Lazarus Hackers Weaponize 6 NPM Packages to Steal Credentials

North Korea’s Lazarus Group has launched a new wave of attacks on the npm ecosystem, compromising six packages designed to steal credentials, extract cryptocurrency data, and deploy backdoors.

These malicious packages, which have been downloaded over 330 times, mimic the names of widely trusted libraries, employing a typosquatting tactic to deceive developers.

The packages in question include is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator.

Malicious Tactics and Techniques

The Lazarus Group’s tactics closely align with their previous operations, including the use of identical obfuscation techniques and cross-platform targeting of Windows, macOS, and Linux systems.

The malware embedded in these packages, known as BeaverTail, is accompanied by the InvisibleFerret backdoor, which is deployed in a multi-stage payload delivery strategy.

This approach ensures persistence and stealth, allowing the malware to maintain long-term access to compromised systems.

The code is designed to collect system environment details, iterate through browser profiles to extract sensitive files, and target cryptocurrency wallets.

Stolen data is exfiltrated to a hardcoded command and control (C2) server.

The malicious packages were published under various npm aliases and linked to GitHub repositories, lending them an appearance of legitimacy.

For instance, is-buffer-validator closely resembles the widely used is-buffer module, which has been downloaded over 134 million times.

This strategic naming may indicate an awareness of existing research or an attempt to exploit the trust associated with legitimate libraries.

Despite these sophisticated tactics, the Socket AI Scanner successfully identified all six packages as malicious.

Mitigation and Recommendations

According to the report, organizations should counter these threats with a multi-layered defense strategy.

This includes automated dependency auditing, continuous monitoring of unusual dependency changes, and blocking outbound connections to known C2 endpoints.

Sandboxing untrusted code and deploying endpoint protection can detect suspicious activities.

Educating development teams about typosquatting tactics is crucial for promoting vigilance and ensuring proper vetting of new packages.

By integrating security measures into development workflows, organizations can significantly mitigate the risk of supply chain attacks.
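As an added illustration of the automated dependency auditing recommended above (example code, not from the article or from Socket), the script below checks a parsed package.json against the six package names named in the report and flags dependencies whose names look like typosquats of trusted libraries, in the way is-buffer-validator shadows is-buffer. The trusted-name list and the sample manifest are constructed for the example.

```javascript
// Added example, not the article's or Socket's code. Flags the six names from
// the report plus lookalikes of a (constructed) trusted-library allowlist.
const KNOWN_MALICIOUS = new Set([
  "is-buffer-validator", "yoojae-validator", "event-handle-package",
  "array-empty-validator", "react-event-dependency", "auth-validator",
]);

// Constructed sample allowlist; replace with the libraries your project actually trusts.
const TRUSTED = ["is-buffer", "validator", "react", "lodash"];

// Levenshtein distance, used to catch one- or two-character typosquats.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Classify one dependency name; null means nothing looked wrong.
// Suffix/lookalike verdicts are review prompts, not proof of malice
// (e.g. "react-dom" is legitimate), so keep an allowlist of known-good names.
function classify(name) {
  if (KNOWN_MALICIOUS.has(name)) return "known-malicious";
  for (const t of TRUSTED) {
    if (name === t) return null;
    // "is-buffer-validator" style: a trusted name with an extra segment bolted on.
    if (name.startsWith(t + "-") || name.endsWith("-" + t)) return `suffix-of:${t}`;
    if (editDistance(name, t) <= 2) return `lookalike-of:${t}`;
  }
  return null;
}

// Audit every dependency in a parsed package.json; returns { name: verdict }.
function auditPackageJson(pkg) {
  const findings = {};
  for (const section of ["dependencies", "devDependencies"]) {
    for (const name of Object.keys(pkg[section] || {})) {
      const verdict = classify(name);
      if (verdict) findings[name] = verdict;
    }
  }
  return findings;
}

// Constructed sample manifest mixing legitimate and suspicious entries.
const SAMPLE = {
  dependencies: { "is-buffer": "2.0.5", "is-buffer-validator": "1.0.0", "lodahs": "4.17.21" },
  devDependencies: { "auth-validator": "0.1.0" },
};
console.log(auditPackageJson(SAMPLE));
```

Run it in CI against the real manifest (`JSON.parse(fs.readFileSync("package.json"))`) and fail the build on any `known-malicious` verdict while routing the others to review.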

The ongoing evolution of obfuscation techniques and the potential expansion of targeting to additional ecosystems underscore the importance of early detection and contextual dependency scanning.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
