Image: The Socket Research Team
The Lazarus Group, North Korea’s notorious state-backed cyber threat actor, has infiltrated the npm ecosystem once again, deploying a new wave of six malicious packages designed to compromise developer environments, steal credentials, extract cryptocurrency data, and deploy backdoors. This supply chain attack was uncovered by the Socket Research Team, which has identified Lazarus’ continued efforts to exploit open-source ecosystems.
Lazarus’ latest campaign includes the following malicious npm packages:
- is-buffer-validator
- yoojae-validator
- event-handle-package
- array-empty-validator
- react-event-dependency
- auth-validator
These packages mimic widely trusted JavaScript libraries, a well-documented typosquatting tactic employed by Lazarus-linked actors. The attackers also created GitHub repositories for five of the six packages, adding a layer of legitimacy to deceive unsuspecting developers.
“The six new packages — collectively downloaded over 330 times — closely mimic the names of widely trusted libraries, employing a well-known typosquatting tactic used by Lazarus-linked threat actors to deceive developers,” the report explains.
As of this report, these malicious packages remain active on the npm registry, pending removal. Socket researchers have reported the affected GitHub repositories and user accounts to mitigate further compromise.
Lazarus leverages open-source infrastructure to enhance persistence. By creating or repurposing GitHub repositories, the attackers further obscure their operations, making their activity appear as part of legitimate open-source development.
“By creating or repurposing GitHub repositories for the malicious packages, the threat actor further obscures its activities, making the operation appear as part of legitimate open source development,” the report warns.
Additionally, the malicious scripts dynamically obfuscate their execution, using self-invoking functions, array shifting, and dynamic function constructors to evade security tools.
Lazarus Group’s continued exploitation of open-source ecosystems presents a significant threat to software supply chains. As the group refines its tactics and expands its targeted attacks, security teams must remain vigilant.
Related Posts:
- Cybercriminals Increasingly Target Google, Microsoft, and Amazon in Sophisticated Phishing Schemes
- Temptation from Money: Lazarus APT extended to cryptocurrencies
- Malicious Go Packages Target Developers with Hidden Loader Malware on Linux and macOS
- Malicious PyPI Package Targets Discord Developers with Token Theft and Backdoor Exploit
- Lazarus Group Deploys Electron-Based Malware to Target Cryptocurrency Enthusiasts
