Hunting Lazarus Part VIII: OtterCookie

2026-05-16 Red Asgard

https://redasgard.com/blog/hunting-lazarus-part8-ottercookie

Red Asgard identifies OtterCookie as a separate JavaScript and Node.js RAT operating alongside BeaverTail and InvisibleFerret in Lazarus-linked Contagious Interview activity. Unlike BeaverTail’s stored-data theft model, OtterCookie uses Socket.IO over Engine.IO v4 to maintain live victim sessions, broadcast connected developer workstations on a timer, and support continuous surveillance. The collection profile includes clipboard monitoring, keystrokes, screenshots, browser secrets, wallet artifacts, `.env` files, SSH material, cloud credentials, and source-control tokens from active developer machines. The report also notes npm and Vercel delivery, public reporting of roughly 197 malicious packages, and campaign batch identifiers that should not be mistaken for hardware fingerprints.
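
Because OtterCookie keeps a live Socket.IO session rather than exfiltrating once, its traffic looks like timer-driven Engine.IO polling or websocket requests to one host. The following detection is an added example, not code from the Red Asgard report: it groups Engine.IO v4 requests (assumed to carry the standard `EIO=4` query parameter) in a constructed proxy log format, flags destinations matching the IoCs in the table below, and marks sessions whose request spacing is regular enough to look like a beacon timer.

```python
# Added example (not from the Red Asgard report): flag Engine.IO v4 / Socket.IO
# sessions in web-proxy logs and match destinations against the page's IoCs.
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines in an assumed format:
# "<ISO time> <src_ip> <dst_ip> <host> <method> <path>"
SAMPLE_LOG = """\
2026-03-01T09:00:00 10.0.0.15 195.201.104.53 195.201.104.53 GET /socket.io/?EIO=4&transport=polling&t=1
2026-03-01T09:00:30 10.0.0.15 195.201.104.53 195.201.104.53 GET /socket.io/?EIO=4&transport=websocket&sid=a1
2026-03-01T09:01:00 10.0.0.15 195.201.104.53 195.201.104.53 POST /socket.io/?EIO=4&transport=polling&sid=a1
2026-03-01T09:01:30 10.0.0.15 195.201.104.53 195.201.104.53 POST /socket.io/?EIO=4&transport=polling&sid=a1
2026-03-01T09:00:05 10.0.0.22 93.184.216.34 example.org GET /index.html
2026-03-01T09:02:11 10.0.0.22 93.184.216.34 example.org GET /socket.io/?EIO=4&transport=polling&t=9
"""

# IoCs taken from the page's indicator table.
IOC_IPS = {"195.201.104.53"}
IOC_DOMAINS = {"tetrismic.vercel.app"}

# Engine.IO v4 handshake and poll requests carry EIO=4 in the query string
# (assumed here; adjust if the client uses a custom path).
ENGINEIO_V4 = re.compile(r"/socket\.io/\?(?:.*&)?EIO=4(?:&|$)")

def parse_line(line):
    ts, src, dst, host, method, path = line.split(maxsplit=5)
    return datetime.fromisoformat(ts), src, dst, host, path

def find_socketio_sessions(log_text, min_hits=3, max_jitter_s=5.0):
    """Group EIO=4 requests per (src, dst, host); report IoC hits and timer-like beacons."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, host, path = parse_line(line)
        if ENGINEIO_V4.search(path):
            sessions[(src, dst, host)].append(ts)
    findings = []
    for (src, dst, host), times in sessions.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # A real beacon timer shows near-constant spacing; require enough samples first.
        periodic = len(times) >= min_hits and pstdev(gaps) <= max_jitter_s
        findings.append({
            "src": src, "dst": dst, "host": host, "hits": len(times),
            "ioc_match": dst in IOC_IPS or host in IOC_DOMAINS,
            "periodic": periodic,
            "mean_gap_s": mean(gaps) if gaps else None,
        })
    return findings
```

A session that is both periodic and pointed at an unknown host deserves a look even without an IoC match, since the indicators on this page are only a snapshot of the infrastructure.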

Indicators of Compromise

Type    Value                  First Seen   Last Seen
IPv4    195.201.104.53         2026-02-28   2026-04-22
DOMAIN  tetrismic.vercel.app   2025-11-26   2025-11-26
