North Korean threat actors are actively distributing malicious npm packages to deliver a variant of OtterCookie malware, targeting users through fake job interview platforms. This campaign demonstrates advanced evasion techniques and extensive use of JavaScript and crypto-focused workflows.
Key points
- North Korean threat actors have added 197 malicious npm packages since last month, with over 31,000 downloads.
- The malware evades detection, profiles the system, and establishes a C2 channel for remote access and data theft.
- Packages connect to a hard-coded Vercel URL to fetch OtterCookie payloads from a GitHub repository controlled by the attackers.
- The campaign includes fake assessment websites that deliver GolangGhost malware via staged job interview scams.
- Malware can steal system info, browser credentials, and cryptocurrency data while simulating legitimate prompts to deceive users.
Read More: https://thehackernews.com/2025/11/north-korean-hackers-deploy-197-npm.html