OtterCookie Expands Targeting to AI Coding Tools
On March 20, 2026, an npm account operating under the username gemini-check published a package titled gemini-ai-checker, presenting itself as a utility to verify Google Gemini AI tokens. Interestingly, the package README displayed wording copied from the legitimate package chai-await-async, a JavaScript assertion library with no obvious relationship to Gemini. Code analysis revealed that the package contacts a Vercel-hosted staging endpoint, server-check-genimi.vercel[.]app, to retrieve and execute a JavaScript payload.

The account continues to host two malicious packages sharing the same infrastructure: express-flowlimit and chai-extensions-extras, which have been downloaded more than 500 times combined as of publication.

De-obfuscation of the downloaded code showed a number of similarities to OtterCookie, a JavaScript backdoor attributed to the Contagious Interview campaign linked to DPRK threat activity. The malware behavior more closely aligns with the version recently covered by Microsoft in March, which has been assessed to be active since October 2025. The sample also contained functionality not previously reported: specific …
IoC
http://server-check-genimi.vercel.app
http://216.126.237.71
http://server-check-genimi.vercel.app/defy/v3
http://216.126.237.71:4891
216.126.237.71
d26da2d0f14d8a160f2f937a6081dae0c4b31bb4e5539187a56d658372f33b22