    Lazarus infects hundreds software developers, targeting Solana and Exodus crypto wallets

    By James Wilson, March 12, 2025



    A new Lazarus campaign is spreading through npm packages, using BeaverTail malware to steal credentials, exfiltrate cryptocurrency data, and deploy a persistent backdoor.

    North Korea's Lazarus Group has planted six malicious packages in npm, targeting developers and cryptocurrency users, new research by the Socket Research Team reveals.

    According to their findings, the malicious packages, downloaded over 300 times, are designed to steal login credentials, deploy backdoors, and extract sensitive data from Solana-related cryptocurrency wallets or Exodus. The malware specifically targets browser profiles, scanning files from Chrome, Brave, and Firefox, as well as keychain data on macOS.

    The identified packages — is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator — use typosquatting, tricking developers with misspelled names into installing them.

    “The stolen data is then exfiltrated to a hardcoded C2 server at hxxp://172.86.84[.]38:1224/uploads, following Lazarus’s well-documented strategy of harvesting and transmitting compromised information.”

    Kirill Boychenko, threat intelligence analyst at Socket Security

    Lazarus has previously used supply chain attacks through npm, GitHub, and PyPI to infiltrate networks, contributing to major hacks like the $1.5 billion Bybit exchange heist. The group’s tactics align with past campaigns leveraging multi-stage payloads to maintain long-term access, the cybersecurity experts note.

    In late February, North Korean hackers targeted Bybit, one of the largest cryptocurrency exchanges, stealing around $1.46 billion worth of crypto in a highly sophisticated heist. The attack was reportedly carried out by compromising the computer of an employee at Safe, Bybit’s technology provider. Less than two weeks after the breach, Bybit’s CEO Ben Zhou stated that around 20% of the stolen funds had become untraceable, due to the hackers’ use of mixing services.
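
A defender-side check for the six package names listed above, added here as an example (it is not code from the article or from Socket). It scans a parsed package-lock.json, covering both the flat `packages` map and the nested `dependencies` tree, so transitive installs are found as well; the sample lockfile and the names `demo-app` and `left-helper` are constructed.

```javascript
// Added example. The six names come from the article; matching is exact.
const FLAGGED = new Set([
  "is-buffer-validator", "yoojae-validator", "event-handle-package",
  "array-empty-validator", "react-event-dependency", "auth-validator",
]);

// Return [{name, version, path}] for every flagged package in a parsed
// package-lock.json, including transitive (nested) dependencies.
function findFlagged(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Aliased installs carry the real name in meta.name.
    const name = meta.name || path.split("node_modules/").pop();
    if (FLAGGED.has(name)) hits.push({ name, version: meta.version, path });
  }
  // lockfileVersion 1 (and the v2 compatibility copy): nested tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      // Skip entries already reported from the "packages" map.
      if (FLAGGED.has(name) && !hits.some((h) => h.path === path)) {
        hits.push({ name, version: meta.version, path });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (v3 layout) with one flagged transitive install.
const sample = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/is-buffer": { version: "2.0.5" }, // not on the list
    "node_modules/left-helper": { version: "0.1.0" },
    "node_modules/left-helper/node_modules/is-buffer-validator": { version: "1.0.0" },
  },
};

for (const h of findFlagged(sample)) {
  console.log(`FLAGGED ${h.name}@${h.version} at ${h.path}`);
}
```

To check a real project, pass `findFlagged` the result of `JSON.parse` on its package-lock.json; any hit means the package was resolved for install and the host should be treated as potentially compromised.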


