Full Report
Socket researchers said the malware-ridden packages were collectively downloaded over 330 times. GitHub removed all of the malicious packages Wednesday. The post Lazarus Group deceives developers with 6 new malicious npm packages appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Lazarus Group
## Attribution & Identity
Attributed to Lazarus Group, a North Korea-linked threat actor with a record of earlier malicious activity on the npm registry.
## Activity Summary
The group recently planted six new malicious packages in the npm registry targeting software developers. These packages were collectively downloaded over 330 times before being removed by GitHub. The activity involved typosquatting trusted library names to deceive developers. They also created and maintained GitHub repositories for five of the packages to appear legitimate.
## Tactics, Techniques & Procedures
- **Supply Chain Compromise:** Embedding malware within legitimate-looking software packages published to the npm registry.
- **Typosquatting:** Mimicking the names of widely trusted libraries (e.g., a malicious package resembling the legitimate `is-buffer` module).
- **Obfuscation:** Using self-invoking functions, dynamic function constructors, and array shifting to hide malicious functionality.
- **Payload Delivery & Persistence:** The embedded BeaverTail malware acts as a first stage that retrieves further payloads and establishes long-term access; the summary does not detail the specific persistence mechanism.
## Targeting
- Sectors: Software Developers/Software Supply Chain (Targeting the JavaScript programming language ecosystem via npm).
- Geography: Not explicitly detailed, but the targets are developers using the npm registry.
- Victims: Software developers integrating the malicious packages into their workflows. Specific organizations were not named.
## Tools & Infrastructure
- **Malware Families Used:** BeaverTail malware (used to install backdoors, steal credentials, and steal data from cryptocurrency wallets).
- **Infrastructure:** Six malicious npm packages published under the names `is-buffer-validator`, `yoojae-validator`, `event-handle-package`, `array-empty-validator`, `react-event-dependency`, and `auth-validator`, five of them backed by GitHub repositories created to lend them legitimacy.
- **C2/Exfiltration:** The malware collects system environment details and sensitive files (including Solana's `id.json` and Exodus wallet file `exodus.wallet`) and uploads them to a hardcoded location (details truncated in summary source).
## Implications
Lazarus Group continues to target the software supply chain aggressively, using package registries such as npm for initial access into development environments. The objectives are consistent with financial gain (cryptocurrency wallet theft) and long-term backdoor access. Naming new packages after previously analyzed ones suggests the group tracks security research and adapts its tradecraft in response.
## Mitigations
- Developers should exercise extreme caution when installing new npm packages, verifying the publisher, the package's age and download history, and what the code actually does before adding it to a project.
- Organizations should scrutinize dependency manifests and lockfiles, especially for names that closely resemble or extend well-known libraries (the typosquatting pattern used here).
- Implement strict network monitoring to detect communications related to multi-stage payload delivery or exfiltration targeting wallet files and system credentials.
- Maintain rigorous supply chain security practices, inspecting code from untrusted third-party repositories.