
North Korean Hackers Target Cryptocurrency Wallets with New Malicious npm Packages

North Korea's Lazarus Group Targets Crypto Wallets with Malicious npm Packages

  • North Korea's Lazarus group has been linked to six new malicious npm packages targeting cryptocurrency wallets and sensitive browser data.
  • The attack specifically targets Solana and Exodus crypto wallets by extracting data from popular browsers and macOS keychain.
  • These malicious packages have been downloaded over 330 times, with Socket Security researchers pushing for their removal.

North Korea's notorious hacking collective Lazarus has deployed a fresh attack vector, releasing six malicious npm packages designed to steal cryptocurrency credentials. The Socket Research Team discovered the sophisticated campaign, which targets developers while attempting to pilfer data from crypto wallets and browsers.


The malicious software specifically extracts sensitive information from Solana and Exodus cryptocurrency wallets by targeting files in Google Chrome, Brave, and Firefox browsers. On macOS systems, the attack additionally targets keychain data, creating a comprehensive theft mechanism aimed at developers who might inadvertently install these packages.

Kirill Boychenko, threat intelligence analyst at Socket Security, explained the attribution challenge in a blog post: “Attributing this attack definitively to Lazarus or a sophisticated copycat remains challenging, as absolute attribution is inherently difficult. However, the tactics, techniques, and procedures (TTPs) observed in this npm attack closely align with Lazarus’s known operations, extensively documented by researchers from Unit42, eSentire, DataDog, Phylum, and others since 2022.”

The six identified packages employ typosquatting techniques, using deceptively misspelled names to trick developers:
– is-buffer-validator
– yoojae-validator
– event-handle-package
– array-empty-validator
– react-event-dependency
– auth-validator

To enhance their deception, the attackers created legitimate-appearing GitHub repositories for five of these packages. “The APT group created and maintained GitHub repositories for five of the malicious packages, lending an appearance of open source legitimacy and increasing the likelihood of the harmful code being integrated into developer workflows,” Boychenko noted.


The collective download count for these packages has surpassed 330, with the Socket team actively working to have them removed after reporting the malicious repositories and associated user accounts.

This latest attack aligns with Lazarus’s extensive history of cryptocurrency-targeted operations. The group has been implicated in several major crypto heists, including the recent $1.4 billion Bybit hack, a $41 million breach of crypto casino Stake, and a $27 million attack on crypto exchange CoinEx.

Lazarus was also initially connected to the $235 million WazirX hack in July 2024, though subsequent investigation by Delhi Police’s Intelligence Fusion and Strategic Operations division led to the arrest of a suspect from Bengal.

Regarding the massive Bybit heist involving approximately $1.4 billion in Ethereum assets, Ben Zhou, Bybit’s CEO, confirmed: “77% are still traceable, 20% have gone dark, 3% have been frozen.”

Security researchers emphasize that these techniques are consistent with previous Lazarus campaigns, with Boychenko stating: “The group’s tactics align with past campaigns leveraging multi-stage payloads to maintain long-term access.”
