Panther’s investigation uncovered obfuscated npm packages (April 6–9, 2026) that were variants of OtterCookie, an infostealer and backdoor attributed to North Korean state-sponsored actors. The campaign used a two-layer distribution—benign wrapper packages cloning big.js that pull a hidden payload dependency—and a custom base91-like per-function obfuscation to evade detection and static analysis. #OtterCookie #FAMOUS_CHOLLIMA
Key points
- Panther’s npm scanner flagged obfuscated packages that were unmasked as OtterCookie variants.
- Attackers published benign wrapper packages that clone big.js and add a malicious payload as a dependency to bypass reviews.
- The malware uses a custom base91-like string encoding with per-function alphabet rotation to defeat static string extraction.
- OtterCookie runs two parallel chains: a targeted search for high-value secrets (e.g., Solana keypairs) and a Vercel-hosted C2-driven recursive filesystem scan.
- The campaign installs an SSH public-key backdoor on Linux, has ties to DPRK / FAMOUS CHOLLIMA, and shares infrastructure and tradecraft with prior Contagious campaigns.
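The two-layer distribution described above (a wrapper that clones a well-known library but adds a hidden payload dependency) can be caught with a manifest diff against the library it claims to be. The following Node.js check is an added example, not code from Panther's report or the OtterCookie samples; both manifests are constructed, the upstream one is not fetched from the registry, and the package and dependency names are placeholders. It also flags lifecycle scripts the upstream never shipped, a generalization of the same "clone plus extra" pattern.

```javascript
// Added example (not from the Panther report): flag a "wrapper" package that
// mirrors a known library's manifest but introduces dependencies or install-time
// scripts the upstream never had. All data below is constructed for the demo.

// Constructed upstream manifest modelled on a zero-dependency library like big.js.
const upstreamManifest = {
  name: "big.js",
  version: "0.0.0-CONSTRUCTED",
  main: "big.js",
  dependencies: {},
  scripts: { test: "node test/runner.js" },
};

// Constructed suspect manifest: same entry point and scripts, plus a hidden
// payload dependency and a postinstall hook. Names are placeholders.
const suspectManifest = {
  name: "big-js-clone-PLACEHOLDER",
  version: "0.0.0-CONSTRUCTED",
  main: "big.js",
  dependencies: { "payload-dep-PLACEHOLDER": "^1.0.0" },
  scripts: { test: "node test/runner.js", postinstall: "node ./index.js" },
};

// npm lifecycle scripts that run without user interaction during install.
const LIFECYCLE_SCRIPTS = new Set(["preinstall", "install", "postinstall", "prepare"]);

// Compare a suspect manifest with the upstream it imitates and return findings.
function diffWrapperManifest(upstream, suspect) {
  const findings = [];
  const upstreamDeps = new Set(Object.keys(upstream.dependencies || {}));
  for (const dep of Object.keys(suspect.dependencies || {})) {
    // Any dependency absent from upstream is where a hidden payload would hide.
    if (!upstreamDeps.has(dep)) findings.push({ kind: "added-dependency", value: dep });
  }
  const upstreamScripts = upstream.scripts || {};
  for (const [name, cmd] of Object.entries(suspect.scripts || {})) {
    // A new or altered lifecycle script gives the payload automatic execution.
    if (LIFECYCLE_SCRIPTS.has(name) && upstreamScripts[name] !== cmd) {
      findings.push({ kind: "lifecycle-script", value: `${name}: ${cmd}` });
    }
  }
  return findings;
}

for (const f of diffWrapperManifest(upstreamManifest, suspectManifest)) {
  console.log(`[suspicious] ${f.kind}: ${f.value}`);
}
```

In practice the upstream manifest would be fetched from the registry for the library the wrapper's code resembles, and any finding should pull the added dependency into the same review.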
Read More: https://securityonline.info/npm-malware-ottercookie-panther-report-dprk/