EddieJayonCrypto

 12 Mar 25

North Korea's Lazarus group has been linked to six new malicious npm packages discovered by The Socket Research Team. The attack aims to deploy backdoors to steal credentials and extract cryptocurrency data, targeting developers who may unknowingly install the packages. While definitive attribution to Lazarus remains challenging, the tactics closely align with the group's known operations. The six identified packages use typosquatting to deceive developers and have been collectively downloaded over 330 times. The Socket Team has petitioned for their removal.

Developer-targeted supply-chain compromise is a familiar Lazarus pattern. The group is the infamous North Korean hacking crew linked to the recent $1.4 billion Bybit hack, the $41 million hack of the crypto casino Stake, the $27 million hack of the crypto exchange CoinEx, and many other incidents across the crypto industry. It was also initially linked to the $235 million hack of the Indian crypto exchange WazirX in July 2024, but last month the Delhi Police's Intelligence Fusion and Strategic Operations (IFSO) division arrested a man from Bengal and seized three laptops in connection with that exploit.

Beyond credential theft, this new round of malware linked to Lazarus can also exfiltrate cryptocurrency data, harvesting sensitive data from Solana and Exodus wallets. It does so by targeting files belonging to the Google Chrome, Brave and Firefox browsers, as well as keychain data on macOS. The intended victims are developers who install the packages without realising what they are.

"Attributing this attack definitively to Lazarus or a sophisticated copycat remains challenging, as absolute attribution is inherently difficult," wrote Kirill Boychenko, threat intelligence analyst at Socket Security, in a blog post. "However, the tactics, techniques, and procedures (TTPs) observed in this npm attack closely align with Lazarus’s known operations, extensively documented by researchers from Unit42, eSentire, DataDog, Phylum, and others since 2022."

The six packages that have been identified are: is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator. They rely on typosquatting: their names are chosen to resemble legitimate packages, so a mistyped or misremembered install command pulls in the malicious package instead. According to Boychenko: "The APT group created and maintained GitHub repositories for five of the malicious packages, lending an appearance of open source legitimacy and increasing the likelihood of the harmful code being integrated into developer workflows." The packages have been collectively downloaded over 330 times and, at the time of publishing, the Socket team had petitioned for their removal and reported the associated GitHub repositories and user accounts.
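A check a developer can run against a project before the next install, as an added example that is neither Socket's tooling nor code from the article: it reads an npm lockfile, flags the six package names Socket reported, and flags any dependency name within a couple of edits of a package the project actually meant to use, which is the misspelling typosquatting counts on. The lockfile and the list of intended packages below are constructed for the example (assumptions, not a real project); the reported names are the six from the article.

```javascript
// Added example (not from the article or from Socket): audit the dependency
// names in an npm lockfile against (1) the six package names reported by
// Socket and (2) near-misses of packages the project meant to install.
// Runs offline against a constructed lockfile embedded below.

const REPORTED_PACKAGES = new Set([
  "is-buffer-validator",
  "yoojae-validator",
  "event-handle-package",
  "array-empty-validator",
  "react-event-dependency",
  "auth-validator",
]);

// Plain edit distance (insert/delete/substitute), single-row implementation.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // value of the previous row at column j-1
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Collect every package name in a lockfile. lockfileVersion 2/3 keys entries
// as "node_modules/<name>" (nested: "node_modules/a/node_modules/<name>");
// lockfileVersion 1 nests them under "dependencies".
function lockfilePackageNames(lock) {
  const names = new Set();
  const marker = "node_modules/";
  for (const key of Object.keys(lock.packages || {})) {
    const idx = key.lastIndexOf(marker);
    if (idx !== -1) names.add(key.slice(idx + marker.length));
  }
  const walk = (deps) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      names.add(name);
      walk(entry.dependencies);
    }
  };
  walk(lock.dependencies);
  return names;
}

// `intended` is the list of packages the project deliberately depends on.
// Anything within `maxDistance` edits of one of them, but not equal to it,
// is reported as a possible typosquat.
function auditLockfile(lock, intended, maxDistance = 2) {
  const findings = [];
  for (const name of lockfilePackageNames(lock)) {
    if (REPORTED_PACKAGES.has(name)) {
      findings.push({ name, reason: "reported-by-socket" });
      continue;
    }
    if (intended.includes(name)) continue;
    for (const target of intended) {
      const d = levenshtein(name, target);
      if (d > 0 && d <= maxDistance) {
        findings.push({ name, reason: `within ${d} edit(s) of ${target}` });
        break;
      }
    }
  }
  return findings;
}

// Constructed lockfile (assumption, not a real project): one clean
// dependency, one of the reported names, and a misspelling of lodash.
const SAMPLE_LOCK = JSON.parse(`{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": { "name": "demo-app" },
    "node_modules/express": { "version": "4.21.0" },
    "node_modules/is-buffer-validator": { "version": "1.0.0" },
    "node_modules/lodahs": { "version": "0.0.1" },
    "node_modules/express/node_modules/debug": { "version": "2.6.9" }
  }
}`);

// Packages this constructed project actually meant to install (assumption).
const INTENDED = ["express", "lodash", "debug"];

console.log(auditLockfile(SAMPLE_LOCK, INTENDED));
```

To run it on a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and INTENDED with the dependency names from package.json. The edit-distance check only catches misspellings of packages you already know about; it will not flag a name built by adding a plausible suffix to a popular package, so the explicit denylist and the registry's own advisories still matter.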

Lazarus has been tied to earlier attacks on developers and software supply chains, and most recently to the Bybit exchange heist, in which around $1.4 billion in Ether was stolen. About 20 percent of those stolen funds have since become untraceable. In a statement, Bybit CEO Ben Zhou said: "77% are still traceable, 20% have gone dark, 3% have been frozen." Boychenko says: "The group's tactics align with past campaigns leveraging multi-stage payloads to maintain long-term access."
