
Lazarus Group targets npm ecosystem with 6 malicious packages


North Korea’s Lazarus Group has launched another infiltration of the npm ecosystem, publishing six new malicious packages (is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator) aimed at compromising developer environments, stealing saved credentials, and draining cryptocurrency wallets.

These packages, collectively downloaded over 330 times, were also linked to GitHub repositories maintained by the attackers to lend credibility to their harmful code. The threat actors behind this campaign followed a well-established pattern of deception, leveraging social engineering and open-source legitimacy to increase their reach within the developer community.

The malicious code embedded in these packages uses layered obfuscation to hide what it does: self-invoking functions, dynamic function constructors (code assembled from strings at runtime), and array shifting (rotating a string-lookup table so that the real strings and the indices into them only resolve when the script runs).
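To make the three idioms concrete, the following is an added example and is not code from the Socket report or from the malicious packages. It builds a constructed, harmless sample with a self-invoking function, a `new Function` constructor and a shift/push rotation of a lookup array, and pairs it with a regex-based triage scan that counts those indicators. The regexes, the `suspicious` rule and the sample are this example's own assumptions, not Socket's detection logic.

```javascript
// Added example, not code from the Socket report or the malicious packages.
// A benign sample built from the three obfuscation idioms the article names,
// plus a regex triage scan for them. All patterns below are assumptions.

// Constructed sample. The real string is split across a lookup array that is
// rotated at runtime with shift/push inside a self-invoking function, and the
// final lookup is assembled from a string by the Function constructor, so a
// static reader sees neither the string nor the indices that resolve it.
const OBFUSCATED_SAMPLE = `
(function () {
  var a = ['pad', 'hel', 'lo', 'junk'];
  (function (arr, n) { while (n--) { arr.push(arr.shift()); } })(a, 1);
  var f = new Function('a', 'return a[0] + a[1]');
  return f(a);
})();
`;

// The rotation loop written out on its own, so a lookup table can be resolved
// without executing the sample: n left rotations of the array.
function rotateLeft(arr, n) {
  const out = arr.slice();
  for (let i = 0; i < n; i++) out.push(out.shift());
  return out;
}

// Textual indicators for the three idioms (assumed heuristics, not a parser).
const INDICATORS = {
  // "})(" closing a self-invoking function expression
  iife: /\}\s*\)\s*\(/g,
  // dynamic function constructor, with or without "new"
  functionCtor: /\bnew\s+Function\s*\(|\bFunction\s*\(\s*['"]/g,
  // arr.push(arr.shift()) rotation of a lookup table
  arrayRotation: /\.push\s*\(\s*\w+\.shift\s*\(\s*\)\s*\)/g,
};

// Count each indicator in a source string. Any one of them is common in
// legitimate bundles; all three together in a small install-time script is
// what merits a closer look, so "suspicious" requires the combination.
function scanForObfuscation(src) {
  const counts = {};
  for (const [name, re] of Object.entries(INDICATORS)) {
    counts[name] = (src.match(re) || []).length;
  }
  counts.suspicious =
    counts.iife > 0 && counts.functionCtor > 0 && counts.arrayRotation > 0;
  return counts;
}

// Resolve the sample by hand: rotate the table as the script would, then
// apply the lookup that the Function constructor would have built.
function decodeSample() {
  const table = rotateLeft(['pad', 'hel', 'lo', 'junk'], 1);
  return table[0] + table[1];
}

console.log(scanForObfuscation(OBFUSCATED_SAMPLE)); // counts plus suspicious: true
console.log(decodeSample());                        // the hidden string
```

The regex scan is a triage aid for a first pass over a suspicious tarball; a real check should parse with a JavaScript AST and apply the rotation symbolically rather than pattern-matching text, since trivial whitespace or aliasing changes defeat the regexes.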

“Additionally, the APT group created and maintained GitHub repositories for five of the malicious packages, lending an appearance of open source legitimacy and increasing the likelihood of the harmful code being integrated into developer workflows,” researchers explained.

[Image] The malicious samples. | Source: Socket

Despite these efforts, the malware’s primary objectives align with Lazarus’ previous operations:

  • Collecting system environment details (hostname, OS, system directories).
  • Extracting sensitive files from browsers, including Chrome, Brave, and Firefox login credentials.
  • Targeting cryptocurrency wallets, specifically Solana and Exodus.
  • Exfiltrating stolen data to a hardcoded C2 server.

“Through these stages, Lazarus consistently prioritises persistence and stealth. The script’s objectives go beyond credential theft, seeking to embed itself within development workflows and ensuring continued compromise, even if one stage is detected and removed,” researchers said. “By creating or repurposing GitHub repositories for the malicious packages, the threat actor further obscures its activities, making the operation appear as part of legitimate open source development.”

Additionally, the script downloads secondary payloads, including the InvisibleFerret backdoor, using curl commands and the Node.js request module. The payload is retrieved under filenames p.zi or p2.zip and extracted using tar -xf, consistent with Lazarus’ multi-stage deployment strategy.

Researchers urge organisations to automate dependency auditing, deploy continuous monitoring, restrict outbound network connections from build and developer environments, and sandbox untrusted code. Any machine that installed one of the six packages should be treated as compromised: the listed capabilities mean browser-saved credentials and the Solana and Exodus wallet data on that machine should be assumed stolen and rotated or moved.
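As a point check for this campaign, the following is an added example and not a tool from the Socket report: it walks a parsed npm lockfile (v1 nested `dependencies`, or the v2/v3 `packages` map) and returns every occurrence of the six package names, including transitive ones, which a grep over package.json alone would miss. The sample lockfile is constructed for the example; the package list is the one the article gives.

```javascript
// Added example, not from the Socket report: flag the six package names in a
// parsed package-lock.json, whichever lockfile version wrote it. The sample
// lockfile below is constructed.

const LAZARUS_NPM_PACKAGES = new Set([
  'is-buffer-validator',
  'yoojae-validator',
  'event-handle-package',
  'array-empty-validator',
  'react-event-dependency',
  'auth-validator',
]);

// Package name from a lockfile v2/v3 "packages" key, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromLockPath(lockPath) {
  const marker = 'node_modules/';
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? lockPath : lockPath.slice(i + marker.length);
}

// Lockfile v1: "dependencies" is a tree of nested objects; walk it recursively.
function walkV1(deps, parentPath, hits) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${parentPath}node_modules/${name}`;
    if (LAZARUS_NPM_PACKAGES.has(name)) {
      hits.push({ name, version: entry.version, path });
    }
    walkV1(entry.dependencies, `${path}/`, hits);
  }
}

// Return every flagged package in a parsed lockfile object. v2 lockfiles carry
// both "packages" and "dependencies"; "packages" is authoritative there.
function findFlaggedPackages(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [lockPath, entry] of Object.entries(lock.packages)) {
      if (lockPath === '') continue; // root project entry
      // An aliased install records the real package under entry.name.
      const name = entry.name || nameFromLockPath(lockPath);
      if (LAZARUS_NPM_PACKAGES.has(name)) {
        hits.push({ name, version: entry.version, path: lockPath });
      }
    }
  } else {
    walkV1(lock.dependencies, '', hits);
  }
  return hits;
}

// Constructed lockfile (v3 layout): one legitimate package and one flagged
// name pulled in transitively by an otherwise unremarkable dependency.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'some-ui-lib': '^1.0.0' } },
    'node_modules/some-ui-lib': { version: '1.0.0', dependencies: { 'auth-validator': '*' } },
    'node_modules/some-ui-lib/node_modules/auth-validator': { version: '1.0.2' },
    'node_modules/lodash': { version: '4.17.21' },
  },
};

// One report line per hit; an empty array means nothing matched.
function formatReport(hits) {
  return hits.map((h) => `FLAGGED ${h.name}@${h.version} at ${h.path}`);
}

for (const line of formatReport(findFlaggedPackages(SAMPLE_LOCK))) console.log(line);
```

To run it against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findFlaggedPackages`; yarn.lock and pnpm-lock.yaml need their own parsers. Matching on names is a one-off check for this campaign, not a replacement for the continuous dependency auditing the researchers recommend, and it says nothing about a package that was installed and later removed, which is why the credential rotation above still applies.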


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
