216.73.216.67

Tracking an OtterCookie Infostealer Campaign Across npm

· Published 13/04/2026 17:03 · Modified 13/04/2026 15:17

Export JSON

Essential information

Published
13/04/2026 17:03
Modified
13/04/2026 15:17
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
beavertail contagious interview credential theft infostealer invisibleferret javascript obfuscation koalemos north korea npm ottercookie ssh backdoor supply-chain vercel c2
Tags
2026-04-13 beavertail contagious interview credential-theft infostealer invisibleferret javascript obfuscation koalemos north korea npm ottercookie ssh backdoor supply-chain vercel c2
Related entities
9 indicators, 9 observables, 1 intrusion sets (apt), 4 malware, 1 others

Description

Between April 6-9, 2026, multiple obfuscated malicious packages were identified as variants of the attributed to North Korean threat actors. The campaign employs a two-layer distribution strategy where benign wrapper packages clone legitimate libraries like big.js while pulling malicious dependencies containing the actual payload. Five malicious packages were identified, each containing obfuscated JavaScript files that execute via postinstall hooks. The toolchain steals credentials, files including Solana wallets and environment configurations, and exfiltrates data to Vercel-hosted C2 infrastructure. On Linux systems, it establishes persistence through installation. The infrastructure overlaps with documented operations and connects to broader DPRK campaigns including and Contagious Trader, demonstrating continued evolution in North Korean software supply chain attacks targeting developers.

External references