North Korea’s Lazarus Deploys Malicious NPM Packages to Steal Data

North Korea’s Lazarus Group expanded a cyber attack campaign of uploading malicious code to the JavaScript runtime environment NPM repository, publishing 11 new packages embedded with Trojan loaders.
Security firm Socket said Friday that it identified 11 malicious packages in the repository – a hotspot for supply chain attacks – that deliver the “BeaverTail” infostealer (see: Breach Roundup: Malicious NPM Packages Maintain Persistence Even if Initial Malware Is Uninstalled).
BeaverTail targets browser data, the macOS keychain and cryptocurrency wallets. It includes functionality to extract private keys from the Solana blockchain id.json file. North Korean hackers uniquely pillage blockchains for their government, which uses stolen crypto to obtain hard currency and fund weapons of mass destruction.
The malicious packages evade automated detection and flagging by manual code audits by obfuscating strings with hexadecimal encoding. Socket says the threat actor is the same Pyongyang group responsible for an ongoing campaign tracked as “Contagious Interview,” in which social engineers trick job seekers into downloading malware as part of a purported job interview (see: Breach Roundup: North Korea’s Contagious Interview Campaign Deploys New Malware).
Tells that Lazarus is behind both campaigns include identical obfuscation techniques, the use of BeaverTail and the use of command-and-control servers linked to North Korean infrastructure. Several packages download a second-stage backdoor tracked as “InvisibleFerret,” also a known North Korean malicious tool.
The malicious packages masquerade as utilities for array validation, logging and debugging. Several packages – including dev-debugger-vite, snore-log and core-pino – contain scripts that scan hundreds of browser profile directories. The stolen data is silently exfiltrated via HTTP POST requests to obfuscated C2 servers. One key feature across the packages is the use of hex-based string encoding. Malicious scripts translate ASCII strings using inline decoding functions, masking keywords like require or axios and hiding URLs for payload retrieval. This tactic, seen in the cln-logger and node-clog packages, aims to frustrate traditional malware detection mechanisms.
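As an added illustration (not code from Socket's report or from the packages it describes), a small scanner that applies the detection idea above: it decodes hex-escaped and hex-literal strings in JavaScript source and flags any that conceal keywords such as require, axios or a URL. The sample source and the keyword list are constructed for this example.

```javascript
// Keywords an obfuscated string should never need to hide (constructed list).
const SUSPICIOUS = ["require", "axios", "child_process", "http://", "https://", "id.json"];

// Runs of four or more \xNN escapes inside a string literal.
const ESCAPE_RUN = /(?:\\x[0-9a-fA-F]{2}){4,}/g;
// Quoted literals made only of hex digits, long enough to hold a keyword.
const HEX_LITERAL = /['"]([0-9a-fA-F]{8,})['"]/g;

function decodeEscapes(run) {
  return run.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

function decodeHexLiteral(hex) {
  if (hex.length % 2 !== 0) return null;
  let out = "";
  for (let i = 0; i < hex.length; i += 2) out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  return out;
}

// Returns one finding per encoded string whose decoded form is printable
// ASCII and contains a suspicious keyword; binary-looking hex (hashes) is ignored.
function scanSource(source) {
  const findings = [];
  const consider = (encoded, decoded, kind) => {
    if (!/^[\x20-\x7e]+$/.test(decoded)) return;
    const hits = SUSPICIOUS.filter((k) => decoded.includes(k));
    if (hits.length) findings.push({ kind, encoded, decoded, hits });
  };
  for (const m of source.matchAll(ESCAPE_RUN)) consider(m[0], decodeEscapes(m[0]), "escape");
  for (const m of source.matchAll(HEX_LITERAL)) {
    const d = decodeHexLiteral(m[1]);
    if (d !== null) consider(m[1], d, "hex-literal");
  }
  return findings;
}

// Constructed sample: two escape-obfuscated identifiers, one hex-encoded URL
// behind an inline decoder, and a harmless hex digest that must not be flagged.
const SAMPLE = [
  'const r = this["\\x72\\x65\\x71\\x75\\x69\\x72\\x65"]("\\x61\\x78\\x69\\x6f\\x73");',
  'const d = (h) => Buffer.from(h, "hex").toString(); const u = d("687474703a2f2f6578616d706c652e746573742f7570");',
  'const digest = "d41d8cd98f00b204e9800998ecf8427e";',
].join("\n");

for (const f of scanSource(SAMPLE)) console.log(f.kind, JSON.stringify(f.decoded), f.hits.join(","));
```

Run over a package's unpacked tarball, a few findings like these are a cheap triage signal to review by hand before the package is allowed into a build.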
Unlike earlier efforts, the Lazarus-linked campaign now utilizes Bitbucket repositories alongside GitHub. The icloud-cod package was tied to a Bitbucket repo under a directory named eiwork_hire, hinting at further use of fake job postings to lure developers.
The threat actor’s strategy relies on distributing multiple malware variants across diverse accounts while rotating endpoints to maintain persistence and lower the risk of disruption.
“These attackers understand the trust model in open source software,” researchers said. “They are exploiting that trust to insert backdoors into enterprise environments.”