Concise Cyber


North Korean Hackers Expand ‘Contagious Interview’ with 197 npm Packages, Spreading OtterCookie Stealer

A sophisticated supply chain campaign attributed to North Korean state-sponsored threat actors has expanded with the discovery of 197 malicious packages on the npm registry. According to cybersecurity firm Phylum, this activity is part of the ongoing “Contagious Interview” campaign, which now distributes a new information-stealing malware named OtterCookie.

The threat actors published the malicious packages under various author names, frequently using typosquatted names to impersonate legitimate libraries related to mobile development frameworks like react-native, ionic, and capacitor. This tactic targets developers who might inadvertently install the compromised packages into their projects.

Campaign Execution and Malware Delivery

The attack is initiated when a developer installs one of the malicious npm packages. Each package contains a post-install script (`postinstall.js`) that executes automatically after installation. This script first checks the user’s operating system. If it detects a Linux or macOS environment, it proceeds to download and execute a shell script from a remote server.

This secondary shell script is responsible for retrieving the final payload, the OtterCookie malware. The malware is then executed on the victim’s machine, beginning its data collection phase. This multi-stage delivery process is a known technique used to obscure the final malicious intent from initial static analysis.

OtterCookie: A Node.js Information Stealer

OtterCookie is a new malware strain written in Node.js. Its primary function is to operate as an information stealer. Upon execution, it gathers a wide range of system information, including the hostname, username, network configuration details, and a list of currently running processes.

Furthermore, OtterCookie specifically targets web browser data. It is designed to locate and steal cookies and login credentials from several popular browsers, including Google Chrome, Microsoft Edge, Brave, Opera, and Mozilla Firefox. After collecting the sensitive data, the malware exfiltrates it to a command-and-control (C2) server operated by the attackers. The malware also includes an anti-analysis feature, checking if it is running within a virtual machine or sandboxed environment and terminating itself if such an environment is detected.

Source: https://securityaffairs.com/185170/apt/contagious-interview-campaign-expands-with-197-npm-ppackages-spreading-new-ottercookie-malware.html