The Lazarus Group, a notorious North Korean hacking collective, has been linked to a recent attack involving malicious npm packages. These six malicious packages, which were downloaded approximately 330 times, were designed to steal sensitive information, including account credentials and cryptocurrency data. The group used typosquatting tactics to trick developers into downloading packages that appeared legitimate but were, in fact, compromised. By leveraging these packages, Lazarus Group was able to plant malware and backdoors in the compromised systems.
The six malicious packages identified included names such as “is-buffer-validator,” “yoojae-validator,” and “auth-validator,” all mimicking popular libraries.
These packages, once installed, would steal login credentials, extract data from browsers, and target cryptocurrency wallets. The malware was designed to specifically harvest wallet files like “id.json” from Solana and “exodus.wallet” from Exodus. In addition to credential theft, the packages installed backdoors, allowing Lazarus Group to maintain long-term access to the infected systems and networks.
This attack highlights the risk developers face when using open-source repositories like npm, which are often trusted without thorough verification. The malicious code inside these packages was designed to extract sensitive information from browsers and system environments. It targeted not only login data but also API keys, system credentials, and even stored cryptocurrency wallet information.
The Lazarus Group’s focus on stealing crypto data is consistent with North Korea’s history of cybercrime, often motivated by financial gain to fund state-backed activities.
Although GitHub has removed the identified malicious packages, the risk remains, as Lazarus Group may continue to use similar tactics in future campaigns. To protect against such attacks, developers and organizations must adopt robust security practices. Verifying package sources, checking the reputation of the publisher, and closely examining code for anomalies are key steps in mitigating the threat. This attack serves as a reminder of the importance of scrutinizing third-party code in open-source environments to safeguard both individual and organizational data.
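One concrete form the "verify package sources" advice can take is a pre-install check of a project's manifest for typosquat-style dependency names. The script below is an added illustration, not code from the article or from npm; it flags the three package names the article reports, plus any dependency whose name is a popular library with an extra prefix or suffix, or a near-miss spelling of one. The `POPULAR` list and the sample `package.json` are constructed for the demonstration; a real audit would load the project's own expected-dependency allowlist.

```python
"""Hypothetical dependency audit: flag typosquat-style names in a package.json.

Added illustration; not code from the article, npm, or any named project.
"""
import json

# Package names the article reports as malicious (taken from the page).
KNOWN_MALICIOUS = {"is-buffer-validator", "yoojae-validator", "auth-validator"}

# Popular libraries that typosquats tend to imitate. Constructed, short list;
# a real audit would load a fuller allowlist of the packages the project expects.
POPULAR = ["is-buffer", "validator", "lodash", "express", "axios"]

# Constructed sample manifest standing in for a project's package.json.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "dependencies": {
        "express": "^4.18.2",
        "lodahs": "4.17.21",
        "is-buffer-validator": "1.0.3",
    },
    "devDependencies": {
        "auth-validator": "0.0.1",
    },
})


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), used for near-miss names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name: str, popular=POPULAR, known=KNOWN_MALICIOUS, max_edits: int = 2):
    """Return a list of (reason, lookalike) findings for one dependency name."""
    findings = []
    if name in known:
        findings.append(("known-malicious", name))
    if name in popular:
        return findings  # exact match to an expected package: nothing more to add
    for legit in popular:
        # "is-buffer-validator" is "is-buffer" plus a suffix and "validator" plus a prefix
        if name.startswith(legit + "-") or name.endswith("-" + legit):
            findings.append(("popular-name-with-affix", legit))
        elif levenshtein(name, legit) <= max_edits:
            findings.append(("near-miss-spelling", legit))
    return findings


def audit_manifest(package_json_text: str, **kw):
    """Audit dependencies and devDependencies; return {name: [findings]} for flagged names."""
    manifest = json.loads(package_json_text)
    flagged = {}
    for section in ("dependencies", "devDependencies"):
        for name in manifest.get(section, {}):
            hits = classify(name, **kw)
            if hits:
                flagged[name] = hits
    return flagged


if __name__ == "__main__":
    for name, hits in audit_manifest(SAMPLE_PACKAGE_JSON).items():
        print(f"{name}: {hits}")
```

Run against the constructed manifest, the check passes `express` untouched, flags `lodahs` as a near-miss of `lodash`, and reports both article-listed names as known malicious and as affix variants of `is-buffer` and `validator`. A name-based check like this only catches the typosquatting half of the problem; the backdoor behaviour the article describes still calls for reviewing install scripts and the package contents themselves.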