
The North Korean Lazarus Group, which recently stole $1.5 billion from the crypto exchange Bybit, is targeting developers via npm, the package registry for JavaScript.
The hackers use six malicious packages designed to compromise developer environments, steal credentials, extract cryptocurrency data, and deploy a backdoor, Socket claims in its latest research.
The packages, which have already been downloaded over 300 times, closely mimic legitimate and widely trusted libraries, employing well-known typosquatting tactics.
For example, the is-buffer-validator package resembles the legitimate is-buffer module, making it easy for developers to install the malicious package by mistake.
When examining malicious packages hosted on GitHub, the researchers found many similarities with previous Lazarus campaigns.
Among them are the same obfuscation techniques and tooling, command and control mechanisms that follow the same pattern, and the deployment of the BeaverTail infostealer.
According to Socket, the code deployed in npm libraries is designed to collect system environment details, including the hostname, operating system, and system directories.
“North Korean Lazarus hackers infect hundreds via npm packages.” https://t.co/AYvcSial8h
Cyber Advising (@cyber_advising), March 12, 2025
“It systematically iterates through browser profiles to locate and extract sensitive files such as Login Data from Chrome, Brave, and Firefox, as well as keychain archives on macOS. Notably, the malware also targets cryptocurrency wallets, specifically extracting id.json from Solana and exodus.wallet from Exodus,” Socket’s report reads.
The researchers found a script that downloads additional malicious components, such as the InvisibleFerret backdoor.
The script’s objectives go beyond credential theft, Socket notes. It seeks to embed itself within development workflows and ensure continued compromise, even if one stage is detected and removed.
To avoid being infected with this or similar malware, organizations should implement a multi-layered approach to detection and defense, review code, and use automated dependency auditing.
“Continuous monitoring of unusual dependency changes can expose malicious updates while blocking outbound connections to known C2 endpoints prevents data exfiltration. Sandboxing untrusted code in controlled environments and deploying endpoint protection can detect suspicious file system or network activities,” Socket’s researchers advise.
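One way to put the dependency-auditing advice above into practice, as an added example (not code from Socket or from the article): a Node script that flags dependency names resembling trusted packages, the way is-buffer-validator mimics is-buffer, and lists dependencies newly added between two snapshots of a project's dependency map. The trusted list, the sample dependency maps, the affix rule and the edit-distance threshold are assumptions for illustration.

```javascript
// Added example, not from the article or Socket's report. Constructed allowlist of
// packages this (hypothetical) project trusts; a real one would come from policy.
const TRUSTED = new Set(['is-buffer', 'lodash', 'express', 'chalk', 'react']);

// Levenshtein edit distance between two strings (insert, delete, substitute).
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Returns {name, lookalike, reason} for each dependency that is not itself trusted
// but is a trusted name with a hyphenated affix (the is-buffer-validator pattern)
// or within 2 edits of a trusted name. The threshold is an assumption; short
// trusted names raise the false-positive rate, so tune it per project.
function findLookalikes(deps, trusted = TRUSTED) {
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (trusted.has(name)) continue;
    for (const t of trusted) {
      if (name.startsWith(t + '-') || name.endsWith('-' + t)) {
        findings.push({ name, lookalike: t, reason: 'trusted name plus affix' });
        break;
      }
      if (editDistance(name, t) <= 2) {
        findings.push({ name, lookalike: t, reason: 'near-identical name' });
        break;
      }
    }
  }
  return findings;
}

// Dependencies present in `after` but not in `before`: the "unusual dependency
// change" a CI gate should surface for human review before install.
function newDependencies(before, after) {
  return Object.keys(after).filter((n) => !(n in before));
}

// Constructed sample: "dependencies" blocks before and after a suspect commit.
const previous = { 'is-buffer': '2.0.5', express: '4.19.2' };
const current = { 'is-buffer': '2.0.5', express: '4.19.2', 'is-buffer-validator': '1.0.0', lodahs: '4.17.21' };

const report = { added: newDependencies(previous, current), lookalikes: findLookalikes(current) };
console.log(JSON.stringify(report, null, 2));
```

Run it in CI against the dependency map of the pull request versus the base branch; any non-empty `lookalikes` list blocks the merge until a reviewer confirms the package is the intended one.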