{
	"id": "66b0eb96-b0bc-4e77-a309-1401a3119392",
	"created_at": "2026-04-10T03:21:57.89977Z",
	"updated_at": "2026-04-10T13:11:43.074791Z",
	"deleted_at": null,
	"sha1_hash": "f94c815300796725fcc66f749381a529dbf9ee78",
	"title": "OtterCookie Expands Targeting to AI Coding Tools",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2172579,
	"plain_text": "OtterCookie Expands Targeting to AI Coding Tools\r\nPublished: 2026-04-04 · Archived: 2026-04-10 03:01:17 UTC\r\nOn March 20, 2026, an npm account operating under the username gemini-check published a package titled\r\ngemini-ai-checker , presenting itself as a utility to verify Google Gemini AI tokens. Interestingly, the package\r\nREADME displayed wording copied from the legitimate package chai-await-async, a JavaScript assertion library\r\nwith no obvious relationship to Gemini. Code analysis revealed the package contacts a Vercel-hosted staging\r\nendpoint, server-check-genimi.vercel[.]app to retrieve and execute a JavaScript payload.\r\nThe account continues to host two malicious packages sharing the same infrastructure: express-flowlimit and\r\nchai-extensions-extras , which have been downloaded more than 500 times combined as of publication.\r\nDe-obfuscation of the downloaded code showed a number of similarities to OtterCookie, a JavaScript backdoor\r\nattributed to the Contagious Interview campaign linked to DPRK threat activity. The malware behavior more\r\nclosely aligns with the version recently covered by Microsoft in March, which has been assessed to be active since\r\nOctober 2025. The sample also contained functionality not previously reported: specific targeting of tokens/keys\r\nrelated to AI coding tools like Cursor, Claude, Windsurf, PearAI, among others.\r\nPackage Discovery and Delivery\r\nDevelopers represent a consistent target for DPRK groups, specifically in the Contagious Interview campaign.\r\nThese actors understand dev workflows and attempt to add legitimacy to the malicious packages by using\r\nREADME docs, and dependency structures that would appear credible to someone needing to quickly install\r\nsoftware.\r\nhttps://cyberandramen.net/2026/04/04/ottercookie-expands-targeting-to-ai-coding-tools-analysis-of-a-trojanized-npm-campaign/\r\nPage 1 of 10\n\nFigure 1: Screenshot of the gemini-ai-checker package with mismatch documentation.\r\nThe gemini-ai-checker package listed four dependencies and contained 44 files across 271kB, larger than most\r\ntoken verification programs. The folder structure mirrors modern projects including SECURITY markdown files.\r\nhttps://cyberandramen.net/2026/04/04/ottercookie-expands-targeting-to-ai-coding-tools-analysis-of-a-trojanized-npm-campaign/\r\nPage 2 of 10\n\nFigure 2: Folder structure for malicious package\r\nBuried in lib/config.js is the C2 configuration, which includes the staging domain, authentication token, path,\r\nversion, and bearer token as variables. This method prevents the full URL from being identified in a string search,\r\nbut wouldn’t do much in the way of hiding if a defender were to simply look for ‘http://\u0026#8217; in the codebase.\r\nhttps://cyberandramen.net/2026/04/04/ottercookie-expands-targeting-to-ai-coding-tools-analysis-of-a-trojanized-npm-campaign/\r\nPage 3 of 10\n\nFigure 3: C2 configuration including separate endpoints and HTTP tokens.\r\nOn install, lib/caller.js assembles the full URL from the above components and sends an HTTP GET request\r\nto server-check-genimi.vercel[.]app/defy/v3 with the header bearrtoken: logo . The package retries the\r\nrequest up to five times. A successful 200 response logs the returned token value and exits. When a 404 is returned\r\ncontaining a token field in the response body, the value is passed to Function.constructor and executed with access\r\nto Node.js require, never touching disk. Using Function.constructor as opposed to eval was likely chosen to\r\nreduce static analysis tools looking for common dynamic execution calls.\r\nJust before April 1, gemini-ai-checker was removed, however the two packages mentioned in the opening are\r\nstill live. Both share the same Vercel infrastructure and delivery mechanism, and continue to accumulate\r\ndownloads, likely a mix of researchers and unwitting users.\r\nFigure 4: Two remaining packages on the gemini-check account\r\nhttps://cyberandramen.net/2026/04/04/ottercookie-expands-targeting-to-ai-coding-tools-analysis-of-a-trojanized-npm-campaign/\r\nPage 4 of 10\n\nPayload Analysis\r\nPrior to the package being taken down, the JavaScript backdoor was retrieved from the Vercel domain. The code\r\nemploys a heavy use of obfuscation as previously documented by Microsoft in their reporting: shuffled string\r\narray combined with encoded index lookups that conceal any meaningful strings or logic. Every function name,\r\nAPI call and string is resolved at runtime through a central decoder function. Before and after screenshots are\r\nprovided below.\r\nFigure 5: Snippet of the obfuscated JavaScript code\r\nFigure 6: De-obfuscated code snippet\r\nFull decoding reveals a four-module malware architecture. The malware’s developers decided to have the outer\r\npayload spawns four independent Node.js processes at execution, each containing its own encoded string table.\r\nThis behavior allows for two things: secondary payloads are not requested from the C2 server\r\n( 216.126.237[.]71 ), and there is no dependency on the servers availability for any secondary or tertiary stage\r\ndelivery.\r\nhttps://cyberandramen.net/2026/04/04/ottercookie-expands-targeting-to-ai-coding-tools-analysis-of-a-trojanized-npm-campaign/\r\nPage 5 of 10\n\nModule Role C2 Port\r\n0 Socket.IO RAT – remote control 216.126.237[.]71 4891\r\n1 Credential stealer 216.126.237[.]71 4896\r\n2 File exfil 216.126.237[.]71 4899\r\n3 Clipboard stealer 216.126.237[.]71 80\r\nModule 0 establishes a connection to the C2 server using socket.io, providing full remote access capability. The\r\nmalware masquerades its process title as vhost.ctl and includes a process ID lock to prevent concurrent executions.\r\nAs OtterCookie has been covered in depth, here are just a few of the options available to the operator: real-time\r\nscreen capture using screenshot-desktop and sharp, keyboard and mouse control, and much more.\r\nModule 1 targets browser credential databases and digital currency wallet storage across Chrome, Brave,\r\nMicrosoft Edge, and LT Browser on Windows, macOS, and Linux. For macOS systems, the login keychain is also\r\ntargeted. Over 25 wallets are enumerated including MetaMask, Phantom, Exodus, and Ronin with their local\r\ndatabase contents copied and uploaded to the C2 via multipart for POST requests.\r\nModule 2 performs a sweep of the victims home directory by looking for a specific set of extensions: .env, .pem,\r\n.key, .json, .csv, .doc, .pdf, and .xlsx. More specific targeting of directories is discussed later in this post.\r\nModule 3 polls the clipboard every 500 milliseconds. Content changes are debounced by the same time before\r\ntransmission to the C2 logging endpoint. A 3,000 millisecond startup delay is used to avoid detection in sandbox\r\nenvironments.\r\nOtterCookie Similarities\r\nWe alluded to it earlier, but the decoded payload shares consistencies with OtterCookie and was most recently\r\ndocumented by Microsoft just last month. One of the most direct points of comparison is the clipboard monitoring\r\nfunction. Module 3 includes code which structurally identical, using the same operating system detection and\r\ndebounce timing as the above report.\r\nhttps://cyberandramen.net/2026/04/04/ottercookie-expands-targeting-to-ai-coding-tools-analysis-of-a-trojanized-npm-campaign/\r\nPage 6 of 10\n\nFigure 7: Source code snippet of the clipboard module (Source: Microsoft)\r\nhttps://cyberandramen.net/2026/04/04/ottercookie-expands-targeting-to-ai-coding-tools-analysis-of-a-trojanized-npm-campaign/\r\nPage 7 of 10\n\nFigure 8: Snippet of the clipboard implementation from the malicious npm package\r\nIn total, the obfuscation pattern, malware architecture, socket.io communication and fingerprinting behavior are\r\nconsistent with a variant of the OtterCookie malware also reported by Cisco Talos. To avoid confusion, attribution\r\nto this activity will be generally cited as moderate-high confidence to an active DPRK group.\r\nThe actor used a compromised Hotmail account to sign up and upload the packages. No other pivots were found\r\nrelated to the email address.\r\nAI Coding Tools Under Attack\r\nIn addition to those mentioned above, module 2 (file exfiltration) targets .ssh, .aws, .bash_history, but also\r\nexplicitly enumerates directories associated with AI coding tools as a separate category, likely in search of API\r\nkeys, tokens, and conversation logs.\r\nThe identified directories include:\r\n.cursor – Cursor AI IDE\r\n.claude – Anthropic Claude Code\r\n.gemini – Gemini CLI\r\n.windsurf – Windsurf AI IDE\r\n.pearai – PearAI\r\n.eigent – Eigent AI\r\nThese directories are explicitly sought out by the code, indicating the operator seeks to exploit high-cost AI\r\nservices, steal sensitive data like conversations with the LLM, or the theft of software source code.\r\nThis targeting reflects how AI coding tools have become embedded in almost everyone’s workflow, especially\r\ndevelopers. Theft of this data when combined with SSH and cloud credentials, not only allows the attacker to\r\ncontrol the victim’s computer, but also facilitate access into enterprise networks.\r\nConclusion\r\nThis post documented a malicious npm campaign operating under an account seeking to spoof Google’s Gemini\r\nAI product. As of publication of these findings, additional packages from this actor and others continue to be\r\ndownloaded infecting users with OtterCookie variants. The continued targeting of software developers through the\r\nnpm supply chain and addition of credential theft from LLM tools is a threat that will likely persist across code\r\nrepository sites in a game of whack-a-mole between security teams and bad actors.\r\nCyberandRamen will continue to track this actor, and publish an update if the actor moves to another platform, or\r\nuploads new malware.\r\nFor Defenders\r\nBlock outbound connections to Vercel if feasible, or monitor for connection requests to the platform.\r\nhttps://cyberandramen.net/2026/04/04/ottercookie-expands-targeting-to-ai-coding-tools-analysis-of-a-trojanized-npm-campaign/\r\nPage 8 of 10\n\nUse the KQL queries published by Microsoft to identify suspicious process behavior which is consistent\r\nwith this sample.\r\nReport any packages which are newly published and seek to spoof well-known, established brands.\r\nFor Developers\r\nTreat AI coding tool directories with the same sensitivity as you would apply to .ssh, .aws, .git, etc.\r\nVerify npm package contents (where possible) before installing. Look for discrepancies between package\r\nname and README documentation.\r\nReview social media and npm alerts to see if you may have installed a trojanized package.\r\nNetwork Indicators\r\nType Value Purpose\r\nDownload\r\nURL\r\nserver-check-genimi.vercel[.]app/defy/v3\r\nMalicious domain serving\r\nOtterCookie\r\nDownload\r\nToken\r\nlogo HTTP bearer token\r\nC2 IP\r\nAddress\r\n216.126.237[.]71:4891 (AS14956 –\r\nRouterHosting LLC)\r\nRAT/C2\r\nC2 Port 4896 File exfiltration\r\nC2 Port 4899 Credential Theft\r\nC2 Endpoint /api/service/makelog\r\nInitial connection containing\r\nvictim fingerprinting info\r\nC2 Endpoint /api/service/process C2 command output reporting\r\nFile Indicator\r\nFile SHA-256\r\nOtterCookie d26da2d0f14d8a160f2f937a6081dae0c4b31bb4e5539187a56d658372f33b22\r\nMalicious Package Names\r\nTitle Observed Versions Package/Entity Spoofed\r\ngemini-ai-checker 1.3.3, 1.3.4 Google Gemini AI\r\nexpress-flowlimit 1.3.6, 2.1.6, 2.2.7, 2.2.8 Node JS Express\r\nhttps://cyberandramen.net/2026/04/04/ottercookie-expands-targeting-to-ai-coding-tools-analysis-of-a-trojanized-npm-campaign/\r\nPage 9 of 10\n\nchai-extensions-extras 1.2.5 Chai JavaScript Library\r\nSource: https://cyberandramen.net/2026/04/04/ottercookie-expands-targeting-to-ai-coding-tools-analysis-of-a-trojanized-npm-campaign/\r\nhttps://cyberandramen.net/2026/04/04/ottercookie-expands-targeting-to-ai-coding-tools-analysis-of-a-trojanized-npm-campaign/\r\nPage 10 of 10",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cyberandramen.net/2026/04/04/ottercookie-expands-targeting-to-ai-coding-tools-analysis-of-a-trojanized-npm-campaign/"
	],
	"report_names": [
		"ottercookie-expands-targeting-to-ai-coding-tools-analysis-of-a-trojanized-npm-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775791317,
	"ts_updated_at": 1775826703,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f94c815300796725fcc66f749381a529dbf9ee78.pdf",
		"text": "https://archive.orkl.eu/f94c815300796725fcc66f749381a529dbf9ee78.txt",
		"img": "https://archive.orkl.eu/f94c815300796725fcc66f749381a529dbf9ee78.jpg"
	}
}