# Lazarus Group Hack Crypto Developers: Creating Backdoors in NPM Repositories

The Lazarus Group, a notorious hacking collective from North Korea, has launched a new campaign targeting crypto developers through malicious npm packages. The group published six packages whose names mimic popular packages, luring unsuspecting crypto developers into installing them.

## A Mysterious Campaign

According to Kirill Boychenko, Senior Analyst at Socket, the tactics, techniques, and procedures (TTPs) used in this npm attack closely align with Lazarus's known operations. Attribution is rarely definitive, so the campaign cannot be pinned on Lazarus with certainty, but it clearly shares the hallmarks of the group's documented operations.

## The Attack Vector

The malicious packages rely on typosquatting: their names differ from legitimate packages by a missing, swapped or added character, so a developer who mistypes a package name or skims a search result installs the malicious one instead. The tactic proved effective, as the packages were downloaded over 300 times. Furthermore, the attackers created GitHub repositories for five of the packages, lending them an appearance of open source legitimacy and increasing the likelihood of the harmful code being pulled into developer workflows.
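The typosquatting described above can be caught before `npm install` runs by comparing every declared dependency against a list of well-known package names and flagging near-misses. The following is an added example written for this article (not code from Socket or the original post); the popular-package list and the `package.json` contents are constructed for illustration, and the misspelled names in it are hypothetical, not the packages from the campaign. It uses optimal string alignment distance (Levenshtein plus adjacent transpositions), so swapped letters such as `lodahs` count as one edit.

```javascript
// Optimal string alignment distance: insertions, deletions, substitutions,
// and transposition of two adjacent characters each cost 1.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Flag dependencies that are not a known package but sit within maxDistance
// edits of one. Exact matches are the real package and are skipped.
function findTyposquatCandidates(dependencyNames, popularNames, maxDistance = 2) {
  const popular = new Set(popularNames.map((n) => n.toLowerCase()));
  const findings = [];
  for (const rawName of dependencyNames) {
    const name = rawName.toLowerCase(); // npm names are lowercase
    if (popular.has(name)) continue;
    let best = null;
    for (const target of popular) {
      const distance = osaDistance(name, target);
      if (distance <= maxDistance && (best === null || distance < best.distance)) {
        best = { name: rawName, lookalike: target, distance };
      }
    }
    if (best) findings.push(best);
  }
  return findings;
}

// Constructed allow-list: in practice, feed this from the registry's most
// downloaded packages or your organisation's approved dependency list.
const POPULAR_PACKAGES = ["express", "lodash", "react", "axios", "mongoose"];

// Constructed package.json fragment with three hypothetical misspellings.
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    expres: "^4.18.0",
    lodahs: "^4.17.21",
    react: "^18.2.0",
    axois: "^1.6.0",
    "left-pad-utils": "^1.0.0",
  },
};

function checkSamplePackageJson() {
  return findTyposquatCandidates(Object.keys(SAMPLE_PACKAGE_JSON.dependencies), POPULAR_PACKAGES);
}

for (const f of checkSamplePackageJson()) {
  console.log(`suspicious dependency "${f.name}" resembles "${f.lookalike}" (distance ${f.distance})`);
}
```

Wire `checkSamplePackageJson` (reading the real `package.json` instead of the constructed object) into a pre-commit hook or CI step; a distance threshold of 2 keeps noise low for names longer than five characters, while very short names should be compared against an exact allow-list instead.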

## The Malware: A Threat to System Security

The payload bundled in the packages is an information stealer. It first collects system information, including the operating system, system directories and hostname; with the packages downloaded hundreds of times, it reached hundreds of npm users. It then iterates through browser profiles to locate sensitive files such as the saved login data of Chrome, Brave and Firefox, as well as keychain archives on macOS.

## A Crypto-Specific Twist

The malware also targets cryptocurrency wallets, specifically extracting the Solana keypair file id.json and the Exodus wallet's exodus.wallet data. This shows that the attackers are interested not only in credentials but also in direct access to funds, and that they know which files on a developer's machine hold wallet keys.

## The Broader Strategy

This attack is part of Lazarus Group's broader strategy of compromising software supply chains. By embedding themselves in developer machines, development environments and crypto wallets, they can carry out more sophisticated follow-on attacks and remain undetected for longer periods. Similar methods have been used against GitHub repositories and Python packages on PyPI.

## The Threat: A New Kind of Security Risk

The Lazarus Group poses a significant threat to the global software supply chain, particularly in the cryptocurrency space. As a state-backed actor, the group is believed to channel its proceeds into North Korea's nuclear weapons and ballistic missile programmes. According to a 2024 United Nations report, North Korean hackers were responsible for 35% of cryptocurrency thefts, amounting to $1 billion in stolen crypto.

## Mitigating the Threat

To counter this threat, developers must be vigilant and cautious when working with open-source projects. Continuous monitoring of dependency changes (new packages, unexpected version bumps, a changed package hash for an unchanged version, packages that run install-time scripts) can expose malicious updates, while sandboxing untrusted code in controlled environments and deploying endpoint protection can detect suspicious file system or network activity, such as reads of browser credential stores or wallet files.
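One concrete form of the dependency monitoring recommended above is to diff the lockfile committed before and after a dependency update and report every entry that is new, removed, bumped, or has a different integrity hash for the same version, together with properties that deserve a second look. The following is an added example for this article, not code from the original page or from Socket. The two lockfile snapshots are constructed in the npm `lockfileVersion` 3 layout, in which each `packages` entry carries `version`, `resolved`, `integrity`, and `hasInstallScript` when the package defines an install-time script; the package `demo-input-validator` and its mirror URL are hypothetical.

```javascript
const DEFAULT_REGISTRY = "https://registry.npmjs.org/";

// Package name from a lockfile path such as "node_modules/a/node_modules/@s/b".
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Compare two lockfile snapshots and return one finding per entry that
// changed, with flags a reviewer should act on. Unchanged entries are silent.
function diffLockfiles(before, after, trustedRegistry = DEFAULT_REGISTRY) {
  const prevPkgs = before.packages || {};
  const nextPkgs = after.packages || {};
  const findings = [];
  for (const [lockPath, entry] of Object.entries(nextPkgs)) {
    if (lockPath === "") continue; // root project entry, not a dependency
    const prev = prevPkgs[lockPath];
    const flags = [];
    if (!prev) {
      flags.push("new-package");
    } else if (prev.version !== entry.version) {
      flags.push(`version ${prev.version} -> ${entry.version}`);
    } else if (prev.integrity !== entry.integrity || prev.resolved !== entry.resolved) {
      // Same version but different tarball: registry tampering or a republish.
      flags.push("integrity-changed-same-version");
    } else {
      continue; // identical entry
    }
    if (entry.hasInstallScript) flags.push("install-script");
    if (entry.resolved && !entry.resolved.startsWith(trustedRegistry)) flags.push("non-default-registry");
    findings.push({ name: packageNameFromPath(lockPath), version: entry.version, flags });
  }
  for (const [lockPath, entry] of Object.entries(prevPkgs)) {
    if (lockPath !== "" && !(lockPath in nextPkgs)) {
      findings.push({ name: packageNameFromPath(lockPath), version: entry.version, flags: ["removed"] });
    }
  }
  return findings;
}

// Constructed snapshots: before and after a routine "npm install" on a branch.
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/lodash": { version: "4.17.21", resolved: DEFAULT_REGISTRY + "lodash/-/lodash-4.17.21.tgz", integrity: "sha512-AAAA" },
    "node_modules/axios": { version: "1.6.0", resolved: DEFAULT_REGISTRY + "axios/-/axios-1.6.0.tgz", integrity: "sha512-BBBB" },
    "node_modules/left-pad": { version: "1.3.0", resolved: DEFAULT_REGISTRY + "left-pad/-/left-pad-1.3.0.tgz", integrity: "sha512-EEEE" },
  },
};
const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/lodash": { version: "4.17.21", resolved: DEFAULT_REGISTRY + "lodash/-/lodash-4.17.21.tgz", integrity: "sha512-AAAA" },
    // Same version as before, but the tarball hash differs.
    "node_modules/axios": { version: "1.6.0", resolved: DEFAULT_REGISTRY + "axios/-/axios-1.6.0.tgz", integrity: "sha512-CCCC" },
    // Hypothetical new package with an install script, served from a mirror.
    "node_modules/demo-input-validator": { version: "1.0.3", resolved: "https://mirror.example.invalid/demo-input-validator-1.0.3.tgz", integrity: "sha512-DDDD", hasInstallScript: true },
  },
};

function reviewSampleUpdate() {
  return diffLockfiles(LOCK_BEFORE, LOCK_AFTER);
}

for (const f of reviewSampleUpdate()) {
  console.log(`${f.name}@${f.version}: ${f.flags.join(", ")}`);
}
```

In CI, load the two snapshots with `git show origin/main:package-lock.json` and the working tree's `package-lock.json`, and fail the build on `integrity-changed-same-version` or `non-default-registry` outright; `new-package` and `install-script` are review prompts, since a new dependency that also runs code at install time is exactly the shape a supply-chain implant takes. Run the check with `--ignore-scripts` set in `.npmrc` so nothing executes before the review is done.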

Ultimately, the Lazarus Group's attack highlights the need for increased awareness and vigilance among crypto developers and organizations. By staying informed and taking proactive measures such as these, developers can reduce the risk of falling victim to this type of attack.