npm

node-env-resolve

node-env-resolve is identified in the SafeDep analysis "node-env-resolve: npm Package Installs a Full RAT". node-env-resolve is a malicious npm package that installs a full-featured remote access trojan on developer machines. The RAT streams screens, captures audio, steals browser history, and gives full mouse and keyboard control to a remote operator. The toolkit matches the OtterCookie RAT family linked to North Korea's Contagious Interview campaign.

discovered 2026-05-03

Threat types

credential_stealerdata_exfiltrationratpersistence

Malicious versions

1.0.3

Campaigns

tanvisoul9 npm Backdoorsattributed-to

Indicators

domain152.67.0.53communicates-with
ipv4152.67.0.53communicates-with
ipv4216.126.237.71communicates-with
email[email protected]exfiltrates-to

Techniques

ttpT1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttpT1059.007 Command and Scripting Interpreter: JavaScriptuses
ttpT1552.001 Unsecured Credentials: Credentials In Filesuses
ttpT1041 Exfiltration Over C2 Channeluses
ttpT1552.004 Unsecured Credentials: Private Keysuses
ttpT1539 Steal Web Session Cookieuses
ttpT1105 Ingress Tool Transferuses
ttpT1071.001 Application Layer Protocol: Web Protocolsuses
ttpT1546 Event Triggered Executionuses

Read the full analysis →