North Korean cyber threat actors, Lazarus Group, have escalated their supply chain attack tactics by introducing a series of malicious npm (Node Package Manager) packages.
Utilizing sophisticated hexadecimal encoding to camouflage their code and evade detection systems, the group aims to compromise developer systems, steal sensitive credentials, and maintain persistent access to targeted environments.
Security researchers have identified several indicators that tie these packages to the group’s long-running “Contagious Interview” operation.
Expansion of Malicious npm Packages
Recent findings reveal that Lazarus has expanded its malware campaign in the npm ecosystem by deploying new malicious packages under aliases such as alextucker0519, mvitalii, taras_lakhai, and wishorn.
According to the report, these packages, masquerading as utilities for logging, debugging, and event handling, contain remote access trojan (RAT) loaders.
Their obfuscation techniques employ hexadecimal string encoding, designed to bypass automated detection systems and manual reviews.
SecurityScorecard researchers uncovered that several packages, including “twitterapis,” “snore-log,” and “core-pino,” connect to command-and-control (C2) servers consistent with previously observed Lazarus infrastructure.

[Figure: icloud-cod.js hosted on Bitbucket]
Notably, these packages use hex-encoded strings to conceal keywords such as “require,” “axios,” and C2 URLs, preventing detection during static analysis.
A closer examination of the package “cln-logger” highlights the malware’s obfuscation tactic: a JavaScript function translates hexadecimal strings into ASCII text.
Such techniques allow the malware to fetch and execute payloads dynamically, often retrieving secondary-stage malware like BeaverTail and InvisibleFerret.
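As an added example, not code from the report, from SecurityScorecard, or from any of the packages named above, the following JavaScript helper shows the reviewer-side counterpart of the obfuscation just described: it finds string literals written as \xNN escapes or as bare hexadecimal digit runs, decodes them, and flags any decoded value that contains a token a reviewer would want to see in plain text (module names, URL schemes). The sample source, the token list, and the example.invalid URL are constructed for illustration; real hashes and random hex are filtered out because they do not decode to printable ASCII.

```javascript
// Added example (not the report's or the packages' own code): decode hex-encoded
// string literals in JavaScript source and flag decoded content worth a manual look.

// Tokens whose presence inside a decoded string is worth surfacing (assumed list).
const SUSPICIOUS_TOKENS = ["require", "axios", "child_process", "eval", "http://", "https://"];

// A quoted literal made entirely of \xNN escapes, e.g. "\x72\x65\x71\x75\x69\x72\x65".
const HEX_ESCAPED_LITERAL = /(["'])((?:\\x[0-9a-fA-F]{2})+)\1/g;
// A quoted literal that is a bare run of hex digits (8+), the form passed to a decoder function.
const BARE_HEX_RUN = /(["'])([0-9a-fA-F]{8,})\1/g;

// Turn "\x72\x65..." into the text it encodes.
function decodeHexEscapes(s) {
  return s.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Turn "6178696f73" into the text it encodes; odd-length input is not a byte string.
function decodeBareHex(s) {
  if (s.length % 2 !== 0) return null;
  let out = "";
  for (let i = 0; i < s.length; i += 2) {
    out += String.fromCharCode(parseInt(s.slice(i, i + 2), 16));
  }
  return out;
}

// Only printable ASCII output is treated as a decoded string; hashes and random
// hex (e.g. an MD5 digest) fail this check and are ignored.
function isPrintableAscii(s) {
  return /^[\x20-\x7e]+$/.test(s);
}

// Collect every hex-encoded literal in the source with its decoded form.
function findHexStrings(source) {
  const findings = [];
  for (const m of source.matchAll(HEX_ESCAPED_LITERAL)) {
    findings.push({ kind: "hex-escape", raw: m[0], decoded: decodeHexEscapes(m[2]) });
  }
  for (const m of source.matchAll(BARE_HEX_RUN)) {
    const decoded = decodeBareHex(m[2]);
    if (decoded !== null && isPrintableAscii(decoded)) {
      findings.push({ kind: "bare-hex", raw: m[0], decoded });
    }
  }
  return findings;
}

// Keep only findings whose decoded text contains a token from the watch list.
function flagSuspicious(findings) {
  return findings.filter((f) => SUSPICIOUS_TOKENS.some((t) => f.decoded.includes(t)));
}

// Constructed sample source mimicking the pattern described above: a small
// hex-to-ASCII decoder plus hex-encoded "require", "axios" and a URL. The MD5
// digest on the last line is noise that a naive decoder would misreport.
const SAMPLE_SOURCE = `
const h = (s) => s.match(/.{2}/g).map((b) => String.fromCharCode(parseInt(b, 16))).join("");
const m = "\\x72\\x65\\x71\\x75\\x69\\x72\\x65";
const lib = "6178696f73";
const url = "68747470733a2f2f6578616d706c652e696e76616c69642f6c6f6164";
const sha = "d41d8cd98f00b204e9800998ecf8427e";
`;

// Human-readable summary, one line per flagged literal.
function report(source) {
  return flagSuspicious(findHexStrings(source)).map(
    (f) => `[${f.kind}] ${f.raw} -> ${JSON.stringify(f.decoded)}`
  );
}

for (const line of report(SAMPLE_SOURCE)) console.log(line);
```

Running the block prints three flagged literals (require, axios, and the constructed https URL) and says nothing about the MD5 digest, which is the behaviour a reviewer wants from a pre-install scan of an unfamiliar package: decoded strings in plain view, without false positives on ordinary hex constants.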
Indicators of Compromise (IoCs)
Researchers identified 11 malicious packages in this expanded campaign, collectively downloaded over 5,600 times. Highlighted packages include:
- empty-array-validator
- twitterapis
- dev-debugger-vite
- snore-log
- core-pino
- events-utils
- icloud-cod
The compromised packages communicate with C2 endpoints tied to Lazarus infrastructure:
- 144.172.87[.]27
- 45.61.151[.]71
- 185.153.182[.]241
- mocki[.]io, wiremockapi[.]cloud, and vercel[.]app URLs.
Lazarus actors leveraged npm, GitHub, and Bitbucket accounts for distribution:
- npm aliases: taras_lakhai, mvitalii, wishorn, crouch626
- GitHub repositories: lukobogdan47/empty-array-validator, austin-a3/twitterapis
- Bitbucket repositories: events-utils/launch-events-utils
Sustained Threat to Software Supply Chains
The Lazarus Group’s strategy underscores its adaptability and its relentless targeting of developers.
By rotating aliases, diversifying obfuscation techniques, and hosting malicious payloads across multiple platforms, they manage to sustain their attacks despite heightened scrutiny.
Their operations consistently attempt to exfiltrate sensitive data such as private keys, browser credentials, and cryptocurrency wallet details, indicating a focus on financial theft alongside broader espionage activities.
Given the advanced nature of these attacks, organizations must prioritize comprehensive supply chain security.
Implementing automated dependency audits, scrutinizing packages with limited download history, and blocking outbound traffic to known C2 endpoints are critical defensive measures.
The Lazarus Group’s deployment of advanced obfuscation techniques in npm packages signals an urgent call for heightened vigilance within the developer community.
Proactive measures such as real-time scanning and contextual analysis during installations can reduce exposure to such threats.
As the group’s tactics evolve, organizations must remain prepared for sustained and increasingly sophisticated supply chain infiltration campaigns.