A new investigative report from Panther has identified a dangerous cluster of malicious packages lurking within the npm registry. Between April 6 and April 9, 2026, Panther’s npm scanner flagged several obfuscated packages that were eventually unmasked as variants of OtterCookie, a potent infostealer and backdoor toolchain attributed to North Korean state-sponsored threat actors.
The campaign utilizes a deceptive “two-layer distribution strategy” designed to bypass manual code reviews and automated security filters. Attackers publish a “benign wrapper package” that clones a legitimate, widely used library—in this case, the big.js library—to appear harmless to developers.
According to the report, “The wrapper’s source code is entirely benign; the only modification is the addition of a payload package (e.g., bjs-lint-builder) as a dependency”. When a victim runs a standard npm install, the payload is automatically resolved and installed, pulling the malicious code one dependency layer deeper into the environment.

The Panther research team highlighted a significant technical advancement in the obfuscation techniques used by these actors. The malware utilizes a custom base91-like string encoding scheme where each function scope employs a different alphabet.
The report notes that “The custom base91 encoding with per-function alphabet rotation represents a notable advancement over the obfuscator.io techniques used in earlier campaigns like BeaverTail and Koalemos”. This method effectively defeats static string extraction, forcing analysts to manually identify the correct decoder context for every individual function scope.
Once active, the OtterCookie payload runs two parallel attack chains:
- Targeted Pass: It searches the working directory for high-value secrets, such as Solana wallet keypairs, Rust configuration, and environment files.
- Comprehensive Scan: It fetches dynamic configurations from a Vercel-hosted Command and Control (C2) server to recursively walk the entire filesystem for specific file extensions.
The ultimate goal of the campaign is permanent access. On Linux systems, the malware automatically installs an SSH public key backdoor by appending a fetched key to the ~/.ssh/authorized_keys file and even attempting to open port 22 through the system firewall.
Panther has attributed this campaign with “high confidence” to the North Korean threat group DPRK / FAMOUS CHOLLIMA. The investigation revealed direct infrastructure and tradecraft overlaps with previous campaigns known as “Contagious Interview” (or “graphalgo”) and “Contagious Trader”.
The report highlights shared operational failures as a key link, noting that “kmsec notes that npm-builders v1.0.8 was published unobfuscated, and we independently found the same mistake in bjs-lint-builders v1.0.4. The two plaintext samples are functionally identical”.
Developers are urged to audit their dependency chains for unexpected “lint” or “builder” packages that may be hiding just one layer out of sight.
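The wrapper-plus-payload pattern described earlier (a clone of a popular library whose only change is one added dependency) and the audit advice just given can be turned into a lockfile check. The Node.js script below is an added example, not code from Panther or from the report: it walks the `packages` map of a `package-lock.json` (lockfile version 3) and reports transitive dependencies whose names match the "lint"/"builder" pattern, that the root project never declared, or that run an install script. The sample lockfile, the wrapper name `bigjs-clone` and all version numbers are constructed for the example; only the payload name `bjs-lint-builder` comes from the report.

```javascript
// Added example, not code from Panther or from the report: audit a
// package-lock.json (lockfile v3 "packages" map) for the wrapper-plus-payload
// pattern, where a harmless-looking direct dependency pulls a suspicious
// package one layer deeper.

// Name fragments the report associates with payload packages ("lint", "builder").
const SUSPICIOUS_NAME = /(^|[-_.])(lint|linter|build|builder|builders)([-_.]|$)/i;

// Constructed sample lockfile. "bigjs-clone" stands in for a wrapper that
// copies big.js; its only change is the extra dependency "bjs-lint-builder",
// the payload name given in the report. Versions are made up for the example.
const SAMPLE_LOCK = {
  name: "victim-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "bigjs-clone": "^6.2.1", lodash: "^4.17.21" } },
    "node_modules/bigjs-clone": {
      version: "6.2.1",
      dependencies: { "bjs-lint-builder": "^1.0.4" },
    },
    "node_modules/bjs-lint-builder": { version: "1.0.4", hasInstallScript: true },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

// Walk every dependency edge in the lockfile and collect reasons a dependency
// deserves a look. A package is reported when at least two reasons apply.
function auditLock(lock) {
  const pkgs = lock.packages || {};
  const root = pkgs[""] || {};
  const direct = new Set(Object.keys(root.dependencies || {}));
  const findings = [];
  for (const [path, meta] of Object.entries(pkgs)) {
    if (path === "") continue;
    const parent = path.replace(/^.*node_modules\//, "");
    for (const dep of Object.keys(meta.dependencies || {})) {
      // hoisted install first, then a nested copy under the parent
      const child =
        pkgs[`node_modules/${dep}`] || pkgs[`${path}/node_modules/${dep}`] || {};
      const reasons = [];
      if (SUSPICIOUS_NAME.test(dep)) reasons.push("name matches the lint/builder pattern");
      if (!direct.has(dep)) reasons.push("not declared by the root project (one layer deeper)");
      if (child.hasInstallScript) reasons.push("runs an install script");
      if (reasons.length >= 2) {
        findings.push({ package: dep, version: child.version, parent, reasons });
      }
    }
  }
  return findings;
}

// Usage: node audit-lock.js [path/to/package-lock.json]; falls back to the sample.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  for (const f of auditLock(lock)) {
    console.log(`${f.parent} -> ${f.package}@${f.version}: ${f.reasons.join("; ")}`);
  }
}
```

Run against the sample, the script reports `bigjs-clone -> bjs-lint-builder@1.0.4` with all three reasons, while `lodash` stays quiet. The name pattern alone is a weak signal (plenty of legitimate packages are called something-builder), which is why the script only reports a package when two or more signals coincide; on a real lockfile, compare the reported parent against the upstream library it claims to mirror, since big.js itself declares no runtime dependencies.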