses server-side decryption to hijack sessions and bypass passwords, and take action to protect your online accounts now effectively.

OSINTSights

📢⚠️⛔ Google Chrome rolled out an update that disrupts infostealer attacks by making stolen session cookies useless.

Read: https://hackread.com/google-chrome-update-infostealer-cookie-theft/

#Cybersecurity #Infostealer #Malware #Chrome #Google

Google Chrome Update Disrupts Infostealer Cookie Theft

Google adds Device Bound Session Credentials (DBSC) to Chrome 146, using hardware keys to block infostealer use of stolen session cookies on Windows.

Hackread - Cybersecurity News, Data Breaches, AI and More
Google Chrome adds infostealer protection against session cookie theft

Google has rolled out Device Bound Session Credentials (DBSC) protection in Chrome 146 for Windows, designed to block info-stealing malware from harvesting session cookies.

BleepingComputer

Google Chrome Bolsters Defenses Against Infostealer Cookie Heists

Google Chrome just got a major security boost with its new Device Bound Session Credentials feature, designed to prevent infostealers from swiping your session cookies and letting hackers impersonate you without a password. This update is a game-changer in the fight against cookie heists and stolen login…

https://osintsights.com/google-chrome-bolsters-defenses-against-infostealer-cookie-heists?utm_source=mastodon&utm_medium=social

#Infostealer #SessionCookieSecurity #DeviceBoundSessionCredentials #GoogleChrome #BrowserSecurity

Google Chrome Bolsters Defenses Against Infostealer Cookie Heists

Google Chrome fights infostealer cookie heists with Device Bound Session Credentials, bolstering defenses - learn how this update protects your online security now.

OSINTSights
New macOS stealer campaign uses Script Editor in ClickFix attack

A new campaign delivering the Atomic Stealer malware to macOS users abuses the Script Editor in a variation of the ClickFix attack that tricked users into executing commands in Terminal.

BleepingComputer

Stealer Campaign Impacting SLTT macOS Users

MacSync Stealer is a macOS infostealer operating as Malware-as-a-Service (MaaS), distributed through SEO poisoning and fake ClickFix CAPTCHAs. The campaign has evolved through three iterations since November 2025, shifting from fake download sites to malicious ChatGPT conversations and finally to sophisticated shell-based loaders with dynamic AppleScript payloads. Threat actors use Google-sponsored search results to redirect victims to fake CAPTCHA pages that trick users into executing malicious terminal commands. The stealer targets browser credentials, cryptocurrency wallets, SSH keys, cloud provider credentials, and Keychain data. A critical capability includes trojanizing Ledger hardware wallet applications to capture seed phrases. The February 2026 campaign generated over 18,000 clicks in three days, with Russian-language comments suggesting operators work within a Russian-speaking ecosystem. The malware employs API key-gated C2 infrastructure and in-memory execution for evasion.

Pulse ID: 69d7ed2e323d7edb856fa161
Pulse Link: https://otx.alienvault.com/pulse/69d7ed2e323d7edb856fa161
Pulse Author: AlienVault
Created: 2026-04-09 18:17:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CAPTCHA #ChatGPT #Cloud #CyberSecurity #Edge #Google #InfoSec #InfoStealer #MaaS #Mac #MacOS #Malware #MalwareAsAService #OTX #OpenThreatExchange #RAT #Russia #SEOPoisoning #SSH #Trojan #bot #cryptocurrency #AlienVault


Researchers at Jamf Threat are reporting today on a new variant of a known cyberattack method. The attack targets Mac users and relies on a rather clever deception to smuggle malware onto the Mac.

More: https://digiprax.maniabel.work/archiv/1248

#infostealer #AtomicStealer #jamf #infosec #up2date #macOS #ScriptEditor #ClickFix