Researchers at Socket have identified a malicious npm package, postcss-optimizer, which they attribute to the North Korean state-sponsored group Lazarus, an Advanced Persistent Threat (APT).
The package, linked to the Contagious Interview subgroup of Lazarus, targets software developers through a multi-stage malware delivery mechanism. It poses as the legitimate postcss library, which has roughly 16 billion downloads; the malicious postcss-optimizer package itself has been downloaded 477 times.
Once installed, the package deploys BeaverTail malware, which functions as both an infostealer and a malware loader. Its second-stage payload is suspected to be InvisibleFerret, a backdoor commonly associated with Lazarus' software supply-chain operations.
Despite the dangers it poses, the package remains available in the npm registry. Socket has requested its removal, but until it is taken down, anyone who installs it remains exposed.
This incident sheds light on the sophisticated techniques employed by threat actors to exploit software supply chains. The postcss-optimizer package, created by a user named “yolorabbit” on the npm registry, mimics the original postcss library to deceive users into downloading it.
This is not the first time that Lazarus has been implicated in such attacks. In 2022, researchers from Unit 42 uncovered similar campaigns where developers were lured into downloading malicious npm packages through staged interview processes. Once installed, these packages initiated a series of malware attacks, culminating in data exfiltration or the deployment of secondary payloads.
The BeaverTail malware associated with the postcss-optimizer campaign utilizes obfuscation techniques to evade detection, targeting systems across Windows, macOS, and Linux. It collects sensitive data such as credentials, browser cookies, and cryptocurrency wallet files, sending them to a command-and-control server.
BeaverTail also establishes long-term persistence by manipulating registry keys or injecting startup scripts, so that it can fetch and execute additional payloads as needed.
A detailed analysis of the malware reveals its primary focus on data theft, particularly targeting cryptocurrency wallets and financial credentials. The malware is designed to scan for browser extensions related to popular wallets like MetaMask and Phantom, while also stealing Solana wallet keys and macOS login keychain data.
To transmit stolen data, the malware uses HTTP POST requests to communicate with its command-and-control infrastructure. Additionally, the code includes a fallback mechanism to download additional payloads using alternate methods, ensuring resilience against network restrictions.
This incident serves as a stark reminder of the ongoing threat posed by APT groups exploiting open-source ecosystems for distributing malware. Organizations must take proactive steps to secure their software supply chains through measures such as automated dependency audits, behavior-based analysis tools, and real-time monitoring for suspicious npm packages.
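One shape such an automated dependency audit can take, as an added example that is neither Socket's tooling nor code from the report: a Node.js check over a package-lock.json that flags dependency names trading on a well-known package (the pattern postcss-optimizer used against postcss) and raises the severity when the lockfile records an install-time script. The allowlist, the sample lockfile, its versions and its install-script flag are constructed for the demo.

```javascript
// Added example, not Socket's code or the report's: audit an npm lockfile for dependency names
// that trade on a well-known package. Assumes the package-lock.json v2/v3 layout, where
// "packages" is keyed by "node_modules/<name>" and "hasInstallScript": true marks install scripts.
const KNOWN = ["postcss", "react", "lodash", "express", "axios"]; // constructed allowlist

// Plain Levenshtein distance: enough to catch single-character typosquats.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}

// Returns why `name` resembles a well-known package, or null if it does not.
// Prefix matches ("postcss-*") are common for legitimate plugins, so they are only
// high severity when combined with another signal (see auditLockfile).
function lookalikeReason(name, known = KNOWN) {
  if (known.includes(name)) return null;            // the genuine package itself
  const bare = name.replace(/^@[^/]+\//, "");       // strip an npm scope such as @acme/
  for (const k of known) {
    if (bare === k) return `scoped copy of ${k}`;
    if (bare.startsWith(k + "-") || bare.startsWith(k + "_")) return `derivative name of ${k}`;
    if (k.length >= 5 && editDistance(bare, k) <= 1) return `one edit away from ${k}`;
  }
  return null;
}

// Walks every installed package in the lockfile and returns findings for human review.
function auditLockfile(lock, known = KNOWN) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue;                      // root project entry, not a dependency
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const reason = lookalikeReason(name, known);
    if (reason) findings.push({ name, version: meta.version, reason,
                                severity: meta.hasInstallScript ? "high" : "review" });
  }
  return findings;
}

// Constructed sample lockfile; versions and the install-script flag are made up for the demo.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/postcss": { version: "0.0.0-sample" },
    "node_modules/postcss-optimizer": { version: "0.0.0-sample", hasInstallScript: true },
    "node_modules/expres": { version: "0.0.0-sample" },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

Findings are a review queue, not a verdict: a "postcss-" prefix alone is what legitimate plugins look like too, which is why the install-script signal is what lifts a hit to high severity here.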
Security tools such as the Socket GitHub integration and CLI add a further layer of defense by flagging anomalies in open-source packages before deployment. Developers and organizations should stay vigilant and use such security tooling to counter the evolving threats posed by malicious actors in the software supply chain.