u/_redasgard

▲ 6 · r/blueteamsec · +1 crosspost

OtterCookie: the JavaScript RAT that turned developer compromise into live surveillance

OtterCookie is not “BeaverTail but again.”

That is the part I think matters.

BeaverTail mostly grabbed saved stuff from a developer machine.

OtterCookie keeps watching the machine after that: Socket.IO / Engine.IO, live victim rosters, clipboard, keystrokes, screenshots, browser data, wallet artifacts, dev secrets.

Less “dump the box once.” More “sit on the box while the dev keeps working.”

The annoying detection problem:

developer workstations are already garbage fires.

Node tooling, random high ports, local services, package installs, Vercel/npm traffic, Socket.IO noise. A lot of this looks dumb but normal.

So where is the line?

What would make you look at outbound Socket.IO / Engine.IO from a dev workstation and say: yeah, this is not normal Node nonsense anymore?

No creds / victim names / live paths / exploit steps in the write-up.

redasgard.com
u/_redasgard — 5 days ago
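One way to draw the line the post asks about, as an added example that is not part of the original post or the write-up it links to: score each outbound Engine.IO/Socket.IO session on things that ordinary Node tooling rarely combines, rather than on the protocol itself. The fields, thresholds, allowlist and project roots below are assumptions for the example, and the telemetry records are constructed, not real. It assumes you have endpoint or proxy visibility that joins the HTTP request path to the process (plain network capture will not see the path inside TLS), and it keys sessions on process and destination because the Engine.IO `sid` lives in the response body and is not always logged.

```python
"""Heuristic triage of outbound Engine.IO/Socket.IO sessions from developer workstations.

Added example (not from the original post). Field names, thresholds, the destination
allowlist and the project roots are assumptions; SAMPLE_LOG is constructed test data.
"""
import json
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# The Socket.IO client defaults to the /socket.io/ path; Engine.IO transports are
# "polling" (the HTTP long-poll handshake) and "websocket" (after upgrade).
ENGINE_IO_RE = re.compile(r"^/socket\.io/\?(?=.*\bEIO=\d)(?=.*\btransport=(?:polling|websocket)\b)")
SCRIPT_RE = re.compile(r"\S+\.(?:js|mjs|cjs)\b")

# Assumptions: destinations and local networks that count as normal dev traffic.
ALLOWED_DST = {"localhost", "dev.internal.example"}
LOCAL_NETS = [ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: where long-lived Node scripts are expected to live on this fleet.
PROJECT_ROOTS = ("/home/dev/src/", "/Users/dev/src/", "C:\\src\\")
# Assumed thresholds: a session this long, or this upload-heavy, is unusual for dev tooling.
LONG_SESSION_SECS = 2 * 3600
UPLOAD_RATIO = 3.0
MIN_SCORE = 2  # "external destination" alone is never enough to flag

# Constructed telemetry: one benign local dev server, one short balanced external
# session, one long upload-heavy session from a script in a temp dir, one npm fetch.
SAMPLE_LOG = """
{"ts":"2024-05-01T09:00:00+00:00","host":"dev-ws-01","pid":4101,"cmdline":"node /home/dev/src/app/server.js","dst":"127.0.0.1","dst_port":3000,"path":"/socket.io/?EIO=4&transport=polling&t=OaBc1","bytes_out":420,"bytes_in":1380}
{"ts":"2024-05-01T09:00:02+00:00","host":"dev-ws-01","pid":4101,"cmdline":"node /home/dev/src/app/server.js","dst":"127.0.0.1","dst_port":3000,"path":"/socket.io/?EIO=4&transport=websocket","bytes_out":52000,"bytes_in":61000}
{"ts":"2024-05-01T09:05:00+00:00","host":"dev-ws-01","pid":4210,"cmdline":"node /home/dev/src/app/client.js","dst":"198.51.100.7","dst_port":443,"path":"/socket.io/?EIO=4&transport=polling&t=OaBd9","bytes_out":600,"bytes_in":900}
{"ts":"2024-05-01T09:20:00+00:00","host":"dev-ws-01","pid":4210,"cmdline":"node /home/dev/src/app/client.js","dst":"198.51.100.7","dst_port":443,"path":"/socket.io/?EIO=4&transport=websocket","bytes_out":30000,"bytes_in":45000}
{"ts":"2024-05-01T09:30:00+00:00","host":"dev-ws-01","pid":4377,"cmdline":"node /tmp/.cache/_npx/9f1/node_modules/example-pkg/index.js","dst":"203.0.113.10","dst_port":443,"path":"/socket.io/?EIO=4&transport=polling&t=OaBf2","bytes_out":480,"bytes_in":210}
{"ts":"2024-05-01T09:30:01+00:00","host":"dev-ws-01","pid":4377,"cmdline":"node /tmp/.cache/_npx/9f1/node_modules/example-pkg/index.js","dst":"203.0.113.10","dst_port":443,"path":"/socket.io/?EIO=4&transport=websocket","bytes_out":2100000,"bytes_in":18000}
{"ts":"2024-05-01T14:45:00+00:00","host":"dev-ws-01","pid":4377,"cmdline":"node /tmp/.cache/_npx/9f1/node_modules/example-pkg/index.js","dst":"203.0.113.10","dst_port":443,"path":"/socket.io/?EIO=4&transport=websocket","bytes_out":3400000,"bytes_in":21000}
{"ts":"2024-05-01T10:00:00+00:00","host":"dev-ws-01","pid":5002,"cmdline":"node /home/dev/src/app/build.js","dst":"registry.npmjs.org","dst_port":443,"path":"/example-pkg","bytes_out":300,"bytes_in":250000}
"""


def is_engine_io(path):
    """True for Engine.IO handshake/transport requests on the default Socket.IO path.
    Caveat: a websocket-only client never sends the polling handshake, so this relies
    on the upgrade request path being logged too."""
    return ENGINE_IO_RE.match(path) is not None


def is_expected_destination(dst):
    """Loopback, RFC1918 and the assumed allowlist are treated as normal dev traffic."""
    if dst in ALLOWED_DST:
        return True
    try:
        addr = ip_address(dst)
    except ValueError:          # hostname, not an IP literal
        return False
    return any(addr in net for net in LOCAL_NETS)


def script_outside_project_roots(cmdline):
    """True when the Node script being run is not under an assumed project root
    (temp dirs, package caches and the like are where dropped loaders tend to live)."""
    m = SCRIPT_RE.search(cmdline)
    return bool(m) and not m.group(0).startswith(PROJECT_ROOTS)


def triage(log_text):
    """Group Engine.IO records per (host, pid, destination), score each session on
    persistence, upload ratio and script provenance, and return flagged sessions."""
    sessions = defaultdict(list)
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if not is_engine_io(rec["path"]) or is_expected_destination(rec["dst"]):
            continue
        sessions[(rec["host"], rec["pid"], rec["dst"], rec["dst_port"])].append(rec)

    findings = []
    for (host, pid, dst, port), recs in sessions.items():
        times = [datetime.fromisoformat(r["ts"]) for r in recs]
        duration = (max(times) - min(times)).total_seconds()
        out = sum(r["bytes_out"] for r in recs)
        inn = sum(r["bytes_in"] for r in recs)
        reasons = ["engine.io session to non-allowlisted external destination"]
        if duration >= LONG_SESSION_SECS:
            reasons.append(f"session persisted {duration / 3600:.1f}h")
        if out > 0 and out >= UPLOAD_RATIO * inn:   # surveillance traffic is upload-heavy
            reasons.append(f"upload-heavy ({out}B out vs {inn}B in)")
        if script_outside_project_roots(recs[0]["cmdline"]):
            reasons.append("node script outside assumed project roots")
        if len(reasons) >= MIN_SCORE:
            findings.append({"host": host, "pid": pid, "dst": f"{dst}:{port}",
                             "score": len(reasons), "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(json.dumps(finding))
```

On the constructed data only the pid 4377 session is flagged (score 4: external destination, persisted over five hours, roughly 140:1 upload ratio, script under /tmp); the short, balanced session to 198.51.100.7 scores 1 and stays below the threshold. The design choice is that no single feature is the line: Socket.IO to an external host is normal, a long session is normal, Node running from a cache dir is normal, but the conjunction is what a live-surveillance implant looks like and what dev tooling rarely produces. Tune the ratio and duration against your own fleet's baseline before relying on them.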

Developer credential-stealing pipeline also collected operator workstations

I’m working through a public-safe narrative write-up from a larger investigation into fake-interview developer compromise campaigns.

The finding I think is worth discussing:

Five machines in the victim dataset were not normal victims. They appeared to be operator or campaign-side workstations.

The pattern matters because the exfiltration pipeline did not classify trust boundaries before collection. If a machine touched the toolchain, it was processed like any other compromised developer endpoint.

That creates a strange defensive lesson: indiscriminate collection can expose the operators themselves.

High-level takeaways:

  1. Developer workstations should be treated as supply-chain infrastructure.

  2. Malware testing and campaign staging can create operator-side exposure.

  3. Large credential pipelines create internal data-spillage risk for the attackers too.

  4. Attribution should stay cautious when infrastructure, tooling, contractors, and operators are not the same thing.

I intentionally removed victim identifiers, live endpoints, credentials, access mechanics, and reusable exploitation details.

Question for defenders:

How would you distinguish operator self-infection from ordinary victim compromise in a large credential-exfiltration dataset without overclaiming?

reddit.com
u/_redasgard — 6 days ago