malware npm

node-env-resolve

discovered 2026-05-03

node-env-resolve is identified in the SafeDep analysis "node-env-resolve: npm Package Installs a Full RAT". node-env-resolve is a malicious npm package that installs a full-featured remote access trojan on developer machines. The RAT streams screens, captures audio, steals browser history, and gives full mouse and keyboard control to a remote operator. The toolkit matches the OtterCookie RAT family linked to North Korea's Contagious Interview campaign.

more…

Threat types

credential_stealer data_exfiltration rat persistence

Malicious versions

1.0.3

Campaigns

tanvisoul9 npm Backdoorsattributed-to

Indicators

domain 152.67.0.53communicates-with
ipv4 152.67.0.53communicates-with
ipv4 216.126.237.71communicates-with
email tanvisoul9@gmail.comexfiltrates-to

Techniques

ttp T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttp T1059.007 Command and Scripting Interpreter: JavaScriptuses
ttp T1552.001 Unsecured Credentials: Credentials In Filesuses
ttp T1041 Exfiltration Over C2 Channeluses
ttp T1552.004 Unsecured Credentials: Private Keysuses
ttp T1539 Steal Web Session Cookieuses
ttp T1105 Ingress Tool Transferuses
ttp T1071.001 Application Layer Protocol: Web Protocolsuses
ttp T1546 Event Triggered Executionuses

Read the full analysis →