A fresh campaign from the Lazarus Group is spreading through npm packages, using the BeaverTail malware to capture credentials, steal cryptocurrency wallet data, and install a persistent backdoor.
The North Korean Lazarus Group has published six malicious packages to npm, specifically aimed at developers and cryptocurrency users, according to recent research from the Socket Research Team.
Their investigation indicates that these harmful packages, which have been downloaded over 300 times, are crafted to gather login credentials, set up backdoors, and siphon off sensitive data from cryptocurrency wallets related to Solana or Exodus. The malware primarily focuses on browser profiles, scanning files from Chrome, Brave, and Firefox and accessing keychain information on macOS.
The identified packages (is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator) rely on typosquatting: their names closely resemble those of legitimate packages, so a developer who mistypes or skims a name installs the malicious package instead.
“The exfiltrated data is then sent to a hardcoded command and control server at hxxp://172.86.84[.]38:1224/uploads, following Lazarus’s established strategy of collecting and transmitting compromised information.”
Kirill Boychenko, threat intelligence analyst
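As an added defensive example (not code from the article, Socket, or any project it describes), the following Python audits an npm package-lock.json for the six package names listed above and flags near-miss names against a small allowlist; the allowlist (TRUSTED) and the sample lockfile are constructed assumptions, not data from the article.

```python
# Package names reported in the article as part of this Lazarus/BeaverTail campaign.
KNOWN_MALICIOUS = {
    "is-buffer-validator", "yoojae-validator", "event-handle-package",
    "array-empty-validator", "react-event-dependency", "auth-validator",
}
# Assumption (not from the article): allowlist of legitimate names your project depends on.
TRUSTED = {"is-buffer", "react", "validator"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss (typosquat) package names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lockfile_packages(lock: dict) -> set:
    """Collect installed names from lockfile v1 ('dependencies') or v2/v3 ('packages')."""
    names = set()
    for path in lock.get("packages", {}):
        if path.startswith("node_modules/"):
            # rsplit keeps scoped names (@scope/pkg) and resolves nested node_modules
            names.add(path.rsplit("node_modules/", 1)[1])
    names.update(lock.get("dependencies", {}).keys())
    return names

def audit(lock: dict, max_distance: int = 1) -> dict:
    """Return {package: reason} for known-malicious names and typosquat candidates."""
    findings = {}
    for name in sorted(lockfile_packages(lock)):
        if name in KNOWN_MALICIOUS:
            findings[name] = "known malicious (Lazarus/BeaverTail campaign)"
        elif name not in TRUSTED:
            for good in TRUSTED:
                if edit_distance(name, good) <= max_distance:
                    findings[name] = f"typosquat candidate for '{good}'"
                    break
    return findings

# Constructed package-lock.json (v3 layout) excerpt for demonstration; not real data.
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "node_modules/react": {"version": "0.0.0"},
    "node_modules/is-buffer-validator": {"version": "0.0.0"},
    "node_modules/is-bufer": {"version": "0.0.0"},
    "node_modules/react/node_modules/loose-envify": {"version": "0.0.0"},
}}

print(audit(SAMPLE_LOCK))
```

Run it against a real lockfile with `audit(json.load(open("package-lock.json")))`; the distance threshold is a heuristic and should be tuned against your own dependency inventory to keep false positives down.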
Lazarus has a history of executing supply chain attacks via npm, GitHub, and PyPI to breach networks, and such attacks have played a part in significant hacks, including the $1.5 billion theft from Bybit. Security researchers note that the group's methods are consistent with its earlier operations, which use multi-stage payloads to maintain prolonged access.
In late February, North Korean hackers successfully targeted Bybit, one of the largest cryptocurrency exchanges, stealing approximately $1.46 billion in a highly sophisticated operation. The breach was allegedly facilitated by compromising a computer belonging to an employee of Safe, Bybit's technology supplier. Less than two weeks after the breach, Bybit's CEO Ben Zhou reported that around 20% of the stolen assets had become untraceable, largely because the hackers had routed them through mixing services.