Cross-Platform NPM Stealer, (Fri, May 22nd)
I found a Node.js stealer that looked pretty well obfuscated. The file was not running out-of-the-box because it was uploaded on VT as "extracted-decoded.js" (and reformatted). The SHA256 is 049300aa5dd774d6c984779a0570f59610399c71864b5d5c2605906db46ddeb9[1]. It did not run properly in a sandbox so only a static analysis was performed.
AI Analysis
Technical Summary
This threat is a Node.js-based stealer malware with cross-platform capabilities targeting Windows (including WSL), macOS, and Linux. It is composed of three main modules: (1) a browser credential stealer supporting numerous Chromium-based browsers and wallet extensions, (2) a recursive file exfiltration scanner searching for sensitive files by extensive filename and extension patterns, and (3) a WebSocket reverse shell connecting to a DPRK OtterCookie C2 server at IP 216.126.225.243 over ports 8085, 8086, and 8087. The malware is obfuscated using typical obfuscator.io techniques, but the payloads are embedded in plaintext Base64 strings. Communications use the Axios NPM package, and a hardcoded HMAC key is used for encryption. The sample was analyzed statically because it failed to execute in a sandbox. No patch or remediation guidance is available, and no known exploitation in the wild has been reported.
Potential Impact
The malware can steal browser credentials from a wide range of Chromium-based browsers and their wallet extensions, potentially compromising user accounts and cryptocurrency wallets. It can also exfiltrate sensitive files from the victim's filesystem based on a broad set of filename and extension patterns, risking exposure of confidential data such as keys, passwords, configurations, and documents. Additionally, it establishes a reverse shell allowing remote command execution by the attacker. This combination of data theft and remote access can lead to significant confidentiality and integrity breaches on affected systems.
Mitigation Recommendations
Patch status is not yet confirmed; check the vendor advisory for current remediation guidance. Since this is a malware threat rather than a software vulnerability, remediation involves detecting and removing the malicious Node.js files and blocking network communications to the identified C2 IP address (216.126.225.243) on ports 8085, 8086, and 8087. Monitoring for suspicious Node.js processes and unusual outbound connections from development or user environments is recommended. No official fix or patch is available because this is malware rather than a vulnerability in a vendor product.
Technical Details
- Article Source: https://isc.sans.edu/diary/rss/33006 (fetched 2026-05-22)
Added to database: 5/22/2026, 3:39:47 PM
Last enriched: 5/22/2026, 3:39:56 PM
Last updated: 5/23/2026, 8:15:05 AM