Lazarus Group deceives developers with 6 new malicious npm packages – CyberScoop

Lazarus Group has burrowed deeper into the npm registry and planted six new malicious packages designed to deceive software developers and disrupt their workflows, researchers at cybersecurity firm Socket said in a Monday blog post.
The North Korea-linked threat group embedded BeaverTail malware into the npm packages to install backdoors and steal credentials and data in cryptocurrency wallets, according to Socket. The malicious code targets npm, a package manager for the JavaScript programming language, which is maintained by a subsidiary of Microsoft-owned GitHub.
A GitHub spokesperson said all six of the malicious packages were removed Wednesday.
The packages containing BeaverTail malware, aligning with previous Lazarus tactics, include is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator, Socket researchers said.
“The six new packages — collectively downloaded over 330 times — closely mimic the names of widely trusted libraries, employing a well-known typosquatting tactic used by Lazarus-linked threat actors to deceive developers,” Kirill Boychenko, threat intelligence analyst at Socket, said in the blog post.
Lazarus Group also “created and maintained GitHub repositories for five of the malicious packages, lending an appearance of open source legitimacy and increasing the likelihood of the harmful code being integrated into developer workflows,” Boychenko added.
The naming scheme applied to the malicious packages suggests Lazarus Group is aware of Socket’s research into its previous malicious npm activities. One package in particular, is-buffer-validator, resembles the is-buffer module first authored by Socket CEO Feross Aboukhadijeh in 2015. The legitimate is-buffer package has been downloaded over 134 million times.
The malicious code embedded in the packages mirrors techniques observed in previous campaigns linked to the Lazarus Group, including self-invoking functions, dynamic function constructors and array shifting to obscure the packages’ functionality, according to Socket.
BeaverTail malware allows for multi-stage payload delivery and persistence mechanisms for long-term access. The code collects system environment details and extracts sensitive login files and keychain archives.
The malware also targets cryptocurrency wallets by extracting id.json from Solana and exodus.wallet from Exodus, which are then uploaded to a hardcoded C2 server, echoing another Lazarus Group tactic of harvesting and transmitting stolen data, Socket researchers said.
The notorious collective of malicious hackers, which North Korea assembled as early as 2007, according to the U.S. government, stole $1.46 billion in Ethereum from cryptocurrency exchange ByBit last month. It was the largest known financial theft in history.