Lazarus Hackers Exploit 6 NPM Packages to Steal Login Credentials

North Korea’s Lazarus Group has launched a new wave of attacks targeting the npm ecosystem, compromising six packages designed to steal login credentials and deploy backdoors.

The malicious packages is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator have collectively been downloaded over 330 times.

These packages mimic the names of widely trusted libraries, employing a typosquatting tactic to deceive developers into integrating them into their workflows.

The Lazarus Group’s tactics closely align with their previous operations, including the use of identical obfuscation techniques and cross-platform targeting of Windows, macOS, and Linux systems.

The malware embedded in these packages is designed to collect system environment details, extract sensitive browser data, and target cryptocurrency wallets.

It systematically iterates through browser profiles to locate and extract sensitive files such as login data from Chrome, Brave, and Firefox, as well as keychain archives on macOS.

According to Socket Report, the stolen data is then exfiltrated to a hardcoded command and control (C2) server.

Technical Analysis and Attribution

The code within these malicious packages demonstrates sophisticated obfuscation techniques, including self-invoking functions and dynamic function constructors, to obscure its true functionality.

Despite these layers of concealment, the malware’s objectives align with previously documented Lazarus operations, which have consistently leveraged multi-stage payload delivery and persistence mechanisms to maintain long-term access to compromised systems.

The deployment of BeaverTail malware along with the InvisibleFerret backdoor further reinforces the likelihood of Lazarus’s involvement.

Attributing this attack definitively to Lazarus or a sophisticated copycat remains challenging due to the inherent difficulties in absolute attribution.

However, the tactics, techniques, and procedures (TTPs) observed in this npm attack closely mirror those of Lazarus’s known operations, extensively documented by researchers since 2022.

Mitigation and Recommendations

To mitigate these threats, organizations should implement a multi-layered approach to detection and defense.

Automated dependency auditing and code reviews can help identify anomalies in third-party packages, particularly those with low download counts or from unverified sources.

Continuous monitoring of unusual dependency changes can expose malicious updates, while blocking outbound connections to known C2 endpoints prevents data exfiltration.

Educating development teams on common typosquatting tactics promotes vigilance and reinforces proper vetting before installing new packages.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.