Back to Intelligence

Multi-Platform Infostealer Surge: OtterCookie npm Supply Chain, NWHStealer, and Chrome Extension Session Hijacking

SA
Security Arsenal Team
April 15, 2026
5 min read

Date: 2026-04-15
Source: AlienVault OTX
Category: Infostealer & Credential Theft

Threat Summary

Recent OTX pulses indicate a coordinated escalation in credential-theft operations spanning development supply chains, consumer software distribution, and browser extensions. The primary threat landscape is dominated by three distinct vectors:

  1. Supply Chain Compromise: North Korean threat actor FAMOUS CHOLLIMA is utilizing a sophisticated two-layer obfuscation strategy on npm, distributing the OtterCookie infostealer via benign package wrappers (e.g., big.js) that pull malicious dependencies.
  2. Social Engineering & Fake Sites: The NWHStealer campaign leverages typosquatting domains (e.g., get-proton-vpn.com) and fake gaming mods to distribute Windows-based credential and crypto wallet thieves.
  3. Browser Extension Abuse: A massive campaign involving 108 malicious Chrome extensions is utilizing shared C2 infrastructure (cloudapi.stream) to hijack Google OAuth2 sessions and Telegram Web data. Simultaneously, a Brazilian actor (ANTONIO EDUARDO FREDERICO) is using ClickFix tactics to force-install malicious extensions via Chrome Cloud Management policies.

Collectively, these campaigns aim to harvest high-value credentials (SSH, Crypto Wallets, Banking) and establish persistence within user browsers and development environments.

Threat Actor / Malware Profile

Malware / ActorAttributionDistribution MethodPayload BehaviorC2 / Persistence
OtterCookieFAMOUS CHOLLIMA (NK)Malicious npm packages; big.js wrapper strategy.Credential theft, SSH backdoor, info-stealing (Koalemos/BeaverTail variants).Vercel infrastructure; Hidden SSH backdoors.
NWHStealerUnknownFake VPN sites, Hardware utilities, Gaming mods.Steals browser data, saved passwords, cryptocurrency wallets.Standard HTTP/HTTPS C2; Phishing domains.
notnullOSXalh1mikClickFix social engineering, Malicious DMGs.Targets macOS users with >$10k crypto; Modular Go-written stealer.Custom C2; Registry/LaunchAgent persistence.
Chrome ExtensionsUnknown (Shared Infra)108 Extensions via Web Store / Social Engineering.Google Identity theft via OAuth2; Telegram session hijacking.cloudapi.stream shared infrastructure.
BCB / ClickFixANTONIO EDUARDO FREDERICOClickFix tech support scams.Fake Banco Central do Brasil tool; Banking credential theft.Unauthenticated C2; Chrome Cloud Management force-install.

IOC Analysis

The provided indicators span multiple infrastructure types requiring different blocking strategies:

  • Network Infrastructure (IPv4): Significant activity observed in IP ranges 144.172.0.0/16 (associated with OtterCookie/Vercel abuse) and 144.126.0.0/16 (associated with Chrome Extension C2). These should be blocked at the perimeter.
  • Typosquatting Domains: Domains like get-proton-vpn.com and vpn-proton-setup.com indicate a focus on impersonating legitimate privacy tools. DNS Sinkholing is recommended.
  • File Hashes: Multiple SHA256/MD5 hashes associated with NWHStealer and macOS payloads. These should be uploaded to EDR threat feeds for immediate execution blocking.
  • Registry/Policy Artifacts: The ClickFix campaign leverages Chrome Cloud Management tokens. SOC teams should audit registry keys for forced extension enrollments.

Detection Engineering

Sigma Rules

YAML
---
title: Potential OtterCookie NPM Supply Chain Activity
id: 8a7f9d12-3b4c-4f1e-9a0d-2c5e6f8a1b3c
description: Detects suspicious npm package execution patterns associated with OtterCookie wrapper packages invoking obfuscated scripts.
status: experimental
date: 2026/04/15
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6427f8d9-1c2a-4b3e-8f7d-9e1a2b3c4d5e
tags:
    - attack.supply_chain
    - attack.execution
    - ottercookie
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\node.exe'
            - '\npm.cmd'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - 'preinstall'
            - 'postinstall'
    condition: selection
falsepositives:
    - Legitimate npm package installation scripts
level: high
---
title: Chrome Extension Force Install via Cloud Management
id: 9b8e0c23-4c5d-5e2f-0a1e-3d6f7a8b9c0d
description: Detects registry modifications indicative of the ClickFix campaign force-installing malicious Chrome extensions via Cloud Management policies.
status: experimental
date: 2026/04/15
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
tags:
    - attack.persistence
    - attack.privilege_escalation
    - clickfix
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: 'Software\Policies\Google\Chrome\ExtensionInstallForcelist'
    condition: selection
falsepositives:
    - Legitimate IT administration forcing internal extensions
level: high
---
title: Infostealer C2 Communication - cloudapi.stream
id: 0c1d2e3f-4a5b-6c7d-8e9f-0a1b2c3d4e5f
description: Detects network connections to the shared C2 infrastructure used by 108 malicious Chrome extensions.
status: experimental
date: 2026/04/15
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/2b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e
tags:
    - attack.c2
    - attack.exfiltration
    - chrome-extension
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains:
            - 'cloudapi.stream'
            - 'crm.cloudapi.stream'
    condition: selection
falsepositives:
    - Unknown (low legitimate traffic volume expected)
level: critical

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for network connections to known IOCs and C2 infrastructure
let IOCDomains = dynamic(["cloudapi.stream", "get-proton-vpn.com", "vpn-proton-setup.com", "coockie.pro", "xpie348.online"]);
let IOCIPs = dynamic(["144.172.110.228", "107.189.22.20", "144.172.110.96", "144.172.110.132", "144.172.116.22", "144.172.93.169", "144.172.93.253", "144.172.99.248", "83.217.209.88", "144.126.135.238", "144.126.140.33"]);
DeviceNetworkEvents
| where RemoteUrl has_any (IOCDomains) or RemoteIP has_any (IOCIPs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| extend Timestamp = format_datetime(Timestamp, 'yyyy-MM-dd HH:mm:ss')

PowerShell Hunt Script

PowerShell
# IOC Hunt for Chrome Extension Registry Keys and File Hashes
$MaliciousHashes = @(
    "5cb3b902ae5993ae4e502f1c29cfb4e0",
    "8ef6bcde887786d1a96497fa9aa04fd4e1eb02b0",
    "2494709b8a2646640b08b1d5d75b6bfb3167540ed4acdb55ded050f6df9c53b3",
    "401c125517b1f845289bf0a7a33e5db0391034f631eab85dd65b76b7fec9a959",
    "386d4093f70219b8291d3f9e6f71ee1f"
)

Write-Host "[+] Checking for Malicious Chrome Extension Policies..." -ForegroundColor Cyan
$RegPath = "HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist"
if (Test-Path $RegPath) {
    $Policies = Get-Item $RegPath
    Write-Host "[!] WARNING: Chrome Force-Install Policies Found:" -ForegroundColor Red
    $Policies.Property | ForEach-Object { Write-Host " - Policy: $_" }
} else {
    Write-Host "[-] No Force-Install Policies detected." -ForegroundColor Green
}

Write-Host "[+] Scanning for specific file hashes (Requires Admin rights for full scan)..." -ForegroundColor Cyan
# This is a placeholder; a full disk scan would take significantly longer.
# In a real scenario, integrate with your AV/EDR API or use Get-ChildItem recursively.
Write-Host "[-] Skipping deep file scan. Please manually audit downloads against: $($MaliciousHashes -join ', ')" -ForegroundColor Yellow

Response Priorities

  • Immediate: Block all cloudapi.stream subdomains and the listed IP ranges at the firewall/proxy. Push the provided Sigma rules to SIEM/EDR for alerting.
  • 24h: Initiate a credential reset for all accounts accessed from infected endpoints. Identity verification is critical given the session-hijacking nature of the Chrome extensions.
  • 1 Week: Audit npm supply chain security (enforce 2FA, review package permissions) and implement strict allow-listing for browser extensions. Review Chrome Cloud Management enrollment tokens to identify unauthorized policy enrollments.

Related Resources

Security Arsenal Incident Response
Managed SOC & MDR Services
AlertMonitor Threat Detection
From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialsottercookienwhstealerchrome-extensionsclickfixinfostealer

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action