99/68 Thursday, March 13, 2025

The North Korean state-sponsored hacking group Lazarus has resurfaced, using typosquatting to distribute malicious npm packages. The fake packages carry names that closely resemble those of popular packages, tricking developers into downloading and installing malware. Researchers from the Socket Research Team discovered six such malicious packages, which had already been downloaded over 330 times. The embedded malware can steal login credentials and cryptocurrency data and install backdoors for long-term system access.
This malware is designed to collect system data and extract passwords from browsers like Chrome and Firefox. Additionally, it specifically targets digital wallet files from Solana and Exodus, aiming to steal cryptocurrency assets. Ensar Seker, Head of Security at SOCRadar, stated that this campaign aligns with North Korea’s strategy of attacking financial platforms to fund its government operations. Furthermore, the fake packages can provide hackers access to sensitive data such as SSH keys and cloud service tokens, potentially leading to large-scale organizational breaches.
Although GitHub has removed all known malicious packages, supply chain attacks remain a serious threat. Developers should exercise caution by verifying a package's reputation before installation, using security scanners such as Socket AI Scanner, and enabling multi-layered protection. Organizations should implement automated monitoring of third-party packages and train their teams to recognize suspicious package names in order to mitigate the risk of such attacks.
Source: https://hackread.com/lazarus-group-backdoor-fake-npm-packages-attack/