Cyber Security News

Lazarus Hackers Exploit 6 NPM Packages to Steal Login Credentials

North Korea’s Lazarus Group has launched a new wave of attacks targeting the npm ecosystem, compromising six packages designed to steal login credentials and deploy backdoors.

The malicious packages is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator have collectively been downloaded over 330 times.

These packages mimic the names of widely trusted libraries, employing a typosquatting tactic to deceive developers into integrating them into their workflows.

The Lazarus Group’s tactics closely align with their previous operations, including the use of identical obfuscation techniques and cross-platform targeting of Windows, macOS, and Linux systems.

The malware embedded in these packages is designed to collect system environment details, extract sensitive browser data, and target cryptocurrency wallets.

It systematically iterates through browser profiles to locate and extract sensitive files such as login data from Chrome, Brave, and Firefox, as well as keychain archives on macOS.

According to Socket Report, the stolen data is then exfiltrated to a hardcoded command and control (C2) server.

Technical Analysis and Attribution

The code within these malicious packages demonstrates sophisticated obfuscation techniques, including self-invoking functions and dynamic function constructors, to obscure its true functionality.

Despite these layers of concealment, the malware’s objectives align with previously documented Lazarus operations, which have consistently leveraged multi-stage payload delivery and persistence mechanisms to maintain long-term access to compromised systems.

The deployment of BeaverTail malware along with the InvisibleFerret backdoor further reinforces the likelihood of Lazarus’s involvement.

Attributing this attack definitively to Lazarus or a sophisticated copycat remains challenging due to the inherent difficulties in absolute attribution.

However, the tactics, techniques, and procedures (TTPs) observed in this npm attack closely mirror those of Lazarus’s known operations, extensively documented by researchers since 2022.

Mitigation and Recommendations

To mitigate these threats, organizations should implement a multi-layered approach to detection and defense.

Automated dependency auditing and code reviews can help identify anomalies in third-party packages, particularly those with low download counts or from unverified sources.

Continuous monitoring of unusual dependency changes can expose malicious updates, while blocking outbound connections to known C2 endpoints prevents data exfiltration.

Educating development teams on common typosquatting tactics promotes vigilance and reinforces proper vetting before installing new packages.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…

1 day ago

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code execution…

1 day ago

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…

1 day ago

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…

1 day ago

EU Targets Stark Industries in Cyberattack Sanctions Crackdown

The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…

2 days ago

Venice.ai’s Unrestricted Access Sparks Concerns Over AI-Driven Cyber Threats

Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…

2 days ago