Full Report
Socket researchers said the malware-ridden packages were collectively downloaded over 330 times. GitHub removed all of the malicious packages Wednesday. The post "Lazarus Group deceives developers with 6 new malicious npm packages" appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Lazarus Group
## Attribution & Identity
- **Attribution:** North Korea-linked threat group.
- **Aliases/Associations:** The campaign is explicitly linked to Lazarus's earlier malicious npm activity, which used the same tactics.
## Activity Summary
Lazarus Group recently planted six new malicious packages within the npm registry targeting software developers. These packages were designed to deceive developers and disrupt workflows. The malicious packages were collectively downloaded over 330 times before GitHub removed them. The group used typosquatting—mimicking trusted library names—to trick users. Furthermore, Lazarus created and maintained GitHub repositories for five of the packages to enhance their appearance of open-source legitimacy.
## Tactics, Techniques & Procedures
- **Code Injection:** Embedding `BeaverTail` malware into npm packages.
- **Typosquatting:** Using package names that closely mimic widely trusted libraries (e.g., resembling the legitimate `is-buffer` module).
- **Supply Chain Compromise:** Targeting the npm package manager used for JavaScript development.
- **Obfuscation:** Using self-invoking functions, dynamic function constructors, and array shifting to hide malicious functionality.
- **Persistence & Backdoors:** Utilizing `BeaverTail` malware for multi-stage payload delivery and establishing long-term access.
- **Deception:** Creating legitimate-looking GitHub repositories for the packages.
## Targeting
- **Sectors:** Software Development / Technology (Targeting developers using the npm registry).
- **Geography:** Not explicitly detailed, but targeting the global developer community using npm.
- **Victims:** Software developers integrating the compromised packages into their workflows.
## Tools & Infrastructure
- **Malware families used:** BeaverTail malware.
- **Infrastructure:**
  - Malicious npm packages:
    - `is-buffer-validator`
    - `yoojae-validator`
    - `event-handle-package`
    - `array-empty-validator`
    - `react-event-dependency`
    - `auth-validator`
- **Payload Objectives:** Stealing credentials and data from cryptocurrency wallets, specifically targeting `id.json` from Solana and `exodus.wallet` from Exodus.
## Implications
Lazarus continues to aggressively target the software supply chain (specifically JavaScript/npm ecosystems) to compromise sensitive developer environments and steal high-value cryptocurrency assets. Their methods are sophisticated, employing typosquatting and repository creation to maximize trust and integration likelihood.
## Mitigations
- Exercise extreme caution when installing dependencies from the npm registry, especially those resembling legitimate packages (use known safe dependencies or vet names carefully).
- Ensure thorough scanning of dependencies for known malicious code patterns, particularly those exhibiting obfuscated execution or unexpected network behavior upon installation.
- Review packages for the presence of post-installation scripts that execute system commands or attempt to access sensitive files like wallet data (`id.json`, `exodus.wallet`).
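The review step above can be partly automated. The following Node script is an added example written for this summary, not code from the CyberScoop report or from Socket; it flags lifecycle scripts in a package manifest and the code traits the report names (self-invoking wrappers, dynamic function constructors, array-shift decoders, command execution, and references to `id.json` or `exodus.wallet`). The package contents it scans are constructed for the demo.

```javascript
// Added example: a small pre-install audit for the indicators this report
// describes. Not code from the report or from Socket's tooling.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Each pattern maps to a trait named in the report: wallet file names,
// dynamic code construction, self-invoking wrappers, array-shifting
// decoders, and command execution from within the package.
const INDICATORS = [
  { id: "solana-id-json", re: /\bid\.json\b/ },
  { id: "exodus-wallet", re: /exodus\.wallet/i },
  { id: "dynamic-function-constructor", re: /\b(?:new\s+)?Function\s*\(|\beval\s*\(/ },
  { id: "self-invoking-function", re: /\(\s*function\s*\([^)]*\)\s*\{[\s\S]*?\}\s*\)\s*\(/ },
  { id: "array-shift-decoder", re: /\.push\s*\(\s*\w+\.shift\s*\(\s*\)\s*\)/ },
  { id: "child-process", re: /child_process|\bexecSync\b|\bspawn(?:Sync)?\b/ },
];

// manifest: parsed package.json; sources: { fileName: fileContents }.
// Returns a list of findings; an empty list means nothing matched.
function auditPackage(manifest, sources) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) {
      findings.push({ id: "lifecycle-script", where: `scripts.${hook}`, detail: scripts[hook] });
    }
  }
  for (const [file, code] of Object.entries(sources)) {
    for (const { id, re } of INDICATORS) {
      if (re.test(code)) findings.push({ id, where: file });
    }
  }
  return findings;
}

// Distinct, sorted indicator ids from a findings list (handy for reporting).
function ids(findings) { return [...new Set(findings.map(f => f.id))].sort(); }

// Constructed samples for the demo; they are not the real package contents.
const suspiciousPkg = {
  manifest: { name: "example-validator", version: "1.0.0", scripts: { postinstall: "node index.js" } },
  sources: {
    "index.js":
      '(function(){ var a=["id.json","child_process"]; a.push(a.shift());' +
      ' var f=new Function("return require(\'"+a[1]+"\')"); f(); })();',
  },
};
const benignPkg = {
  manifest: { name: "tiny-util", version: "2.0.1" },
  sources: { "index.js": "module.exports = function isEmpty(a) { return Array.isArray(a) && a.length === 0; };" },
};

console.log(ids(auditPackage(suspiciousPkg.manifest, suspiciousPkg.sources)));
console.log(auditPackage(benignPkg.manifest, benignPkg.sources).length); // 0
```

A real run would read `package.json` and every `.js` file from the unpacked tarball (`npm pack` on the candidate version) before `npm install` executes any lifecycle script.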