
Security researchers have identified six malicious packages on npm (Node Package Manager) linked to North Korea’s Lazarus hacking group. These packages, downloaded approximately 330 times, are designed to steal credentials, deploy backdoors, and extract cryptocurrency information from compromised systems.
## Sophisticated Supply Chain Attack
The Socket Research Team discovered this campaign and connected it to previous Lazarus operations. The threat group is known for infiltrating software registries like npm—used by millions of JavaScript developers—to compromise the systems of developers who install its packages. Similar campaigns have been observed on GitHub and the Python Package Index (PyPI), providing attackers with initial access to valuable networks.
While Lazarus is responsible for major attacks like the recent $1.5 billion Bybit exchange crypto heist, that particular breach wasn’t executed via malicious packages.
## Identified Malicious Packages
All six packages use typosquatting, names chosen to resemble legitimate libraries, to trick developers into installing them by mistake:
– **is-buffer-validator**: Mimics the popular is-buffer library to steal credentials
– **yoojae-validator**: Extracts sensitive data from infected systems
– **event-handle-package**: Deploys a backdoor while disguised as an event-handling tool
– **array-empty-validator**: Collects system and browser credentials
– **react-event-dependency**: Executes malware while posing as a React utility
– **auth-validator**: Steals login credentials and API keys
## Technical Capabilities
The malicious code systematically collects system information and extracts sensitive data from browsers including Chrome, Brave, and Firefox. It specifically targets cryptocurrency wallets, extracting files from Solana and Exodus wallets.
The packages also deploy known Lazarus malware including BeaverTail and the InvisibleFerret backdoor, previously used in fake job offer campaigns.
## Active Threat
All six packages remain available on npm and GitHub repositories, posing an ongoing threat. Software developers should carefully verify packages before installation and scrutinize open-source code for suspicious elements like obfuscated code and calls to external servers.
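The pre-install review recommended above can be partly automated. The following is an added example, not code from the report or from Socket: it flags the six reported names and applies constructed triage heuristics for the two indicators the article names, obfuscated code and calls to external servers. The indicator patterns and the sample sources are assumptions for illustration.

```javascript
// Added example, not code from the report or from Socket: pre-install review
// heuristics for an npm package, covering the two checks the article names
// (obfuscated code and calls to external servers) plus the six reported names.
const REPORTED_PACKAGES = new Set([
  "is-buffer-validator", "yoojae-validator", "event-handle-package",
  "array-empty-validator", "react-event-dependency", "auth-validator",
]);

// Constructed heuristic patterns for triage; they are not malware signatures,
// and a hit only means a human should read that file before installing.
const INDICATORS = [
  { id: "eval-or-function", re: /\b(eval|new\s+Function)\s*\(/ },
  { id: "long-encoded-literal", re: /["'`][A-Za-z0-9+\/=]{120,}["'`]/ },
  { id: "hex-escaped-string", re: /(\\x[0-9a-f]{2}){8,}/i },
  { id: "network-module", re: /require\(\s*["'](https?|net|dgram)["']\s*\)/ },
  { id: "process-spawn", re: /require\(\s*["']child_process["']\s*\)/ },
  { id: "external-url", re: /https?:\/\/(?!localhost|127\.0\.0\.1)[^\s"'`]+/ },
];

// Return the ids of every indicator that fires on one source file.
function scanSource(source) {
  return INDICATORS.filter(({ re }) => re.test(source)).map(({ id }) => id);
}

// Audit a package by name plus a map of { filePath: sourceText }.
function auditPackage(name, files) {
  const findings = [];
  if (REPORTED_PACKAGES.has(name)) {
    findings.push({ file: "package.json", id: "reported-malicious-name" });
  }
  for (const [file, source] of Object.entries(files)) {
    for (const id of scanSource(source)) findings.push({ file, id });
  }
  return findings;
}

// Constructed samples: a plain utility and a file that trips the indicators.
const CLEAN_SOURCE = "module.exports = (x) => Buffer.isBuffer(x);\n";
const SUSPICIOUS_SOURCE = [
  `const blob = "${"QUFB".repeat(40)}";`,                    // long encoded literal
  'eval(Buffer.from(blob, "base64").toString());',          // dynamic code execution
  'require("https").get("https://example.invalid/collect");', // outbound call
].join("\n");

// Example run: returns one finding per indicator hit, per file.
function demo() {
  return {
    suspicious: auditPackage("is-buffer-validator", { "index.js": SUSPICIOUS_SOURCE }),
    clean: auditPackage("is-buffer", { "index.js": CLEAN_SOURCE }),
  };
}
```

Run `demo()` to see five findings for the constructed suspicious package and none for the clean one; in practice the file map would be built from the unpacked tarball of the package under review.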