Tracking an OtterCookie Infostealer Campaign Across npm
Between April 6-9, 2026, multiple malicious npm packages were identified as variants of the OtterCookie infostealer linked to North Korean threat actors. These packages use obfuscated JavaScript executed via postinstall hooks to steal credentials, files including Solana wallets, and environment configurations. The malware exfiltrates data to Vercel-hosted command and control infrastructure and establishes persistence on Linux systems through an SSH backdoor. The campaign employs a two-layer distribution strategy with benign wrapper packages cloning legitimate libraries to hide the malicious payload. This activity is connected to broader DPRK campaigns and represents an evolution in North Korean software supply chain attacks targeting developers. No patches or official remediation guidance are provided in the available data. No known exploits in the wild have been reported.
AI Analysis
Technical Summary
This threat involves a supply chain attack campaign targeting the npm ecosystem with malicious packages attributed to North Korean actors. The attackers use benign wrapper packages that clone legitimate libraries but pull in malicious dependencies containing obfuscated JavaScript payloads. These payloads execute via postinstall hooks to steal sensitive information such as credentials, Solana wallets, and environment configurations. Data exfiltration is conducted to Vercel-hosted command and control infrastructure. On Linux hosts, the malware establishes persistence by installing an SSH backdoor. The infrastructure and tactics overlap with known OtterCookie operations and other DPRK campaigns like Contagious Interview and Contagious Trader, indicating ongoing evolution in threat actor techniques within software supply chains.
Potential Impact
The campaign results in credential theft, exfiltration of sensitive files including cryptocurrency wallets and environment configurations, and persistent backdoor access on Linux systems. This compromises developer environments and potentially broader organizational infrastructure relying on affected npm packages. The supply chain nature of the attack increases risk as malicious code is distributed through trusted package repositories. No evidence of exploitation beyond the identified packages is currently reported.
Mitigation Recommendations
No official patches or remediation guidance are provided in the available information. Users and organizations should audit dependencies for suspicious or obfuscated packages, especially those with postinstall scripts. Removing identified malicious packages and avoiding installation of untrusted or unknown npm packages is recommended. Monitoring for unexpected SSH backdoors on Linux systems may help detect persistence. Since this is a supply chain attack, vetting package sources and using tools to detect malicious code in dependencies is advisable. Patch status is not yet confirmed — check vendor advisories or npm security updates for current remediation guidance.
Indicators of Compromise
- ip: 144.172.110.228
- ip: 107.189.22.20
- ip: 144.172.110.132
- ip: 144.172.110.96
- ip: 144.172.116.22
- ip: 144.172.93.169
- ip: 144.172.93.253
- ip: 144.172.99.248
- ip: 144.172.99.81
Tracking an OtterCookie Infostealer Campaign Across npm
Description
Between April 6-9, 2026, multiple malicious npm packages were identified as variants of the OtterCookie infostealer linked to North Korean threat actors. These packages use obfuscated JavaScript executed via postinstall hooks to steal credentials, files including Solana wallets, and environment configurations. The malware exfiltrates data to Vercel-hosted command and control infrastructure and establishes persistence on Linux systems through an SSH backdoor. The campaign employs a two-layer distribution strategy with benign wrapper packages cloning legitimate libraries to hide the malicious payload. This activity is connected to broader DPRK campaigns and represents an evolution in North Korean software supply chain attacks targeting developers. No patches or official remediation guidance are provided in the available data. No known exploits in the wild have been reported.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This threat involves a supply chain attack campaign targeting the npm ecosystem with malicious packages attributed to North Korean actors. The attackers use benign wrapper packages that clone legitimate libraries but pull in malicious dependencies containing obfuscated JavaScript payloads. These payloads execute via postinstall hooks to steal sensitive information such as credentials, Solana wallets, and environment configurations. Data exfiltration is conducted to Vercel-hosted command and control infrastructure. On Linux hosts, the malware establishes persistence by installing an SSH backdoor. The infrastructure and tactics overlap with known OtterCookie operations and other DPRK campaigns like Contagious Interview and Contagious Trader, indicating ongoing evolution in threat actor techniques within software supply chains.
Potential Impact
The campaign results in credential theft, exfiltration of sensitive files including cryptocurrency wallets and environment configurations, and persistent backdoor access on Linux systems. This compromises developer environments and potentially broader organizational infrastructure relying on affected npm packages. The supply chain nature of the attack increases risk as malicious code is distributed through trusted package repositories. No evidence of exploitation beyond the identified packages is currently reported.
Mitigation Recommendations
No official patches or remediation guidance are provided in the available information. Users and organizations should audit dependencies for suspicious or obfuscated packages, especially those with postinstall scripts. Removing identified malicious packages and avoiding installation of untrusted or unknown npm packages is recommended. Monitoring for unexpected SSH backdoors on Linux systems may help detect persistence. Since this is a supply chain attack, vetting package sources and using tools to detect malicious code in dependencies is advisable. Patch status is not yet confirmed — check vendor advisories or npm security updates for current remediation guidance.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://panther.com/blog/tracking-an-ottercookie-infostealer-campaign-across-npm"]
- Adversary
- FAMOUS CHOLLIMA
- Pulse Id
- 69dd05a672cf30caf5d26e06
- Threat Score
- null
Indicators of Compromise
Ip
| Value | Description | Copy |
|---|---|---|
ip144.172.110.228 | — | |
ip107.189.22.20 | — | |
ip144.172.110.132 | — | |
ip144.172.110.96 | — | |
ip144.172.116.22 | — | |
ip144.172.93.169 | — | |
ip144.172.93.253 | — | |
ip144.172.99.248 | — | |
ip144.172.99.81 | — |
Threat ID: 69dd0c6682d89c981f09ae9b
Added to database: 4/13/2026, 3:31:50 PM
Last enriched: 4/13/2026, 3:47:19 PM
Last updated: 4/14/2026, 8:14:48 AM
Views: 40
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.