A major security threat has emerged targeting software developers worldwide. North Korean state-sponsored threat actors, operating under the “Contagious Interview” campaign, are systematically spreading malicious packages across npm, GitHub, and Vercel infrastructure to deliver OtterCookie malware.

This sophisticated multi-stage operation demonstrates how threat actors have adapted their tools to target modern JavaScript and Web3 development workflows.

Since October 10, 2025, researchers have uncovered at least 197 new malicious npm packages designed to trick developers into installing compromised code, with over 31,000 additional downloads recorded during this wave alone.

The attack chain works through a carefully coordinated supply chain approach. Threat actors create fake developer portfolios on GitHub, publish typosquatted packages on npm that impersonate legitimate libraries, and use Vercel hosting to stage the malware payloads.

When developers unknowingly install these malicious packages, a postinstall script automatically executes and reaches out to attacker-controlled endpoints to fetch and run the latest OtterCookie variant.

This seamless integration into standard development workflows makes the attack particularly dangerous, as it bypasses traditional security awareness since developers expect npm packages to execute code during installation.

Socket.dev security analysts noted and identified that the infrastructure behind this campaign reveals a well-orchestrated operation.

The researchers traced malicious packages like “tailwind-magic,” which impersonates the legitimate “tailwind-merge” library, to a threat actor-controlled GitHub account named “stardev0914” and a Vercel staging endpoint called “tetrismic.vercel.app.”

This account contained at least 18 repositories designed to serve as both delivery vehicles and convincing lures, with repositories themed around cryptocurrency projects including fake DEX front-ends and token sites.

At least five core malicious packages, including “node-tailwind,” “tailwind-node,” and “react-modal-select,” route through this infrastructure.

The malware architecture itself reflects sophisticated development. OtterCookie operates as a combined infostealer and remote access trojan with cross-platform capabilities spanning Windows, macOS, and Linux.

Once executed within a Node.js process, the malware performs initial environment checks to detect virtual machines and sandboxes, fingerprints the infected host, and then establishes bidirectional communication with command and control servers.

This detection-evasion approach ensures the malware only fully activates on legitimate developer machines rather than analyst environments where security researchers typically operate.

Infection and Persistence Mechanisms

The infection mechanism demonstrates meticulous engineering. The malicious npm packages use a postinstall script that executes when developers run npm install.

This script calls the threat actor endpoint at https://tetrismic.vercel.app/api/ipcheck using axios, which returns JavaScript code embedded in a JSON field named “model.”

The package then extracts this field and executes it with eval inside the victim’s Node.js process, granting the attackers full Node.js privileges and allowing arbitrary code execution.

The staging server continuously updates its main.js payload, enabling threat actors to rotate malware variants across multiple packages and customize responses per target.

Once deployed, OtterCookie establishes persistence through multiple mechanisms. On Windows systems, the malware creates scheduled tasks named “NodeUpdate” that run at logon with highest privileges, and adds registry entries under HKCU\Run\NodeHelper.

The actual payload spawns three asynchronous worker processes using child_process.spawn, each running as a detached Node.js process with stdio redirected to ignore and the windowsHide flag set true.

These processes then unref themselves, allowing them to continue running in the background after the initial loader exits.

The malware simultaneously performs system-wide keylogging using the GlobalKeyboardListener module, captures screenshots from all connected monitors every 5 seconds, exfiltrates clipboard contents, and recursively scans the filesystem for files matching patterns like “.env,” “metamask,” “phantom,” and “seed” to harvest cryptocurrency wallet data and credentials.

The comprehensive data harvesting capabilities extend to browser profiles. The malware specifically targets Chrome and Brave browsers on all three operating systems, accessing stored login credentials by querying the “Login Data” SQLite database found in each browser’s profile directory.

Additionally, it identifies and extracts data from at least 42 different cryptocurrency wallet browser extensions, including MetaMask, Phantom, Keplr, and dozens of others commonly used by Web3 developers.

All collected data flows through the command and control infrastructure at IP address 144.172.104.117, which handles both data collection and tasking, allowing threat actors to issue remote commands and maintain persistent interactive shell access.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post North Korean Hackers Exploiting npm, GitHub, and Vercel to Deliver OtterCookie Malware appeared first on Cyber Security News.

During late October 2025, a new malware campaign dubbed ShadowV2 emerged, coinciding with a global AWS disruption.

This sophisticated threat actively exploits vulnerabilities in IoT devices to assemble a botnet for distributed denial-of-service (DDoS) attacks.

The malware’s rapid deployment indicates a coordinated effort to harness compromised hardware for large-scale disruptive activities.

The infection spread swiftly across seven industries, including technology, education, and retail, impacting organizations in the United States, Europe, and Asia.

Experts believe this surge was likely a “test run” designed to evaluate the botnet’s potential for causing widespread service interruptions.

The widespread nature of the campaign highlights the persistent risks associated with unsecured connected devices in enterprise environments.

Fortinet security analysts identified the malware leveraging older, unpatched security flaws in routers and DVRs from vendors like D-Link and TP-Link.

By targeting these known weaknesses, the attackers successfully compromised numerous devices that organizations had failed to update with the latest firmware patches.

The attack chain initiates when a vulnerable device is forced to download a script named binary.sh from a remote server at 81.88.18.108.

As seen in the above figure, this script automatically detects the host’s architecture—whether ARM, MIPS, or x86—and retrieves the corresponding malware payload to ensure successful execution.

Technical Analysis of ShadowV2

ShadowV2 mirrors the architecture of the “LZRD” Mirai variant but employs distinct obfuscation techniques. Upon launch, it utilizes a simple XOR cipher with the key 0x22 to decrypt its configuration.

Vendor	CVE ID	Vulnerability Details
DDWRT	CVE-2009-2765	HTTP Daemon Arbitrary Command Execution
D-Link	CVE-2020-25506	ShareCenter CGI Code Execution
D-Link	CVE-2022-37055	Buffer Overflow in HNAP Main
D-Link	CVE-2024-10914	Account Manager Command Injection
D-Link	CVE-2024-10915	Account Manager Command Injection
DigiEver	CVE-2023-52163	Time Setup CGI Command Injection
TBK	CVE-2024-3721	DVR Command Injection
TP-Link	CVE-2024-53375	Archer Devices Command Injection

This hidden data includes file paths, such as /proc/, and deceptive User-Agent strings intended to mask malicious traffic as legitimate user activity.

Once active, the malware establishes contact with its command-and-control server to receive attack orders.

It supports multiple DDoS vectors, including UDP floods and TCP SYN floods, mapping these behaviors to specific internal function IDs for rapid deployment against targets.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Actively Exploiting IoT Vulnerabilities to Deploy New ShadowV2 Malware appeared first on Cyber Security News.

A new threat has emerged in the Solana trading community. Security researchers have discovered a malicious Chrome extension named Crypto Copilot that appears to offer convenient trading features but secretly siphons cryptocurrency from users during transactions.

Published on the Chrome Web Store on June 18, 2024, the extension has managed to remain available while quietly stealing funds from hundreds of traders who believed they were using a legitimate tool.

The extension positions itself as a seamless solution for Solana traders looking to execute quick swaps directly from the X social media platform.

It connects to popular wallets like Phantom and Solflare, displays real-time token data from DexScreener, and routes transactions through Raydium, one of the largest decentralized exchanges on Solana.

The marketing materials promise speed, convenience, and one-click trading without mentioning any hidden costs or extra transactions.

Socket.dev security analysts identified the malicious behavior embedded within the extension’s code structure. Behind the attractive interface lies a sophisticated fee-stealing mechanism that operates without user knowledge.

Every time a user performs a swap, the extension injects an undisclosed transfer that routes a minimum of 0.0013 SOL or 0.05% of the total trade amount to an attacker-controlled wallet address: Bjeida13AjgPaUEU9xrh1iQMwxZC7QDdvSfg730xQff7.

Attack Mechanism

The attack works by manipulating transaction construction at the blockchain level. When users initiate a swap, the extension first builds the legitimate Raydium swap instruction.

Then it silently appends a second instruction containing a SystemProgram.transfer command that moves SOL from the user’s wallet directly to the attacker’s address.

The user interface displays only the swap details, creating a false sense of legitimacy. Most wallet confirmation screens show a summary of transactions without highlighting individual instructions, so users sign what appears to be a single transaction while both instructions execute together on-chain.

Socket researchers also discovered additional malicious functionality beyond fee theft. The extension exfiltrates users’ connected wallet public keys to a backend server at crypto[.]copilot-dashboard[.]vercel[.]app/api/users, creating privacy violations.

Furthermore, embedded Helius RPC API credentials expose sensitive infrastructure information, compounding the security risks.

The malicious code resides within assets/popup.js file, wrapped in heavy obfuscation to evade detection.

The Chrome Web Store listing has remained unchanged despite these discoveries, with no warning to potential users about the hidden charges or data collection occurring in the background.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Malicious Chrome Extension Silently Steal and Injects Hidden SOL Fees Into Solana Swaps appeared first on Cyber Security News.