North Korea’s Lazarus Group has launched a new wave of attacks targeting the npm ecosystem, compromising six packages designed to steal login credentials and deploy backdoors.
The malicious packages is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator have collectively been downloaded over 330 times.
These packages mimic the names of widely trusted libraries, employing a typosquatting tactic to deceive developers into integrating them into their workflows.
The Lazarus Group’s tactics closely align with their previous operations, including the use of identical obfuscation techniques and cross-platform targeting of Windows, macOS, and Linux systems.
The malware embedded in these packages is designed to collect system environment details, extract sensitive browser data, and target cryptocurrency wallets.
It systematically iterates through browser profiles to locate and extract sensitive files such as login data from Chrome, Brave, and Firefox, as well as keychain archives on macOS.
According to Socket Report, the stolen data is then exfiltrated to a hardcoded command and control (C2) server.
The code within these malicious packages demonstrates sophisticated obfuscation techniques, including self-invoking functions and dynamic function constructors, to obscure its true functionality.
Despite these layers of concealment, the malware’s objectives align with previously documented Lazarus operations, which have consistently leveraged multi-stage payload delivery and persistence mechanisms to maintain long-term access to compromised systems.
The deployment of BeaverTail malware along with the InvisibleFerret backdoor further reinforces the likelihood of Lazarus’s involvement.
Attributing this attack definitively to Lazarus or a sophisticated copycat remains challenging due to the inherent difficulties in absolute attribution.
However, the tactics, techniques, and procedures (TTPs) observed in this npm attack closely mirror those of Lazarus’s known operations, extensively documented by researchers since 2022.
To mitigate these threats, organizations should implement a multi-layered approach to detection and defense.
Automated dependency auditing and code reviews can help identify anomalies in third-party packages, particularly those with low download counts or from unverified sources.
Continuous monitoring of unusual dependency changes can expose malicious updates, while blocking outbound connections to known C2 endpoints prevents data exfiltration.
Educating development teams on common typosquatting tactics promotes vigilance and reinforces proper vetting before installing new packages.
Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…
A threat actor known as #LongNight has reportedly put up for sale remote code execution…
Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…
Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…
The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…
Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…