Socket researchers have identified a malicious npm package named postcss-optimizer and attributed it to the North Korean state-sponsored Lazarus advanced persistent threat (APT) group.
Code-level similarities to earlier campaigns tie the package to Contagious Interview, a Lazarus subgroup known for targeting software developers with elaborate malware delivery schemes.
The package masquerades as the legitimate and highly popular postcss library (which has over 16 billion downloads) and had been downloaded 477 times at the time of the report.
Once installed, it deploys the BeaverTail malware, which acts both as an infostealer and as a loader for further malware.
Its second-stage payload is suspected to be InvisibleFerret, a backdoor consistent with Lazarus' software supply chain tactics.
At the time of writing the package remained available in the npm registry, although Socket has requested its removal.
The "postcss-optimizer" package was published under the npm registry user alias "yolorabbit" and imitates the original postcss library in name.
Researchers from Unit 42 previously documented similar attacks in 2022, in which the group used staged fake job interviews to lure developers into installing malicious npm packages.
Once installed, those packages carried out multi-stage attacks: reconnaissance and persistence first, then data exfiltration or the deployment of secondary payloads.
The BeaverTail sample tied to this campaign uses obfuscation such as variable renaming and control-flow flattening to hinder static analysis.
Once running, the malware targets Windows, macOS, and Linux systems.
It collects sensitive data, including credentials, browser cookies, and cryptocurrency wallet files, and sends it to a hard-coded command-and-control (C2) server.
BeaverTail also establishes long-term persistence through registry key manipulation or startup script injection, and periodically fetches and executes additional payloads.
A detailed analysis of the malware revealed its focus on data theft, particularly targeting cryptocurrency wallets and financial credentials.
The malware scans for browser extensions associated with wallets like MetaMask and Phantom while also exfiltrating Solana wallet keys and macOS login keychain data.
It systematically searches user directories for locally stored credentials and transmits the stolen data to its C2 infrastructure using HTTP POST requests.
The code also includes a fallback that downloads additional payloads through alternative means such as cURL, so that a blocked primary channel does not stop the infection chain.
These capabilities align with Lazarus’ preference for financial theft coupled with broader espionage goals.
This incident underlines the persistent threat posed by APT groups that exploit open-source ecosystems for malware distribution.
Organizations need concrete controls over what enters their software supply chain.
Automated dependency audits, behavior-based analysis of packages, and continuous monitoring for suspicious npm packages can reduce the risk.
Tools such as the Socket GitHub integration and CLI add a layer of defense by flagging anomalies in open-source packages before they are deployed.
The postcss-optimizer campaign serves as a stark reminder of how malicious actors exploit developer trust and open-source tools to infiltrate systems.
Vigilance, combined with advanced security tooling, remains critical to countering such sophisticated software supply chain threats.