The Socket research team has detected a new wave of attacks by the North Korean hacker group Lazarus. In this campaign, attackers have deployed six malicious npm packages designed to compromise development environments, steal credentials, and exfiltrate cryptocurrency assets.
Researchers identified that these npm packages contain the BeaverTail malware, previously associated with Lazarus Group.
Trusted Library Spoofing and Attack Strategy
Reports indicate that the malicious npm packages used typosquatting — a technique where attackers create similarly named libraries to mislead developers into downloading compromised versions. The identified packages include:
- is-buffer-validator — 52 downloads, published by "edan0831" on npm, linked to a GitHub account.
- yoojae-validator — 55 downloads, uploaded by "hottblaze," with a related GitHub repository.
- event-handle-package — 54 downloads, published by "ricardoalexis07," without an associated GitHub repository.
- array-empty-validator — 59 downloads, authored by "alextucker0519," hosted on GitHub.
- react-event-dependency — 57 downloads, uploaded by "elondavid," with a linked GitHub repository.
- auth-validator — 54 downloads, uploaded by "kevin_tr." The GitHub repository has been deleted, but was associated with the "kevin-tra" account.
Researchers at Socket emphasized that each package mimicked well-known and trusted npm libraries. For example, is-buffer-validator closely resembles the legitimate is-buffer package, which has been maintained for over a decade.
How the Malware Works
Socket’s experts found that the malicious npm packages used advanced obfuscation techniques, including self-executing functions and dynamic constructors. The goal was to hide the malware’s true functionality while maintaining long-term persistence in compromised systems.
The malware performs the following actions:
- Collects system environment information (host name, OS details, system directories).
- Extracts browser data from Chrome, Brave, and Firefox.
- Steals confidential data, including id.json files from Solana wallets and exodus.wallet files from Exodus wallets.
- Exports stolen data to a Lazarus-controlled command and control (C2) server at hxxp://172.86.84[.]38:1224/uploads.
Additionally, a second-stage payload was identified — a malicious component named "InvisibleFerret", designed for further system compromise. This element was delivered as p.zip or p2.zip, unpacked using tar -xf, and executed to maintain persistence on the infected system.
Threat Analysis and Potential Consequences
Socket researchers emphasized that Lazarus' attack methods align with previously documented operations. The malicious npm packages specifically target development environments, posing risks such as:
- Data breaches affecting developers and crypto users.
- Theft of digital assets, particularly cryptocurrency stored in Solana and Exodus wallets.
- Supply chain compromises, where infected libraries could propagate through multiple projects, endangering thousands of users.
The researchers also noted that Lazarus increasingly exploits software supply chains, embedding malicious dependencies into commonly used open-source projects. If these packages were integrated into live applications, end-users would be at risk of security breaches.
Security Recommendations
To mitigate risks, Socket urges developers and organizations to take the following precautions:
- Audit dependencies before installation to detect potential vulnerabilities.
- Use automated monitoring tools to track suspicious package updates.
- Verify dependency changes, especially for lesser-known libraries.
- Restrict network access to suspicious nodes and command-and-control servers (C2).
- Check package signatures and origins before integrating them into projects.
- Leverage tools like Socket AI Scanner to identify malware in npm libraries proactively.
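As an added example (not code from the Socket report or from npm), the following Node.js script applies the first recommendation above to the typosquatting pattern described earlier: it flags the six package names the article lists and any dependency that looks like a misspelling or extension of a trusted package name. The TRUSTED list and the sample manifest are constructed for the demonstration.

```javascript
// Added example, not code from the Socket report: triage a package.json for the
// six names the report lists and for lookalikes of trusted packages.
// Malicious names are from the article; TRUSTED and SAMPLE_MANIFEST are constructed.
const KNOWN_MALICIOUS = new Set([
  "is-buffer-validator", "yoojae-validator", "event-handle-package",
  "array-empty-validator", "react-event-dependency", "auth-validator",
]);
const TRUSTED = ["is-buffer", "lodash", "validator", "express"]; // constructed list
// Levenshtein edit distance, to catch one- or two-character misspellings.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const subst = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + subst);
    }
  }
  return d[a.length][b.length];
}
// The trusted name that `name` imitates, or null. Mirrors the article's example
// (is-buffer-validator vs is-buffer): extra hyphenated segment, or within two edits.
function lookalikeOf(name) {
  if (TRUSTED.includes(name)) return null;
  for (const t of TRUSTED) {
    if (name.startsWith(t + "-") || name.endsWith("-" + t)) return t;
    if (editDistance(name, t) <= 2) return t;
  }
  return null;
}
// Walks dependencies and devDependencies; a lookalike hit is a triage signal, not proof.
function auditDependencies(manifest) {
  const deps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (KNOWN_MALICIOUS.has(name)) findings.push({ name, verdict: "known-malicious" });
    else {
      const resembles = lookalikeOf(name);
      if (resembles) findings.push({ name, verdict: "lookalike", resembles });
    }
  }
  return findings;
}
// Constructed sample manifest: one legitimate, one known-bad, one misspelling.
const SAMPLE_MANIFEST = {
  dependencies: { "is-buffer": "^2.0.5", "is-buffer-validator": "^1.0.0", express: "^4.19.2" },
  devDependencies: { "is-bufer": "^1.0.0" },
};
console.log(auditDependencies(SAMPLE_MANIFEST));
```

Lookalike findings need a human check of the publisher and linked repository, as the article's per-package notes illustrate; exact matches against the listed names should block installation outright.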
The Socket team has reported the malicious npm packages and associated GitHub accounts to npm and GitHub, urging their immediate removal. Meanwhile, researchers continue to monitor Lazarus' activities and anticipate further attacks targeting the software supply chain.
The full Socket security report is available via the link.