Contagious Interview Campaign Expands with 197 npm Packages Spreading New OtterCookie Malware
Summary:
Researchers from Socket linked a series of fake job interviews and test assignments targeting developers to a state-sponsored North Korean threat actor. Once the developer has been socially engineered, the adversary persuades them to set up a "test project" or utility that is intentionally wired to depend on a malicious npm package (often a typosquatted clone such as tailwind-magic). When the developer sets up the project and runs npm install, the malicious package is downloaded and the initial execution flow begins. The threat actors populate their GitHub accounts with polished but malicious or deceptive repositories, giving the "recruiter" a plausible portfolio to showcase, making the request seem legitimate and increasing the developer's confidence that they are working on a real project.
The campaign is one of the most prolific abusing npm, adding at least 197 malicious packages with over 31,000 downloads in a recent wave. The final payload is a recent variant of the OtterCookie malware, which functions as a sophisticated infostealer and Remote Access Trojan (RAT) tuned for developer systems.
Security Officer Comments:
OtterCookie is used for high-value data exfiltration and financial theft. The tool has several features:
- Continuous clipboard theft and global keylogging.
- Multi-monitor screenshot capture.
- Recursive filesystem scanning to harvest sensitive information, including:
  - Credentials, seed phrases, and wallet data.
  - Sensitive documents and configuration files (*.env, *.json, *.ts, *.js).
- Collection of browser profile data and popular crypto-wallet browser extension data from Chrome and Brave on Windows, macOS, and Linux.
- Remote System Control: The malware establishes a long-lived Command and Control (C2) channel, providing the threat actors with an interactive remote shell to perform remote tasking on the compromised host.
Indicators of Compromise (IOCs) are included in Socket’s report.
- Verify Recruiters and Companies: Be highly suspicious of unsolicited job offers, especially those in high-value sectors like Web3/Crypto. Independently verify the company, the recruiter's identity, and their LinkedIn profile outside of the initial contact method.
- Do Not Use Personal Devices for Unverified Code: Never clone or execute unvetted code, especially a "test project" on a machine that contains sensitive production keys, tokens, or live cryptocurrency wallets. Use a dedicated virtual machine (VM) or containerized environment for all external code assessments.
- Scrutinize Installation Instructions: Attackers embed malware delivery within seemingly routine commands like npm install. Be wary of projects that instruct you to install non-standard or custom utility packages that are critical for running a basic project.