Security researchers have identified six malicious npm packages linked to the North Korean hacking group Lazarus, designed to steal credentials, deploy backdoors, and extract cryptocurrency data.
The malicious packages, downloaded a combined 330 times, were uncovered by the Socket Research Team, which connected them to previous Lazarus supply chain attacks.
Lazarus is known for injecting malicious packages into widely used software registries like npm, GitHub, and PyPI, allowing them to gain initial access to networks and launch large-scale attacks. This method has been used in past incidents, including the $1.5 billion Bybit crypto heist.
The six npm packages rely on typosquatting to trick developers into installing them, using names such as is-buffer-validator, auth-validator, and react-event-dependency that mimic legitimate libraries.
The malware embedded in these packages steals stored passwords, cookies, browsing history, and cryptocurrency wallets, specifically targeting Solana and Exodus wallets. It also deploys BeaverTail malware and the InvisibleFerret backdoor, previously used in fake job offer scams. Despite the discovery, all six malicious packages remain available on npm and GitHub, posing an active threat.
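As an added defender-side example (not code from the article or from the Socket Research Team), the following Python audit reads a package.json, flags any dependency whose name matches the packages named above, and flags names that look like padded or misspelled variants of a constructed allowlist of legitimate packages:

```python
import json
from difflib import SequenceMatcher

# Package names the article reports as malicious.
REPORTED_MALICIOUS = {"is-buffer-validator", "auth-validator", "react-event-dependency"}

# Constructed allowlist of legitimate names a typosquat would imitate; a real
# audit would use the project's own vetted dependency list instead.
KNOWN_GOOD = {"is-buffer", "react", "react-dom", "validator", "express"}


def similarity(a: str, b: str) -> float:
    """Similarity ratio in [0, 1] between two package names."""
    return SequenceMatcher(None, a, b).ratio()


def lookalike_of(name: str, known=KNOWN_GOOD, threshold: float = 0.8):
    """Return the known-good name this package most resembles, or None.

    Catches two typosquat styles: a trusted name padded with an extra segment
    (is-buffer-validator, auth-validator) and a near-misspelling (expres)."""
    if name in known:
        return None
    for good in sorted(known):  # sorted for deterministic results
        if name.startswith(good + "-") or name.endswith("-" + good):
            return good
        if similarity(name, good) >= threshold:
            return good
    return None


def audit_dependencies(package_json_text: str):
    """Return a list of (dependency, reason) findings for a package.json string."""
    manifest = json.loads(package_json_text)
    findings = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name in manifest.get(section, {}):
            if name in REPORTED_MALICIOUS:
                findings.append((name, "reported malicious"))
            else:
                good = lookalike_of(name)
                if good is not None:
                    findings.append((name, f"lookalike of {good}"))
    return findings


if __name__ == "__main__":
    # Constructed sample manifest mixing clean, reported and lookalike names.
    sample = json.dumps({"dependencies": {"react": "^18", "is-buffer-validator": "1.0.0",
                                          "expres": "4.0.0"}, "devDependencies": {"lodash": "4"}})
    for dep, reason in audit_dependencies(sample):
        print(f"{dep}: {reason}")
```

Run it as part of CI before `npm install` so a padded or misspelled dependency is reviewed before it executes install scripts.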
Bijay Pokharel