lazarusholic


Tracking an OtterCookie Infostealer Campaign Across npm

2026-04-07, Panther
https://panther.com/blog/tracking-an-ottercookie-infostealer-campaign-across-npm
#ContagiousTrader #NPM #OtterCookie


Introduction
Between April 6 and April 9, 2026, our npm scanner identified a cluster of obfuscated malicious packages published by multiple throwaway accounts. Our analysis revealed these packages to be variants of the OtterCookie infostealer, a credential theft and backdoor toolchain attributed to North Korean threat actors.
The packages use a two-layer distribution strategy: a benign-looking wrapper package that clones a legitimate library (big.js in our case) and pulls in a malicious dependency containing the actual payload, so the malicious code sits one dependency layer deeper than the package a victim installs. To date we have identified 5 malicious packages.
Each payload package contains two obfuscated JavaScript files: a loader (test.js) and a second-stage stealer/backdoor (index.js). On install, the postinstall hook runs the loader, which imports and executes the main exfiltration and persistence logic. The malware steals files and credentials and exfiltrates them to attacker-controlled, Vercel-hosted C2 servers. As a final step, it installs an SSH public-key backdoor on Linux systems.
This campaign overlaps …

IoC

http://144.172.99.248
http://107.189.22.20
http://cloudflaresecurity.vercel.app
http://144.172.110.228
http://cloudflarefirewall.vercel.app
http://144.172.99.81
http://144.172.93.169
http://cloudflarefirewall.vercel.app/api/v1
http://144.172.116.22
http://cloudflareinsights.vercel.app
http://144.172.110.132
http://cloudflareinsights.vercel.app/api/v1
http://144.172.93.253
http://144.172.110.96
144.172.110.228
144.172.93.253
144.172.110.96
144.172.110.132
144.172.93.169
144.172.116.22
144.172.99.81
144.172.99.248
107.189.22.20