North Korean Lazarus Hackers Infect Hundreds via npm Packages

A recent discovery by the Socket Research Team has shed light on a malicious campaign involving six North Korean Lazarus Group packages, which have been downloaded over 330 times from the Node package manager (npm). The packages are designed to steal account credentials, deploy backdoors on compromised systems, and extract sensitive cryptocurrency information.

The Lazarus Group is notorious for pushing malicious packages into software registries like npm, compromising systems passively: the victims install the code themselves rather than being broken into. Similar campaigns attributed to the same threat actors have been spotted on GitHub and the Python Package Index (PyPI). This tactic often allows them to gain initial access to valuable networks.

A Typo-Squatting Scheme

The six Lazarus packages discovered in npm all employ typosquatting tactics to trick developers into accidental installations. The packages contain malicious code designed to steal sensitive information, such as cryptocurrency wallets and browser data that contains stored passwords, cookies, and browsing history.

The packages also load the BeaverTail malware and the InvisibleFerret backdoor, both of which North Korean actors previously delivered through fake job offers that led to the installation of malware. The code is designed to collect system environment details, including the hostname, operating system, and system directories.

Targets and Tactics

The malicious packages systematically iterate through browser profiles to locate and extract sensitive files such as Login Data from Chrome, Brave, and Firefox, as well as keychain archives on macOS. Notably, the malware also targets cryptocurrency wallets, specifically extracting id.json from Solana and exodus.wallet from Exodus.

A Threat Still Active

Unfortunately, all six Lazarus packages are still available on npm and in GitHub repositories, so the threat remains active. Software developers are advised to double-check the packages they use in their projects and to scrutinize the code of open-source dependencies for suspicious signs such as obfuscated code and calls to external servers.

Consequences of Inaction

If left unchecked, these malicious packages could lead to widespread compromise of systems and theft of sensitive information. Developers must remain vigilant and take immediate action to identify and remove any potentially compromised dependencies in their projects.

The Importance of Cybersecurity Awareness

As the Lazarus Group continues to evolve its tactics, it is essential for developers, organizations, and individuals to stay informed about emerging threats. By being proactive and taking steps to protect themselves, we can mitigate the impact of such attacks and ensure a safer online environment.

Staying Safe in the Digital World

To defend against these types of attacks, it's crucial to regularly review and update dependencies, use reputable software sources, and implement robust security measures such as encryption and secure communication protocols. By doing so, we can safeguard our digital assets and prevent potential breaches.