Lazarus Infects New Batch of JavaScript Packages With Crypto Stealing Malware: Researchers

Decrypt
9 hours ago

In a new attack, North Korea's Lazarus group has been linked to six fresh malicious npm packages.


Discovered by The Socket Research Team, the latest attack tries to deploy backdoors to steal credentials.


Lazarus is the infamous North Korean hacker group that has been linked to the recent $1.4 billion Bybit hack, the $41 million hack of crypto casino Stake, the $27 million hack of crypto exchange CoinEx, and countless other incidents in the crypto industry.


The group was also initially linked to the $235 million hack of India crypto exchange WazirX in July 2024. But last month, the Delhi Police’s Intelligence Fusion and Strategic Operations (IFSO) division arrested a Bengal man and seized three laptops in connection with the exploit.


This new round of malware linked to Lazarus can also harvest cryptocurrency data, lifting sensitive information from Solana and Exodus crypto wallets. The attack targets files belonging to the Google Chrome, Brave and Firefox browsers, as well as keychain data on macOS, and is aimed specifically at developers who might unknowingly install the packages.


"Attributing this attack definitively to Lazarus or a sophisticated copycat remains challenging, as absolute attribution is inherently difficult," wrote Kirill Boychenko, threat intelligence analyst at Socket Security, in a blog post. "However, the tactics, techniques, and procedures (TTPs) observed in this npm attack closely align with Lazarus’s known operations, extensively documented by researchers from Unit42, eSentire, DataDog, Phylum, and others since 2022."


The six packages that have been identified are: is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator. They rely on typosquatting: misspelled or lookalike names chosen to resemble legitimate packages, so that developers install them by mistake.
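As an added example that is not code from the article or from Socket's own tooling, the following script shows the kind of dependency audit a defender can run against a project's package.json: it flags the six package names the report lists, and it applies two lookalike heuristics (a small edit distance from a well-known name, or a well-known name with an extra word bolted on). The `POPULAR_PACKAGES` list, the `SAMPLE_PACKAGE_JSON` manifest and the function names are constructed for this illustration.

```javascript
// Added example (not from the article or from Socket's tooling): audit a package.json
// dependency map against the six package names in the report, plus two lookalike
// heuristics. Everything below runs offline on the constructed sample at the bottom.

// The six package names given in the article.
const KNOWN_MALICIOUS = new Set([
  "is-buffer-validator",
  "yoojae-validator",
  "event-handle-package",
  "array-empty-validator",
  "react-event-dependency",
  "auth-validator",
]);

// Constructed, illustrative list of widely used packages that lookalikes imitate.
// A real deployment would derive this from the project's lock file or a registry popularity list.
const POPULAR_PACKAGES = ["is-buffer", "validator", "lodash", "express", "react"];

// Classic Levenshtein edit distance (insert, delete, substitute; each costs 1).
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns one finding per suspicious dependency name; clean names produce no entry.
function auditDependencies(pkg, maxDistance = 2) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (KNOWN_MALICIOUS.has(name)) {
      findings.push({ name, reason: "known-malicious" });
      continue;
    }
    if (POPULAR_PACKAGES.includes(name)) continue; // exact match: the genuine package
    for (const popular of POPULAR_PACKAGES) {
      const d = levenshtein(name, popular);
      if (d <= maxDistance) {
        // A near-miss spelling of a well-known name, e.g. "lodahs" for "lodash".
        findings.push({ name, reason: `edit-distance ${d} from ${popular}` });
        break;
      }
      if (name.startsWith(popular + "-") || name.endsWith("-" + popular)) {
        // A well-known name with a word bolted on. This is noisy (many genuine
        // packages look like this), so treat it as a review queue, not a block.
        findings.push({ name, reason: `extends ${popular}` });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample manifest: one genuine package, one misspelling, one name from
// the report, and one constructed "extension" of a popular name.
const SAMPLE_PACKAGE_JSON = {
  name: "sample-app",
  dependencies: {
    express: "^4.19.0",
    lodahs: "^4.17.0",
    "is-buffer-validator": "^1.0.0",
  },
  devDependencies: {
    "lodash-helpers-util": "^0.1.0",
  },
};

for (const f of auditDependencies(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.name}: ${f.reason}`);
}
```

The exact-name match is the only check that is conclusive; the two heuristics are deliberately loose and will flag legitimate packages (any scoped helper named after a popular library, for instance), so their output belongs in a human review step rather than an automatic install block. Lowering `maxDistance` to 1 trims the noise at the cost of missing two-character misspellings.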


According to Boychenko: "The APT group created and maintained GitHub repositories for five of the malicious packages, lending an appearance of open source legitimacy and increasing the likelihood of the harmful code being integrated into developer workflows."


The packages have been collectively downloaded over 330 times. At time of publishing, The Socket Team has petitioned for their removal and has reported the associated GitHub repositories and user accounts.


This type of technique has been used by Lazarus in the past, with the Bybit exchange heist amounting to a loss of around $1.4 billion in Ethereum. About 20 percent of those stolen funds have become untraceable.


In a statement, Bybit CEO, Ben Zhou, said: "77% are still traceable, 20% have gone dark, 3% have been frozen."


Boychenko says: "The group’s tactics align with past campaigns leveraging multi-stage payloads to maintain long-term access, the cybersecurity experts note."


Edited by James Rubin.

