A newly discovered malware strain called OtterCookie is targeting software developers with sophisticated credential theft capabilities, according to recent analysis from security researchers. The Node.js-based remote access trojan (RAT) is designed to harvest sensitive data including SSH keys, cloud service credentials, authentication tokens, and development secrets directly from active developer workstations.
Initial assessments suggested OtterCookie might be related to the previously documented BeaverTail malware family, but further analysis has confirmed it operates as a completely separate threat. The malware features its own distinct command-and-control architecture and demonstrates a more aggressive approach to persistent surveillance compared to earlier threats targeting the developer community.
OtterCookie's technical implementation leverages Node.js to maintain cross-platform compatibility, allowing it to compromise Windows, macOS, and Linux development environments. The malware's primary function centers on real-time data collection, continuously monitoring developer activities and extracting credentials as they are used in daily workflows. This approach enables attackers to capture authentication materials that might otherwise be protected by encryption at rest or secure storage mechanisms.
The impact of OtterCookie infections extends beyond individual developer machines to potentially compromise entire cloud infrastructures and source code repositories. Stolen SSH keys can provide persistent access to version control systems and production servers, while captured cloud credentials may enable unauthorized access to AWS, Azure, Google Cloud, or other platform resources. Authentication tokens for services like GitHub, GitLab, or CI/CD pipelines represent additional high-value targets that could facilitate supply chain attacks.
Organizations employing software development teams should take immediate defensive action. Priority steps include conducting forensic audits of developer workstations for indicators of compromise, implementing mandatory rotation of all SSH keys and cloud service credentials, and deploying enhanced monitoring for unusual network traffic or data exfiltration patterns. Development teams should also review and strengthen their secrets management practices, implement hardware security keys where possible, and ensure endpoint detection and response (EDR) solutions are actively monitoring all developer systems for suspicious Node.js process behavior.
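As an added defensive example (not code from the article or its source), the following Python script audits a developer home directory for the material OtterCookie is reported to harvest: SSH private keys stored without a passphrase and plaintext cloud or service credential files, so they can be prioritised for rotation after a suspected compromise. The credential file locations are assumed tool defaults, and the constructed sample directory built by `demo()` stands in for a real workstation.

```python
import base64, re, tempfile
from pathlib import Path

# Assumed default locations of plaintext credential/token files that malware
# running as the developer could read directly; adjust for your tooling.
CREDENTIAL_FILES = [".aws/credentials", ".git-credentials", ".npmrc", ".docker/config.json", ".kube/config"]
TOKEN_PATTERNS = {".npmrc": re.compile(r"_authToken\s*=\s*\S+"),
                  ".git-credentials": re.compile(r"https?://[^:/]+:[^@]+@")}

def ssh_key_is_encrypted(data: bytes) -> bool:
    """True when an SSH private key file is passphrase-protected."""
    if b"BEGIN OPENSSH PRIVATE KEY" in data:
        # OpenSSH format: "openssh-key-v1\0" followed by a length-prefixed
        # ciphername; "none" means the key material has no passphrase.
        body = b"".join(line for line in data.splitlines() if not line.startswith(b"-----"))
        raw = base64.b64decode(body)
        pos = raw.index(b"\x00") + 1
        clen = int.from_bytes(raw[pos:pos + 4], "big")
        return raw[pos + 4:pos + 4 + clen] != b"none"
    # Legacy PEM keys mark encryption in a Proc-Type header.
    return b"Proc-Type: 4,ENCRYPTED" in data or b"ENCRYPTED PRIVATE KEY" in data

def audit_home(home: Path) -> list:
    """Return (relative path, reason) pairs to rotate first after a compromise."""
    findings = []
    for key in (home / ".ssh").glob("*"):
        data = key.read_bytes() if key.is_file() else b""
        if b"PRIVATE KEY-----" in data and not ssh_key_is_encrypted(data):
            findings.append((key.relative_to(home).as_posix(), "unencrypted SSH private key"))
    for rel in CREDENTIAL_FILES:
        path = home / rel
        if path.is_file():
            pattern = TOKEN_PATTERNS.get(path.name)
            if pattern is None or pattern.search(path.read_text(errors="ignore")):
                findings.append((rel, "plaintext credential/token file"))
    return sorted(findings)

def openssh_blob(cipher: bytes) -> bytes:  # constructed header only, not a usable key
    raw = b"openssh-key-v1\x00" + len(cipher).to_bytes(4, "big") + cipher
    return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(raw)
            + b"\n-----END OPENSSH PRIVATE KEY-----\n")

def demo() -> list:  # constructed sample home directory standing in for a workstation
    home = Path(tempfile.mkdtemp())
    (home / ".ssh").mkdir()
    (home / ".ssh" / "id_ed25519").write_bytes(openssh_blob(b"none"))
    (home / ".ssh" / "id_work").write_bytes(openssh_blob(b"aes256-ctr"))
    (home / ".npmrc").write_text("//registry.npmjs.org/:_authToken=npm_EXAMPLE\n")
    (home / ".aws").mkdir()
    (home / ".aws" / "credentials").write_text("[default]\naws_access_key_id=AKIAEXAMPLE\n")
    return audit_home(home)
```

A passphrase does not stop a RAT that captures the key as it is used, which is the behaviour the article describes, so the audit is a rotation priority list rather than a substitute for rotating everything.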
Source: https://gbhackers.com/ottercookie-malware-steals-dev-secrets/