North Korean state-sponsored threat actors associated with the Lazarus Group have intensified their Contagious Interview campaign by deploying novel malicious npm packages leveraging hexadecimal string encoding to bypass detection mechanisms.
These packages deliver BeaverTail infostealers and remote access trojan (RAT) loaders, targeting developers to exfiltrate credentials, financial data, and cryptocurrency wallets.
SecurityScorecard researchers identified 11 new packages with over 5,600 cumulative downloads, linking infrastructure and tactics to known Lazarus operations.
The threat actors created npm accounts taras_lakhai, mvitalii, wishorn, and crouch626 to disseminate malicious packages like twitterapis and dev-debugger-vite.
These packages masqueraded as utilities for API handling, logging, and debugging while establishing connections to command-and-control (C2) servers at 45.61.151[.]71:1224 and 185.153.182[.]241:1224[1].
Shared infrastructure between accounts, such as the use of identical IP-port combinations, confirms coordinated Lazarus activity.
Notably, the group expanded its repository footprint to Bitbucket, hosting malicious code in projects like icloud-cod and events-utils.
These repositories, often uploaded days before associated npm packages, simulated legitimate maintenance activity to lure developers.
One repository under the directory eiwork_hire hinted at fake job offers, a hallmark of the Contagious Interview operation’s social engineering tactics.
The latest packages employ a hexadecimal string decoding function to conceal critical components like module imports and C2 URLs.
For example, the cln-logger package used:

```javascript
function g(h) {
  return h.replace(/../g, match => String.fromCharCode(parseInt(match, 16)));
}
```

Figure: icloud-cod.js hosted on Bitbucket

This decodes hex-encoded strings such as 72657175697265 into require, enabling dynamic loading of malicious modules.
Similarly, URLs like mocki[.]io/v1/32f16c80-602a-4c80-80af-32a9b8220a6b were hidden behind hex strings to evade static analysis.
Variants like node-clog and snore-log rotated endpoints (m21gk[.]wiremockapi[.]cloud, ip-api-server[.]vercel[.]app) while retaining core loader functionality.
According to the report, this redundancy ensures payload delivery even if individual domains are blocked.
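The decoder above is tiny, which is exactly why it slips past signature-based scanners: the interesting strings are never present in plaintext. The following is an added example, not code from the report or from the malicious packages, showing one way a reviewer can statically surface what such a loader would resolve at runtime. It walks JavaScript source for quoted hex literals, decodes each one the same way the loader does, and flags any that turn into a Node built-in name or a URL. The sample source, the SUSPICIOUS name list, the URL heuristic and the example.invalid address are all constructed for this illustration.

```javascript
// Added example (constructed for illustration): static scan of JS source
// for hex-encoded string literals and what they decode to.

// Quoted, even-length hex runs of at least 4 bytes. Short literals like
// "ff" are ignored to keep noise down; the 8+ threshold is an assumption.
const HEX_LITERAL = /["'`]([0-9a-fA-F]{8,})["'`]/g;

// Names a loader typically hides (constructed list, extend as needed).
const SUSPICIOUS = ['require', 'child_process', 'http', 'https', 'fs', 'eval'];

// Crude URL/hostname heuristic: scheme, or dotted host followed by "/" or end.
const URL_LIKE = /^(https?:\/\/|[a-z0-9-]+(\.[a-z0-9-]+)+(\/|$))/i;

// Detects the decoder idiom quoted in the article (parseInt(x, 16) fed to
// String.fromCharCode); presence alone is a signal worth a closer look.
const DECODER_IDIOM = /String\.fromCharCode\(parseInt\([^)]*,\s*16\)\)/;

// Same transformation the loader performs; null for odd-length input.
function decodeHex(h) {
  if (h.length % 2 !== 0) return null;
  return h.replace(/../g, m => String.fromCharCode(parseInt(m, 16)));
}

// Only keep decodes that are plain printable ASCII; random hex (hashes,
// IDs) usually decodes to control bytes and is dropped here.
function isPrintable(s) {
  return [...s].every(c => {
    const code = c.charCodeAt(0);
    return code >= 0x20 && code < 0x7f;
  });
}

// Returns every decodable hex literal plus the subset that looks like a
// hidden module name or URL, and whether the decoder idiom is present.
function scanSource(src) {
  const findings = [];
  for (const m of src.matchAll(HEX_LITERAL)) {
    const decoded = decodeHex(m[1]);
    if (decoded === null || !isPrintable(decoded)) continue;
    const reasons = [];
    if (SUSPICIOUS.includes(decoded)) reasons.push('builtin/module name');
    if (URL_LIKE.test(decoded)) reasons.push('url-like');
    findings.push({ hex: m[1], decoded, reasons });
  }
  return {
    hasDecoder: DECODER_IDIOM.test(src),
    findings,
    suspicious: findings.filter(f => f.reasons.length > 0),
  };
}

// Constructed sample in the style the article describes: the hex for
// "require" is the literal quoted in the report; the URL is a placeholder
// (example.invalid) encoded here rather than a real endpoint.
const SAMPLE = `
function g(h) { return h.replace(/../g, m => String.fromCharCode(parseInt(m, 16))); }
const r = eval(g("72657175697265"));
const u = g("${Buffer.from('https://example.invalid/check').toString('hex')}");
`;

if (typeof module === 'undefined' || require.main === module) {
  console.log(JSON.stringify(scanSource(SAMPLE), null, 2));
}
```

Run it with node; each flagged entry shows the literal as it appears in the package and the value it becomes at runtime, which is what you actually want to compare against a blocklist or an allowlist of expected imports. The heuristic is deliberately permissive: the goal in a dependency review is to surface candidates for a human, not to decide on its own.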
The malware scans for Solana wallet IDs (id.json) and extracts credentials from Brave, Chrome, and Opera browsers.
BeaverTail exfiltrates data via HTTP POST requests to Lazarus-controlled servers, while InvisibleFerret backdoors provide persistent access.
macOS systems are further compromised via keychain theft, demonstrating cross-platform capabilities.
Malicious Packages: empty-array-validator (129 downloads), twitterapis (102), dev-debugger-vite (1,606), snore-log (1,904), core-pino (483).
Threat Actor Accounts: npm aliases taras_lakhai (kevintracy516@gmail[.]com), mvitalii (mvitalii206@gmail[.]com); GitHub repositories lukobogdan47/empty-array-validator.
C2 Infrastructure: 144.172.87[.]27:1224, 45.61.151[.]71:1224, ip-check-api[.]vercel[.]app/api/ipcheck/703.
MITRE Techniques: T1195.002 (Supply Chain Compromise), T1027.013 (Hex Encoding), T1555.003 (Browser Credential Theft).
Organizations should implement dependency auditing tools like Socket, which detects suspicious package behaviors during installation.
Blocking traffic to known Lazarus endpoints and restricting unverified third-party modules can curtail infiltration.
Developers must scrutinize repositories linked to npm packages, especially those with limited maintenance history or abrupt updates.