North Korean Hackers Deploy OtterCookie Malware via npm Packages

By Azhar Khan
Region: Global

Overview

North Korean state-linked cyber operators have launched a sophisticated and large-scale supply-chain attack distributing the OtterCookie malware through malicious npm packages. These packages were uploaded under deceptive or typosquatted names to lure developers into installing them. Once installed, the packages' post-installation scripts triggered the download and execution of the OtterCookie payload. The operation targets developers, software organizations, and cryptocurrency holders, blending espionage and financial theft motives.

How the Incident Unfolded

The attackers created dozens of malicious npm packages that appeared to be legitimate JavaScript libraries, development utilities, or coding-test dependencies. Developers who installed these packages unwittingly executed a postinstall routine designed to silently pull the next-stage malware from an attacker-controlled server. This postinstall mechanism is a functional part of npm and therefore often overlooked during dependency reviews.

The initial loader was lightweight and designed for stealth. Instead of storing the full malicious payload inside the package, it reached out to external content delivery hosts to retrieve the full OtterCookie malware. This approach allowed attackers to continuously update the payload without modifying the npm package itself, enabling long-term persistence and evasion.

Impact and Exposure

The scale of exposure is significant due to the popularity of the npm ecosystem and the tendency of developers to trust publicly available packages. Compromised users face risks including data theft, credential exfiltration, remote command execution, and cryptocurrency wallet compromise. In enterprise environments, an infected developer workstation can become a stepping stone into build pipelines or production systems, greatly amplifying the blast radius.

OtterCookie is capable of keylogging, clipboard scraping, screenshot capture, environment enumeration, and extraction of browser-stored credentials. The malware also searches for wallet files and crypto-extension data, enabling attackers to steal funds directly or collect seed phrases for later use.

Response and Investigation

Security teams analyzing the campaign emphasize the adversary's strategic use of social engineering. In addition to publishing malicious packages, attackers engaged victims directly by posing as recruiters or hiring managers. Developers were instructed to clone repositories containing the malicious dependencies as part of coding tests. This bypassed organizational controls by shifting the point of infection to personal machines.

Forensic analysis on infected systems shows consistent patterns: a suspicious Node.js installation process triggering network calls to unknown domains, followed by the presence of new background processes collecting system and browser data. Organizations that traced lateral movement found that compromised developer credentials were later used to access repositories and cloud infrastructure.

Wider Industry Implications

This campaign highlights the fragility of open source ecosystems where trust is implicit and vetting is minimal. npm's flexibility, while beneficial for developers, creates opportunities for attackers to embed malicious automation into dependency workflows. The incident reinforces a rapidly growing pattern of supply-chain attacks where adversaries compromise developers instead of end users.

The broader implication is that organizations can no longer assume that a package’s presence in a public registry indicates safety. Continuous monitoring, reputation scoring, and dependency verification must become standard practice. In addition, the use of phone-based social engineering demonstrates that open source compromises are no longer purely technical threats but hybrid operations combining human and technical vectors.

Guidance for Security Teams

To mitigate risks from similar attacks, organizations should implement strict dependency management protocols. Reviewing package lifecycle scripts, blocking unnecessary postinstall executions, and isolating package installations within containerized build environments significantly reduce exposure. Security teams should also monitor developer endpoints for suspicious Node.js processes, new background binaries, and unexpected outbound traffic following npm installs.

Incident response procedures should include rotating all credentials associated with a compromised developer machine, reviewing repository access logs for unusual behavior, and revalidating CI/CD secrets. Developers should be advised to avoid installing unknown packages and treat unsolicited coding tests or recruitment tasks with caution.

Indicators of Compromise

  • npm packages containing postinstall scripts executing external network calls
  • Unusual outbound HTTP or HTTPS connections immediately after running npm install
  • New Node.js processes accessing browser profiles or wallet directories
  • Clipboard monitoring activity or unauthorized screenshot files
  • Unexpected remote shell sessions opened from developer endpoints
  • Presence of staged payload files within temporary npm or OS directories
  • Exfiltration of repository credentials, API keys, crypto wallets, or environment variables