Full Report
Six malicious packages have been identified on npm (Node package manager) linked to the notorious North Korean hacking group Lazarus. [...]
Analysis Summary
# Threat Actor: Lazarus Group
## Attribution & Identity
The threat actor is identified as North Korean Lazarus Group.
Known associations: the group has previously deployed the BeaverTail malware and the InvisibleFerret backdoor, which were also seen in operations involving fake job offers.
## Activity Summary
Lazarus hackers infected hundreds of targets using malicious packages published to the npm repository. They published six fake packages masquerading as legitimate development tools to compromise software developers and steal sensitive information.
## Tactics, Techniques & Procedures
- Supply Chain Compromise via malicious npm packages.
- Code execution upon package installation/use.
- Data exfiltration of sensitive files, browser profiles, and cryptocurrency wallet data.
- System information harvesting (hostname, OS, system directories).
- Iterating through browser profiles (Chrome, Brave, Firefox) to locate and extract sensitive files (e.g., Login Data).
- Targeting specific cryptocurrency wallet files (Solana `id.json`, Exodus `exodus.wallet`).
- Deployment of BeaverTail malware and InvisibleFerret backdoor.
## Targeting
- Sectors: software developers and development environments (the packages were distributed through npm).
- Geography: not stated for victims; because the npm registry is used worldwide, exposure is effectively global.
- Victims: Hundreds of developers who installed the malicious packages.
## Tools & Infrastructure
- Malware families used: BeaverTail malware, InvisibleFerret backdoor.
- Malicious npm Packages:
  1. `is-buffer` (a fake version impersonating the legitimate `is-buffer` library)
  2. `yoojae-validator`
  3. `event-handle-package`
  4. `array-empty-validator`
  5. `react-event-dependency`
  6. `auth-validator`
- Infrastructure: The article notes that the code attempts to contact external servers for payload delivery and data exfiltration, but no specific C2 domains or IPs are listed. All six malicious packages were still available on npm and GitHub at the time of reporting.
## Implications
Lazarus continues to aggressively target the software supply chain, specifically developer environments, to achieve initial access and significant data theft, including high-value cryptocurrency credentials. The availability of these packages months after discovery indicates a sustained and ongoing risk environment for the development community.
## Mitigations
- Software developers must rigorously double-check third-party packages used in projects.
- Continuously scrutinize the code of open-source dependencies for suspicious indicators, such as obfuscated code, install-time scripts, or calls to external servers.
- Maintain vigilance regarding package names that mimic popular or legitimate libraries (typosquatting/dependency confusion).