Threats Tagged 'javascript obfuscation'

Between April 6-9, 2026, multiple obfuscated malicious npm packages were identified as variants of the OtterCookie infostealer attributed to North Korean threat actors. The campaign employs a two-layer distribution strategy where benign wrapper packages clone legitimate libraries like big.js while pulling malicious dependencies containing the actual payload. Five malicious packages were identified, each containing obfuscated JavaScript files that execute via postinstall hooks. The toolchain steals credentials, files including Solana wallets and environment configurations, and exfiltrates data to Vercel-hosted C2 infrastructure. On Linux systems, it establishes persistence through SSH backdoor installation. The infrastructure overlaps with documented OtterCookie operations and connects to broader DPRK campaigns including Contagious Interview and Contagious Trader, demonstrating continued evolution in North Korean software supply chain attacks targeting developers.

A malicious campaign is targeting indie game platforms Itch.io and Patreon by posting fake update links in comments, which lead to downloads of LummaStealer malware. This malware uses advanced anti-analysis techniques to evade detection, including checks for virtual machines, specific usernames, and malware analysis processes. The payload is delivered via a nexe-compiled JavaScript file that drops and loads a DLL variant of LummaStealer. Despite efforts to remove malicious accounts, attackers continuously create new ones, indicating an ongoing and persistent threat. The campaign primarily targets users seeking game updates, exploiting trust in indie game communities. No known exploits in the wild have been reported yet, but the malware’s stealth and persistence pose a medium-level risk. European organizations involved in gaming, digital content creation, or using these platforms could be impacted, especially those with less mature security controls. Mitigation requires targeted detection of fake update links, monitoring of platform comments, and enhanced endpoint defenses against DLL injection and obfuscated JavaScript. Countries with active indie game development and strong Patreon/Itch.

MediumMalwareGermanyFrancePoland+4#indie games#patreon#fake updates

A VS Code extension for Ethereum smart contract development, ETHcode, was compromised through a GitHub pull request. The attacker, using a newly created account, submitted a PR that introduced a malicious dependency and code to execute it. The compromise was subtle, involving only two lines of code changes among thousands. The malicious code downloads and runs a batch script from a public file-hosting service, potentially to steal crypto assets or compromise Ethereum contracts. The extension, with nearly 6,000 installs, was removed from the marketplace after discovery. This incident highlights the importance of carefully reviewing contributions, especially from new accounts, and scrutinizing package dependencies in software development workflows.

MediumCampaignGermanyUnited KingdomFrance+3#github#ethcode#keythereum-utils