Threats Tagged 'ssh backdoor'

On April 10, 2026, a malicious npm package named sleek-pretty@1.0.0 was published, targeting developers running automated trading bots on Polymarket, a prediction market platform with $477 million in open interest. The package executes four attack chains upon import: system fingerprinting, SSH backdoor installation on Linux hosts, filesystem exfiltration, and targeted theft of Polymarket CLOB API credentials and Ethereum/Polygon wallet private keys. The payload runs at require() time without install hooks and specifically hunts SDK source files like createClobClient.ts and clob.ts. An SSH public key is written to authorized_keys for persistent access. The attacker can drain USDC balances directly using stolen L1 private keys. Attribution points to DPRK's Famous Chollima (Lazarus Group) based on TTPs matching the TraderTraitor campaign and publisher email correlation with known DPRK infrastructure.

Between April 6-9, 2026, multiple obfuscated malicious npm packages were identified as variants of the OtterCookie infostealer attributed to North Korean threat actors. The campaign employs a two-layer distribution strategy where benign wrapper packages clone legitimate libraries like big.js while pulling malicious dependencies containing the actual payload. Five malicious packages were identified, each containing obfuscated JavaScript files that execute via postinstall hooks. The toolchain steals credentials, files including Solana wallets and environment configurations, and exfiltrates data to Vercel-hosted C2 infrastructure. On Linux systems, it establishes persistence through SSH backdoor installation. The infrastructure overlaps with documented OtterCookie operations and connects to broader DPRK campaigns including Contagious Interview and Contagious Trader, demonstrating continued evolution in North Korean software supply chain attacks targeting developers.