Tracking an OtterCookie Infostealer Campaign Across npm

Between April 6-9, 2026, multiple obfuscated malicious npm packages were identified as variants of the OtterCookie infostealer attributed to North Korean threat actors. The campaign employs a two-layer distribution strategy where benign wrapper packages clone legitimate libraries like big.js while pulling malicious dependencies containing the actual payload. Five malicious packages were identified, each containing obfuscated JavaScript files that execute via postinstall hooks. The toolchain steals credentials, files including Solana wallets and environment configurations, and exfiltrates data to Vercel-hosted C2 infrastructure. On Linux systems, it establishes persistence through SSH backdoor installation. The infrastructure overlaps with documented OtterCookie operations and connects to broader DPRK campaigns including Contagious Interview and Contagious Trader, demonstrating continued evolution in North Korean software supply chain attacks targeting developers.

Pulse ID: 69dd05a672cf30caf5d26e06
Pulse Link: https://otx.alienvault.com/pulse/69dd05a672cf30caf5d26e06
Pulse Author: AlienVault
Created: 2026-04-13 15:03:02

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #DPRK #InfoSec #InfoStealer #Java #JavaScript #Korea #Linux #NPM #NorthKorea #OTX #OpenThreatExchange #RAT #RCE #SSH #SupplyChain #bot #developers #AlienVault