{"slug": "node-env-resolve-npm-package-installs-a-full-rat", "title": "node-env-resolve: npm Package Installs a Full RAT", "summary": "The malicious npm package `node-env-resolve`, disguised as a lightweight environment configuration resolver, installs a full remote access trojan (RAT) on victim machines upon execution of `npm install`. The package, published by maintainer `user0001` and downloaded 1,293 times in the last 30 days, copies a persistent agent to a hidden directory, registers it for autostart, and connects to a command-and-control server at `hxxp://152.67.0.53:8471`, enabling remote operators to stream screens, capture audio, control mouse and keyboard, access browser history, and read or write files. The RAT's capabilities match the OtterCookie toolkit linked to North Korean Contagious Interview campaign packages, posing a significant supply chain security threat to Node.js developers.", "body_md": "# node-env-resolve: npm Package Installs a Full RAT\n\n## TL;DR\n\n`node-env-resolve` is a malicious npm package that ships a full remote access trojan (RAT) disguised as a “lightweight environment configuration resolver.” Running `npm install node-env-resolve` copies a persistent agent to a hidden directory, registers it as an autostart service, and connects to a command-and-control server at `hxxp://152.67.0.53:8471`. From there, a remote operator gets live screen streaming, microphone and system audio capture, full mouse and keyboard control, browser history access, and arbitrary file read/write on the victim machine. 
The dependency set matches the OtterCookie RAT toolkit, documented across multiple North Korean Contagious Interview campaign packages.\n\n## What the Package Claims to Be\n\nThe `package.json` description reads “Lightweight environment configuration resolver for Node.js.” The actual source files tell a different story: `audioCapture.js`, `browserHistory.js`, `screenCapture.js`, `sleepPreventer.js`, `inputHandler.js`. There is no environment resolution logic anywhere in the package.\n\nMaintainer `user0001` published 10 versions over 8 days (April 25 to May 2, 2026), with 1,293 downloads recorded in the last 30 days. The same account also published `connector-agent`, `node-gyp-runtime`, `centralogger`, `node-fetch-lite`, and `dom-utils-lite`. The C2 IP was a `localhost` placeholder in versions 1.0.0 and 1.0.1, then switched to the live address `152.67.0.53:8471` from version 1.0.2 onward.\n\n## The Dropper: `postinstall.js`\n\nThe `postinstall` hook fires automatically on install. It copies the full agent into a hidden directory named after the legitimate `node-gyp` toolchain, installs dependencies there silently, registers platform-specific persistence, then immediately starts the agent:\n\nOn Windows, persistence goes into the registry Run key via a hidden VBScript launcher:\n\nIf that fails, the fallback drops `ConnectorService.vbs` into `%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup`.\n\nOn macOS, it writes `~/Library/LaunchAgents/com.user.connector.plist` with `KeepAlive: true`. On Linux, it writes `~/.config/autostart/connector.desktop`. All three paths require no elevated privileges.\n\n## The Payload: What the Agent Does\n\nThe agent (`src/index.js`) connects to `hxxp://152.67.0.53:8471/agent` via Socket.IO with infinite reconnection (2s to 30s exponential backoff). 
On connection, it registers the machine with a stable 12-character fingerprint:\n\nThe operator then drives the agent through socket events. The full capability set:\n\n| Event | Action |\n|---|---|\n| `screen:start` | JPEG-compressed screenshots at up to 4 FPS, streamed as base64 |\n| `mouse:move/click/scroll` | Full mouse control via `@nut-tree-fork/nut-js` |\n| `keyboard:type/key/combo` | Full keyboard input injection |\n| `audio:start` | Microphone or system audio via `ffmpeg`, streamed as raw PCM |\n| `history:request` | Chrome, Edge, Firefox SQLite history databases (copies locked DB to temp first) |\n| `files:list/read/download` | Browse filesystem, read text files up to 500KB, download binaries up to 10MB |\n| `file:write/delete` | Remote file write and delete within user profile |\n| `folder:zip` | Zip and exfiltrate entire folders up to 50MB |\n| `file:upload` | Push arbitrary files from operator to victim |\n| `agent:kill` | Remove all persistence entries and exit |\n\nThe sleep preventer runs on startup and stays active for the session’s duration. On Windows it runs a hidden PowerShell loop that refreshes the cursor position every 30 seconds. On macOS it calls `caffeinate -dimsu`. On Linux it calls `systemd-inhibit`. The intent is uninterrupted screen access during a remote session.\n\nBrowser history extraction bypasses file locking by copying the SQLite database to a temp path before querying it:\n\nThis works against Chrome, Edge, and Firefox profiles without the browser needing to be closed.\n\n## Toolkit Attribution: OtterCookie Fingerprint\n\nThe six runtime dependencies in `node-env-resolve` form a documented fingerprint. 
Researchers tracking the Contagious Interview campaign (North Korea’s DPRK/Lazarus-linked operation targeting developers via fake job interviews) have identified this exact combination as the OtterCookie RAT toolkit:\n\n| Dependency | Role | OtterCookie match |\n|---|---|---|\n| `socket.io-client` | C2 transport | yes |\n| `screenshot-desktop` | Screen capture | yes |\n| `sharp` | Image compression for streaming | yes |\n| `@nut-tree-fork/nut-js` | Mouse and keyboard control | yes (documented as newer-variant addition) |\n| `better-sqlite3` | Browser history via SQLite | yes |\n| `node-machine-id` | Stable device fingerprint | yes |\n\nSafeDep’s earlier analysis of [express-session-js](https://safedep.io/malicious-npm-package-express-session-js/), a confirmed Contagious Interview package, found the same toolkit connecting to a different C2 at `216.126.237.71`. The April 2026 DPRK campaign wave documented by [The Hacker News](https://thehackernews.com/2026/04/new-wave-of-dprk-attacks-uses-ai.html) explicitly names `@nut-tree-fork/nut-js` as a capability upgrade in newer OtterCookie variants, enabling full remote desktop interaction beyond the basic screenshot-and-clipboard theft seen in earlier versions.\n\nThe C2 address `152.67.0.53:8471` does not appear in any published Contagious Interview IOC list. The `152.67.x.x` block belongs to Oracle Cloud APAC. Documented campaign infrastructure has leaned on RouterHosting (AS14956), Vercel deployments, and Pastebin-based staging. Whether this is infrastructure rotation by the same operators or a criminal actor reusing the published toolkit is not conclusive from static analysis alone. 
The toolkit match is exact; attribution to DPRK specifically is assessed with moderate confidence.\n\n`node-env-resolve` adds microphone and system audio capture and a remote self-uninstall command (`agent:kill`) that do not appear in documented OtterCookie writeups, suggesting active development beyond the baseline campaign tooling.\n\n## Indicators of Compromise\n\n**Packages (malicious from v1.0.2):**\n\n`node-env-resolve` versions 1.0.2 through 1.0.9\n\n**Related packages (same maintainer user0001):**\n\n`connector-agent`, `node-gyp-runtime`, `centralogger`, `node-fetch-lite`, `dom-utils-lite`\n\n**C2:**\n\n`hxxp://152[.]67[.]0[.]53:8471` (Socket.IO, namespace `/agent`)\n\n**Filesystem:**\n\n| Platform | Path |\n|---|---|\n| Windows | `%APPDATA%\\node-gyp-cache\\` |\n| Windows | `%APPDATA%\\node-gyp-cache\\launcher.vbs` |\n| Windows (fallback) | `%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ConnectorService.vbs` |\n| macOS | `~/.node-gyp-cache/` |\n| macOS | `~/Library/LaunchAgents/com.user.connector.plist` |\n| Linux | `~/.node-gyp-cache/` |\n| Linux | `~/.config/autostart/connector.desktop` |\n| All (temp) | `<tmpdir>/connector_{chrome,edge,firefox}_history_copy.db` |\n\n**Registry (Windows):**\n\n`HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\node-gyp-cache`\n\n**Maintainer:**\n\n- npm username: `user0001`\n- Email: [email protected]\n\n## Verdict\n\n`node-env-resolve` is a purpose-built RAT delivery vehicle with no legitimate functionality. Any version from 1.0.2 onward installs persistent remote access on the developer’s machine. The toolkit is a direct match for the OtterCookie family tied to North Korea’s Contagious Interview campaign. 
The package remains active on the npm registry at time of writing.\n\n### Author\n\n#### SafeDep Team\n\nsafedep.io", "url": "https://wpnews.pro/news/node-env-resolve-npm-package-installs-a-full-rat", "canonical_source": "https://safedep.io/malicious-npm-node-env-resolve-rat", "published_at": "2026-05-03 10:00:00+00:00", "updated_at": "2026-05-27 08:40:34.938955+00:00", "lang": "en", "topics": ["ai-safety"], "entities": ["node-env-resolve", "OtterCookie RAT", "user0001", "connector-agent", "node-gyp-runtime", "centralogger", "node-fetch-lite", "dom-utils-lite"], "alternates": {"html": "https://wpnews.pro/news/node-env-resolve-npm-package-installs-a-full-rat", "markdown": "https://wpnews.pro/news/node-env-resolve-npm-package-installs-a-full-rat.md", "text": "https://wpnews.pro/news/node-env-resolve-npm-package-installs-a-full-rat.txt", "jsonld": "https://wpnews.pro/news/node-env-resolve-npm-package-installs-a-full-rat.jsonld"}}