Cross-Platform NPM Stealer

2026-05-22 Dshield

https://dshield.org/diary/CrossPlatform+NPM+Stealer/33006/


SANS ISC analyzes an obfuscated Node.js stealer uploaded as `extracted-decoded.js`, with a heavily obfuscated execution wrapper but plain-text embedded payload modules. The malware targets Windows through WSL, macOS, and Linux, stealing Chromium-family browser credentials, cryptocurrency wallet extension data, and sensitive files such as private keys, seed phrases, tokens, documents, configuration files, SSH keys, and source-code artifacts. Its modules exfiltrate browser and wallet data to `216.126.225.243:8085`, upload sensitive files to port 8086, and establish WebSocket reverse-shell capability on port 8087 after notifying `/api/notify` with host metadata. The report notes that `216.126.225.243` is a known DPRK OtterCookie C2, connecting the cross-platform NPM-style stealer to DPRK-linked developer and credential-theft activity.

Indicators of Compromise

Type   Value                               First Seen   Last Seen
URL    http://216.126.225.243:8086/upl…    2026-05-22   2026-05-22
URL    http://216.126.225.243:8087/api…    2026-05-22   2026-05-22
IPv4   216.126.225.243                     2026-05-22   2026-05-22
HASH   6b1cdb94f77cf51e0f2ca52d3549d404    2026-05-22   2026-05-22
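The summary above maps each of the three C2 ports to a stage of the stealer (8085 browser and wallet exfiltration, 8086 file upload, 8087 notify plus WebSocket reverse shell), and the table lists the indicators. As an added example, not code from the ISC diary, the script below turns those published values into a simple retrospective check: it scans proxy-style log lines for connections to the C2 address, labels each hit with the stage the port implies, and compares file hashes against the published MD5. The log format and the log lines themselves are constructed for the example; the only values taken from the page are the IP, the ports and the hash.

```python
"""Match the diary's published IoCs against proxy logs and file hashes.

Added example, not part of the ISC diary. The IP, ports and MD5 come from
the diary; the log format and sample lines are constructed.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators from the diary's IoC table and summary.
C2_IP = "216.126.225.243"
C2_PORT_STAGE = {
    8085: "browser/wallet credential exfiltration",
    8086: "sensitive-file upload",
    8087: "host notify (/api/notify) and WebSocket reverse shell",
}
PAYLOAD_MD5 = "6b1cdb94f77cf51e0f2ca52d3549d404"

# Constructed sample log (not real traffic):
# timestamp client-ip method url status
SAMPLE_LOGS = """\
2026-05-22T10:01:03Z 10.0.0.14 GET http://example.com/index.html 200
2026-05-22T10:02:11Z 10.0.0.14 POST http://216.126.225.243:8087/api/notify 200
2026-05-22T10:02:12Z 10.0.0.14 POST http://216.126.225.243:8086/ 200
2026-05-22T10:02:40Z 10.0.0.22 POST http://216.126.225.243:8085/ 200
2026-05-22T10:03:00Z 10.0.0.22 GET http://216.126.225.243/ 200
2026-05-22T10:04:00Z 10.0.0.31 GET https://registry.npmjs.org/ 200
"""


@dataclass(frozen=True)
class Hit:
    line_no: int
    client: str
    port: Optional[int]
    stage: str


LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)
# Pull host and optional port out of an http(s)/ws(s) URL.
HOSTPORT_RE = re.compile(r"^(?:https?|wss?)://(?P<host>[^/:]+)(?::(?P<port>\d+))?")


def scan_log(text: str) -> List[Hit]:
    """Return one Hit per log line whose destination host is the C2 address.

    The port decides the stage label; a connection to the address on any other
    port is still reported, because the address itself is the indicator.
    """
    hits: List[Hit] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # constructed format only; unknown lines are skipped
        hp = HOSTPORT_RE.match(m["url"])
        if not hp or hp["host"] != C2_IP:
            continue
        port = int(hp["port"]) if hp["port"] else None
        stage = C2_PORT_STAGE.get(port, "C2 address on an unlisted port")
        hits.append(Hit(line_no, m["client"], port, stage))
    return hits


def affected_hosts(hits: List[Hit]) -> List[str]:
    """Distinct internal clients that contacted the C2, for triage."""
    return sorted({h.client for h in hits})


def matches_payload_hash(md5_hex: str) -> bool:
    """Case-insensitive comparison against the published MD5."""
    return md5_hex.strip().lower() == PAYLOAD_MD5


def file_is_known_payload(data: bytes) -> bool:
    """Hash file contents and compare against the published MD5."""
    return matches_payload_hash(hashlib.md5(data).hexdigest())


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.client} -> port {hit.port}: {hit.stage}")
    print("affected hosts:", affected_hosts(scan_log(SAMPLE_LOGS)))
```

Matching on the bare address as well as the three ports is deliberate: the diary identifies `216.126.225.243` as a known OtterCookie C2, so any contact with it is worth a look even if the port does not line up with one of the documented modules.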
