
A screenshot of the malicious postcss-optimizer package on the npm registry
Cybersecurity researchers at Socket have uncovered a new supply chain attack orchestrated by Lazarus Group, the notorious North Korean state-sponsored APT. The attack involves a malicious npm package named postcss-optimizer, which is designed to infiltrate developer environments and steal sensitive data.
The package, which has been downloaded 477 times, contains the BeaverTail malware, a multi-functional infostealer and malware loader. Once installed, it establishes persistence, exfiltrates credentials, and deploys secondary payloads—potentially the InvisibleFerret backdoor. At the time of reporting, the malicious package was still live on npm, though researchers have petitioned for its removal.
The attack is particularly dangerous because it exploits the trust of open-source software ecosystems. The postcss-optimizer package mimics the legitimate postcss library, which has over 16 billion downloads.
By using a deceptive name and similar functionality, the attackers increased the chances of accidental installations by developers who believed they were using a legitimate tool.
“The high degree of similarity increases the likelihood that a target may mistakenly install it, believing it to be the authentic package,” the researchers warn. Once installed, the malicious package stealthily executes a structured, multi-stage attack to compromise the victim’s system.
The malware begins by gathering key system details. It then downloads a second-stage payload, renames it to disguise its presence, and executes it; the renaming is intended to evade basic detection mechanisms so that the payload runs successfully. The malware steals stored credentials from browsers such as Chrome, Brave, and Firefox and uploads them to a hardcoded C2 server.
Additionally, it targets cryptocurrency wallets such as:
- MetaMask
- Phantom
- Binance Wallet
- Coinbase Wallet
It even steals Solana wallet private keys stored in the user’s configuration files.
“Moreover, the script specifically targets macOS login keychain data by searching for login.keychain and login.keychain-db within the user’s Library directory, further expanding its credential theft capabilities.”
To defend against such attacks, developers and organizations must adopt a proactive security strategy:
✅ Verify npm package authenticity before installing third-party dependencies.
✅ Monitor dependency changes using tools like Socket AI Scanner or npm audit.
✅ Enable runtime behavior analysis to detect unexpected script execution.
✅ Restrict npm installation privileges to prevent unauthorized downloads.
✅ Implement network monitoring for unusual C2 communication attempts.
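The first two defensive points above (verify authenticity, monitor dependency changes) can be partly automated. The following Node.js script is an added example written for this article; it is not code from Socket or from the npm project. It reads a project manifest, flags any dependency whose name is a well-known package name with an extra suffix (the pattern used by postcss-optimizer against postcss) or a near-miss spelling of one, and flags dependencies that declare install-time lifecycle scripts, which is where a malicious package typically gets its first execution. The well-known package list, the sample package.json, and the per-dependency manifests are constructed for the demo; a real gate would read the manifests from node_modules or the registry tarball.

```javascript
// Added example, not from the original report: a pre-install review gate for
// npm dependencies. Heuristics only; every hit is a candidate for human review,
// not a verdict (e.g. "postcss-loader" is a legitimate package that also
// extends the "postcss" name).

// Constructed allowlist of well-known packages this project is expected to use.
const WELL_KNOWN = ["postcss", "lodash", "express", "react", "autoprefixer"];

// Lifecycle hooks that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Classic Levenshtein edit distance, used to catch near-miss spellings.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
    }
  }
  return dp[a.length][b.length];
}

// Returns a human-readable reason if `name` looks like an imitation of a
// well-known package, or null if it is exact or unrelated.
function lookalikeReason(name) {
  const bare = name.replace(/^@[^/]+\//, ""); // drop an npm scope for comparison
  if (WELL_KNOWN.includes(bare)) return null; // exact match: the genuine package
  for (const known of WELL_KNOWN) {
    // "postcss-optimizer" = well-known name + separator + extra word
    if (/^[-_.]/.test(bare.slice(known.length)) && bare.startsWith(known)) {
      return `extends well-known name "${known}"`;
    }
    // "lodahs", "expres": a typo away from the real package
    if (editDistance(bare, known) <= 2) {
      return `within edit distance 2 of "${known}"`;
    }
  }
  return null;
}

// Lists the install-time scripts a dependency's own manifest declares.
function installHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === "string");
}

// Audits every dependency and devDependency of the root manifest.
// `depManifests` maps a dependency name to its package.json contents.
function auditDependencies(rootManifest, depManifests) {
  const findings = [];
  const deps = { ...(rootManifest.dependencies || {}), ...(rootManifest.devDependencies || {}) };
  for (const name of Object.keys(deps)) {
    const reasons = [];
    const why = lookalikeReason(name);
    if (why) reasons.push(`lookalike: ${why}`);
    const hooks = installHooks(depManifests[name]);
    if (hooks.length) reasons.push(`runs install-time scripts: ${hooks.join(", ")}`);
    if (reasons.length) findings.push({ name, reasons });
  }
  return findings;
}

// Constructed sample input: a project that pulled in the lookalike next to the real package.
const SAMPLE_ROOT = {
  dependencies: { postcss: "^8.4.0", "postcss-optimizer": "^1.0.0" },
  devDependencies: { lodash: "^4.17.0" },
};
const SAMPLE_DEP_MANIFESTS = {
  postcss: { name: "postcss", scripts: { test: "jest" } },
  "postcss-optimizer": { name: "postcss-optimizer", scripts: { postinstall: "node ./index.js" } },
  lodash: { name: "lodash", scripts: {} },
};

for (const finding of auditDependencies(SAMPLE_ROOT, SAMPLE_DEP_MANIFESTS)) {
  console.log(`REVIEW ${finding.name}: ${finding.reasons.join("; ")}`);
}
```

Run with `node` before `npm install`; on the sample input it reports only postcss-optimizer, for both the name overlap and the postinstall hook. Pairing this with `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) removes the automatic execution path that install-time hooks give a malicious package, at the cost of having to run trusted packages' build steps explicitly.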