North Korean hackers infect more than 300 developers with npm malware for crypto theft

The Lazarus Group has infected hundreds of software developers, deploying malware via npm packages to steal credentials, extract crypto wallet data, and install a persistent backdoor.
According to research by the Socket Research Team, North Korean hackers from Lazarus uploaded six malicious packages to npm, targeting developers and crypto users.
These malicious packages—downloaded over 300 times—aim to steal login credentials, deploy backdoors, and extract sensitive data from Solana and Exodus wallets.
The malware specifically targets browser profiles, scanning files from Chrome, Brave, and Firefox, as well as macOS keychain data.
How Lazarus spreads the malware
The identified malicious packages include:
- is-buffer-validator
- yoojae-validator
- event-handle-package
- array-empty-validator
- react-event-dependency
- auth-validator
These packages use typosquatting techniques to trick developers into downloading them under slightly misspelled names.
"The stolen data is then transmitted to a hardcoded C2 server at hxxp://172.86.84[.]38:1224/uploads, following Lazarus' well-documented strategy for collecting and exfiltrating compromised information," said threat analyst Kirill Boychenko from Socket Security.
Mitigating the threat
Lazarus and other advanced threat actors are expected to refine their infiltration tactics further, according to Socket Security.
To mitigate these risks, organizations should implement a multi-layered security approach, including:
- Automated dependency audits and code reviews to detect anomalies in third-party packages, especially those with low downloads or unverified sources.
- Continuous monitoring of dependency changes to spot malicious updates.
- Blocking outbound connections to known C2 endpoints to prevent data exfiltration.
- Isolating untrusted code in controlled environments and deploying endpoint security solutions to detect suspicious filesystem or network activity.
- Educating developers on typosquatting tactics to enhance vigilance and proper verification before installing new packages.
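As an added example that is not part of the Socket report or this article, the following Node.js snippet shows what the first and last mitigations look like in practice: it audits a project's dependency map, flags the six package names reported above, and flags near-miss spellings of an assumed allowlist of trusted package names. The allowlist and the sample package.json dependencies are constructed for illustration.

```javascript
// Blocklist: the six malicious npm package names reported by Socket (from the article).
const KNOWN_MALICIOUS = new Set([
  "is-buffer-validator", "yoojae-validator", "event-handle-package",
  "array-empty-validator", "react-event-dependency", "auth-validator",
]);

// Hypothetical allowlist of packages the team already trusts; a real audit would
// load the organisation's own approved list or a popular-packages feed.
const TRUSTED = ["is-buffer", "validator", "event-handler", "array-empty", "react-event-listener"];

// Standard Levenshtein edit distance (single-row dynamic programming).
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diagonal = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(above + 1, prev[j - 1] + 1, diagonal + cost);
      diagonal = above;
    }
  }
  return prev[b.length];
}

// Audit a package.json-style dependency map. Exact blocklist hits are reported first;
// names that are not trusted but sit within `maxDistance` edits of a trusted name are
// reported as typosquat candidates (very short names are skipped to limit false positives).
function auditDependencies(deps, { maxDistance = 2, minLength = 5 } = {}) {
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (KNOWN_MALICIOUS.has(name)) {
      findings.push({ name, reason: "known-malicious" });
      continue;
    }
    if (TRUSTED.includes(name) || name.length < minLength) continue;
    const near = TRUSTED.find((t) => levenshtein(name, t) <= maxDistance);
    if (near) findings.push({ name, reason: "typosquat-candidate", suspectedTarget: near });
  }
  return findings;
}

// Constructed sample dependency map (not taken from any real project).
const SAMPLE_DEPS = { express: "^4.19.2", "is-buffer-validator": "1.0.0", valdiator: "13.0.0", react: "^18.2.0" };

console.log(auditDependencies(SAMPLE_DEPS));
```

Run it as a pre-install or CI step against the real `dependencies` and `devDependencies` objects; any finding should block the install until a human has reviewed the package.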
As we wrote, in a dramatic twist in the ongoing saga of cryptocurrency security breaches, authorities have identified the notorious Lazarus Group as the orchestrator behind the recent Bybit exploit.