OTTERCOOKIE Malware Hides in SVG Files in Fake Coding Tests

Brendan Smith
Brendan Smith - Cybersecurity Analyst
5 Min Read
OTTERCOOKIE payload hidden inside SVG flag files in a fake coding test.
SVG flag files conceal fragments that assemble the OTTERCOOKIE payload when the project starts.

A fake developer coding test can look functional while its SVG flag files quietly store pieces of OTTERCOOKIE malware. Elastic Security Labs documented the REF9403 campaign after a developer received a supposed job opportunity through Slack. The repository ran as expected, but npm run dev also loaded serverValidation.js, reconstructed Base64 fragments hidden in assets/flags/*.svg, and executed them in memory [1].

The important distinction is that merely viewing one of the SVG images is not the observed trigger. The malicious chain starts when the target installs dependencies and launches the project. That makes this campaign more convincing than a broken sample: the coding exercise can work well enough to lower suspicion.

How OTTERCOOKIE hides inside SVG files

The repository contains ordinary country-flag images. In their source, HTML comments hold encoded payload fragments. The loader enumerates the SVG files, sorts them, extracts the comments, joins the fragments, decodes the result, and passes it to eval. An image preview therefore looks harmless even though a source or hex view exposes the concealed data.

AE.svg flag file with a Base64 fragment hidden inside an HTML comment.
An SVG flag renders normally while its source contains an encoded payload fragment. Source: Elastic Security Labs.

This is steganography used for delivery rather than a browser exploit. The attacker relies on a developer trusting a repository and running its startup command. Microsoft has separately described the broader Contagious Interview operation, where North Korean-linked actors pose as recruiters and send developers malicious projects or troubleshooting tasks [2].

What runs after npm run dev

Elastic grouped the JavaScript into four capabilities. One steals browser credentials and extension databases associated with cryptocurrency wallets. Another searches for documents and secrets, including .env, .ssh, .aws, and .azure. A Socket.IO component provides remote-access functions, while a fourth module monitors the clipboard and can fetch a Windows payload.

The process may rename itself to npm-cache to blend into a development system. Observed infrastructure included rightwidth[.]dev and the ldb, upload, controller, and file subdomains. Windows downloads used service-like names such as hostService.exe, printSvc.exe, and dhcpSvc.exe. The reporting team could not recover those second-stage files from the unavailable server, so their exact function remains unconfirmed.

Diagram of fake coding-test delivery and OTTERCOOKIE stealing modules.
The observed chain moves from a fake job post to a coding challenge and four OTTERCOOKIE modules. Source: Elastic Security Labs.

What to check after running a suspicious coding test

  1. Disconnect the system from the network. Do not keep testing the repository or contact its domains from the suspected host.
  2. Preserve the repository and logs. Record the recruiter account, repository URL, commit hash, terminal history, Node processes, PowerShell activity, and network connections before cleanup.
  3. Inspect startup code and SVG sources. Search for serverValidation.js, assets/flags, long Base64 comments, dynamic eval, rightwidth.dev, and a process title of npm-cache.
  4. Assume credentials and sessions are exposed. From a separate clean device, revoke browser sessions, rotate passwords and developer tokens, replace cloud keys, and review wallet activity. Our password-stealer response guide explains the order.
  5. Check the whole host. Security software may stop a visible Node or PowerShell process while missing a stolen session, an earlier RAT connection, or a second-stage executable. Scan for remaining artifacts and persistence, then use the broader fake job interview malware cleanup checklist.

If high-value credentials, wallet material, signing keys, or production access were present, the safest recovery may be a clean Windows reinstall from trusted media. Scanning is useful for locating artifacts; it cannot reverse credential theft or prove that cloud and browser sessions were not copied.

How developers can reduce the risk

Open unfamiliar assignments in a disposable virtual machine without personal browser profiles, SSH agents, cloud CLIs, password managers, or wallet extensions. Review package.json scripts and server entry points before installing dependencies. A working interface is not evidence that the repository is safe, and an SVG file deserves source inspection when project code programmatically reads it.

References

  1. Elastic Security Labs — Contagious Interview malware uses SVG steganography, July 2026.
  2. Microsoft Threat Intelligence — Contagious Interview malware delivered through fake developer job interviews, March 11, 2026.
Share This Article
Cybersecurity Analyst
Follow:
Brendan Smith has spent over 15 years knee-deep in cybersecurity, chasing down malware from the gritty reverse-engineering of old-school trojans all the way to wrangling full-blown incident responses for small-to-medium businesses that couldn’t afford a full-blown breach. Over at Gridinsoft, he’s the guy piecing together those double-checked guides on nasty stuff like AsyncRAT ransomware—take last year, for instance, when his breakdowns caught more than 200 sneaky variants right in live scans, knocking user cleanup jobs down by a solid 40% and saving folks hours of headache.
Leave a Comment

AI Assistant

Hello! 👋 How can I help you today?