The report, authored by Xavier Mertens, discusses a newly discovered Node.js malware classified as a cross-platform NPM stealer targeting Windows (via WSL), macOS, and Linux. The malicious code is obfuscated but includes embedded plain-text payloads. It features a browser credential stealer supporting various browsers, a recursive file scanner that exfiltrates sensitive files, and a WebSocket connection for communication with a command and control (C2) server known for DPRK activities.
Notably, data exfiltration is conducted via specific ports (8085, 8086, 8087), and the malware employs various techniques to facilitate its operations while communicating securely with its C2 server.
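The indicators the summary lists (WebSocket C2 on ports 8085-8087, escape-heavy obfuscation, recursive directory walking, browser credential file access) can be turned into a static triage check for an npm package before it is installed. The following is an added example written for this page, not code from the report or from the analysed sample; the browser file names, the escape-density threshold and the sample package contents are constructed assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Indicators taken from the report summary: WebSocket C2 on ports 8085-8087,
# obfuscated source with embedded plain-text strings, recursive file walking
# and browser credential access. BROWSER_FILES is an assumed list (common
# Chromium/Firefox credential store names), not taken from the report.
C2_PORTS = {8085, 8086, 8087}
WS_URL = re.compile(r"wss?://[^\s'\"]+?:(\d+)")
HEX_ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
RECURSIVE_WALK = ("readdirSync", "isDirectory")
BROWSER_FILES = ("Login Data", "Local State", "logins.json")
ESCAPE_DENSITY_THRESHOLD = 0.02  # assumed heuristic: escapes per source byte

@dataclass
class Finding:
    path: str
    indicators: list[str] = field(default_factory=list)

def analyze_source(path: str, src: str) -> Finding:
    """Return the indicators found in one JavaScript source file."""
    finding = Finding(path)
    ports = {int(m.group(1)) for m in WS_URL.finditer(src)}
    if ports & C2_PORTS:
        finding.indicators.append(f"websocket-c2-port:{sorted(ports & C2_PORTS)}")
    escapes = len(HEX_ESCAPE.findall(src))
    if escapes / max(len(src), 1) > ESCAPE_DENSITY_THRESHOLD:
        finding.indicators.append("heavy-escape-obfuscation")
    if all(token in src for token in RECURSIVE_WALK):
        finding.indicators.append("recursive-fs-walk")
    if any(name in src for name in BROWSER_FILES):
        finding.indicators.append("browser-credential-paths")
    return finding

def triage_package(files: dict[str, str]) -> list[Finding]:
    """Scan a package given as {relative path: source} and keep flagged files."""
    return [f for f in (analyze_source(p, s) for p, s in files.items()) if f.indicators]

# Constructed sample package for demonstration; the second file imitates the
# traits described in the summary and is not the real malware.
SAMPLE_PACKAGE = {
    "lib/util.js": 'const fs = require("fs");\nmodule.exports = () => fs.readFileSync("config.json");\n',
    "lib/postinstall.js": (
        'var _0x=["\\x4c\\x6f\\x67\\x69\\x6e\\x20\\x44\\x61\\x74\\x61"];\n'
        'const ws = new WebSocket("ws://c2.example.invalid:8086");\n'
        'function walk(d){for(const e of fs.readdirSync(d)){if(fs.statSync(d+"/"+e).isDirectory())walk(d+"/"+e);}}\n'
        'const target = "Login Data";\n'
    ),
}

if __name__ == "__main__":
    for finding in triage_package(SAMPLE_PACKAGE):
        print(finding.path, finding.indicators)
```

In a real pipeline the dictionary would be built by reading every `.js` file out of the unpacked tarball, and a file with two or more indicators would block installation pending manual review.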