cd /news/ai-safety/node-env-resolve-npm-package-install… · home topics ai-safety article
[ARTICLE · art-15068] src=safedep.io ↗ pub= topic=ai-safety verified=true sentiment=↓ negative

node-env-resolve: npm Package Installs a Full RAT

The malicious npm package `node-env-resolve`, disguised as a lightweight environment configuration resolver, installs a full remote access trojan (RAT) on victim machines upon execution of `npm install`. The package, published by maintainer `user0001` and downloaded 1,293 times in the last 30 days, copies a persistent agent to a hidden directory, registers it for autostart, and connects to a command-and-control server at `hxxp://152.67.0.53:8471`, enabling remote operators to stream screens, capture audio, control mouse and keyboard, access browser history, and read or write files. The RAT's capabilities match the OtterCookie toolkit linked to North Korean Contagious Interview campaign packages, posing a significant supply chain security threat to Node.js developers.

read6 min views14 publishedMay 3, 2026

Table of Contents

TL;DR #

node-env-resolve is a malicious npm package that ships a full remote access trojan (RAT) disguised as a “lightweight environment configuration resolver.” Running npm install node-env-resolve

copies a persistent agent to a hidden directory, registers it as an autostart service, and connects to a command-and-control server at hxxp://152.67.0.53:8471

. From there, a remote operator gets live screen streaming, microphone and system audio capture, full mouse and keyboard control, browser history access, and arbitrary file read/write on the victim machine. The dependency set matches the OtterCookie RAT toolkit, documented across multiple North Korean Contagious Interview campaign packages.

What the Package Claims to Be #

The package.json

description reads “Lightweight environment configuration resolver for Node.js.” The actual source files tell a different story: audioCapture.js

, browserHistory.js

, screenCapture.js

, sleepPreventer.js

, inputHandler.js

. There is no environment resolution logic anywhere in the package.

Maintainer user0001

( ) published 10 versions over 8 days (April 25 to May 2, 2026), with 1,293 downloads recorded in the last 30 days. The same account also published [email protected]connector-agent

, node-gyp-runtime , centralogger

, `node-fetch-lite`

, and `dom-utils-lite`

. The C2 IP was a localhost

placeholder in versions 1.0.0 and 1.0.1, then switched to the live address 152.67.0.53:8471

from version 1.0.2 onward.

The Dropper: postinstall.js #

The postinstall

hook fires automatically on install. It copies the full agent into a hidden directory named after the legitimate node-gyp

toolchain, installs dependencies there silently, registers platform-specific persistence, then immediately starts the agent:

On Windows, persistence goes into the registry Run key via a hidden VBScript launcher:

If that fails, the fallback drops ConnectorService.vbs into %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup

.

On macOS, it writes ~/Library/LaunchAgents/com.user.connector.plist

with KeepAlive: true

. On Linux, it writes ~/.config/autostart/connector.desktop

. All three paths require no elevated privileges.

The Payload: What the Agent Does #

The agent (src/index.js

) connects to hxxp://152.67.0.53:8471/agent via Socket.IO with infinite reconnection (2s to 30s exponential backoff). On connection, it registers the machine with a stable 12-character fingerprint:

The operator then drives the agent through socket events. The full capability set:

Event Action
screen:start JPEG-compressed screenshots at up to 4 FPS, streamed as base64
mouse:move/click/scroll Full mouse control via @nut-tree-fork/nut-js
keyboard:type/key/combo Full keyboard input injection
audio:start Microphone or system audio via ffmpeg , streamed as raw PCM
history:request Chrome, Edge, Firefox SQLite history databases (copies locked DB to temp first)
files:list/read/download Browse filesystem, read text files up to 500KB, download binaries up to 10MB
file:write/delete Remote file write and delete within user profile
folder:zip Zip and exfiltrate entire folders up to 50MB
file:upload Push arbitrary files from operator to victim
agent:kill Remove all persistence entries and exit

The sleep preventer runs on startup and stays active for the session’s duration. On Windows it runs a hidden PowerShell loop that refreshes the cursor position every 30 seconds. On macOS it calls caffeinate -dimsu

. On Linux it calls systemd-inhibit

. The intent is uninterrupted screen access during a remote session.

Browser history extraction bypasses file locking by copying the SQLite database to a temp path before querying it:

This works against Chrome, Edge, and Firefox profiles without the browser needing to be closed.

Toolkit Attribution: OtterCookie Fingerprint #

The six runtime dependencies in node-env-resolve

form a documented fingerprint. Researchers tracking the Contagious Interview campaign (North Korea’s DPRK/Lazarus-linked operation targeting developers via fake job interviews) have identified this exact combination as the OtterCookie RAT toolkit:

Dependency Role OtterCookie match
socket.io-client C2 transport yes
screenshot-desktop Screen capture yes
sharp Image compression for streaming yes
@nut-tree-fork/nut-js Mouse and keyboard control yes (documented as newer-variant addition)
better-sqlite3 Browser history via SQLite yes
node-machine-id Stable device fingerprint yes

SafeDep’s earlier analysis of express-session-js, a confirmed Contagious Interview package, found the same toolkit connecting to a different C2 at

216.126.237.71

. The April 2026 DPRK campaign wave documented by [The Hacker News](https://thehackernews.com/2026/04/new-wave-of-dprk-attacks-uses-ai.html)explicitly names

`@nut-tree-fork/nut-js`

as a capability upgrade in newer OtterCookie variants, enabling full remote desktop interaction beyond the basic screenshot-and-clipboard theft seen in earlier versions.The C2 address 152.67.0.53:8471

does not appear in any published Contagious Interview IOC list. The 152.67.x.x

block belongs to Oracle Cloud APAC. Documented campaign infrastructure has leaned on RouterHosting (AS14956), Vercel deployments, and Pastebin-based staging. Whether this is infrastructure rotation by the same operators or a criminal actor reusing the published toolkit is not conclusive from static analysis alone. The toolkit match is exact; attribution to DPRK specifically is assessed with moderate confidence.

node-env-resolve adds microphone and system audio capture and a remote self-uninstall command (agent:kill

) that do not appear in documented OtterCookie writeups, suggesting active development beyond the baseline campaign tooling.

Indicators of Compromise #

**Packages (malicious from v1.0.2):**

`node-env-resolve`

versions 1.0.2 through 1.0.9

Related packages (same maintainer user0001): connector-agent

,node-gyp-runtime ,centralogger

,`node-fetch-lite`

,`dom-utils-lite`

C2:

hxxp://152[.]67[.]0[.]53:8471 (Socket.IO, namespace/agent

) Filesystem:

Platform Path
Windows %APPDATA%\node-gyp-cache\
Windows %APPDATA%\node-gyp-cache\launcher.vbs
Windows (fallback) %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ConnectorService.vbs
macOS ~/.node-gyp-cache/
macOS ~/Library/LaunchAgents/com.user.connector.plist
Linux ~/.node-gyp-cache/
Linux ~/.config/autostart/connector.desktop
| All (temp) | `<tmpdir>/connector_{chrome,edge,firefox}_history_copy.db` |

**Registry (Windows):**

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\node-gyp-cache

Maintainer:

  • npm username: user0001
- Email:
[[email protected]](/cdn-cgi/l/email-protection)

Verdict #

node-env-resolve is a purpose-built RAT delivery vehicle with no legitimate functionality. Any version from 1.0.2 onward installs persistent remote access on the developer’s machine. The toolkit is a direct match for the OtterCookie family tied to North Korea’s Contagious Interview campaign. The package remains active on the npm registry at time of writing.

Related:

  • npm
  • oss
  • malware
  • supply-chain
  • rat

Author

SafeDep Team

safedep.io

Share

The Latest from SafeDep blogs #

Follow for the latest updates and insights on open source security & engineering

141 npm Packages Abuse Registry as Adware Hosting npm account terminal3airport published 141 packages containing a web proxy unblocker disguised as tutoring websites. The packages load popunder ads, external monetization scripts, and Google...

Megalodon: Mass GitHub Repo Backdooring via CI Workflows Over 5,700 malicious commits were pushed to GitHub repositories on May 18, 2026, replacing GitHub Actions workflows with base64-encoded secret exfiltration payloads. The "megalodon" campaign targeted...

forge-jsxy: 22 Versions of an Actively Developed npm RAT forge-jsxy picked up where the taken-down forge-jsx left off, publishing 22 versions over 22 days. Each release added new capabilities: crypto wallet scanning, Chromium extension theft, WebRTC data...

Polymarket npm Packages Steal Crypto Wallet Keys Nine coordinated npm packages target Polymarket traders with a social-engineered postinstall prompt that exfiltrates raw private keys to a Cloudflare Worker. The attacker published all packages...

Ship Code. #

Not Malware. #

Start free with open source tools on your machine. Scale to a unified platform for your organization.

── more in #ai-safety 4 stories · sorted by recency
── more on @node-env-resolve 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/node-env-resolve-npm…] indexed:0 read:6min 2026-05-03 ·