North Korean threat actors are targeting AI coding tools. Not theoretically. Right now.

A trojanized npm campaign called OtterCookie is explicitly scanning for .cursor, .claude, .gemini, .windsurf, and .pearai directories on developer machines. The goal: steal your API keys, conversations with LLMs, and source code.

This is not a hypothetical threat model. This is active malware with nation-state backing.

What happened

The Contagious Interview campaign, attributed to DPRK threat actors (Lazarus Group), published 197 malicious npm packages. Over 31,000 downloads. Package names designed to look legitimate: gemini-ai-checker, express-flowlimit, chai-extensions-extras, and others mimicking popular libraries.

The delivery mechanism: fake job interviews and coding test assignments. A developer gets a "take-home project" that requires npm install. One of the dependencies is backdoored.…
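
A defender-side check for the packages named above, as an added example that is not part of the original post: it walks a parsed package-lock.json (both the flat and the nested layout) and reports where a listed name is installed, including as a transitive dependency. The function name and the sample lockfile are constructed for illustration, and the name list holds only the three packages this post names.

```javascript
// Added example, not from the original post. Package names are the three
// named in the article; the campaign published 197, so this list is partial.
const KNOWN_BAD = new Set([
  "gemini-ai-checker",
  "express-flowlimit",
  "chai-extensions-extras",
]);

// Return every place a listed package appears in a parsed package-lock.json,
// including transitive and nested dependencies.
function findFlaggedPackages(lock, badNames = KNOWN_BAD) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // "" is the root project, others are workspaces
    const name = meta.name || path.slice(idx + "node_modules/".length);
    if (badNames.has(name)) hits.push({ name, version: meta.version, path });
  }
  // lockfileVersion 1: nested "dependencies" tree, walked recursively.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (badNames.has(name) && !hits.some((h) => h.path === path)) {
        hits.push({ name, version: meta.version, path });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (not real data): one listed package pulled in
// transitively under a harmless-looking top-level dependency.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "take-home-project", version: "1.0.0" },
    "node_modules/express": { version: "4.19.2" },
    "node_modules/demo-utils": { version: "0.1.0" },
    "node_modules/demo-utils/node_modules/express-flowlimit": { version: "1.0.3" },
  },
};

console.log(findFlaggedPackages(sampleLock));
```

To check a real project, pass it `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and review any hit before running an install in that directory.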