In a recent discovery by the Socket Research Team, six malicious packages have been identified on npm, the Node package manager, all linked to the infamous North Korean hacking group Lazarus. These packages, although downloaded a seemingly low 330 times, are designed with malicious intent. They aim to steal account credentials, deploy backdoors on compromised systems, and extract sensitive cryptocurrency information from unsuspecting users.
This revelation sheds light on the ongoing cyber threats posed by sophisticated hacker groups like Lazarus. Known for their involvement in various supply chain attacks, Lazarus has previously been identified in similar campaigns on platforms like GitHub and the Python Package Index (PyPI). By infiltrating popular software registries like npm, used widely by JavaScript developers, Lazarus gains access to developers' networks, setting the stage for potential large-scale cyber attacks.
The six malicious packages discovered on npm by the Socket Research Team utilize typosquatting tactics to deceive developers into installing them inadvertently. One such package, “is-buffer-validator,” disguises itself as the legitimate “is-buffer” library to siphon off credentials. Similarly, packages like “yoojae-validator,” “event-handle-package,” “array-empty-validator,” “react-event-dependency,” and “auth-validator” employ similar tactics to execute their nefarious activities, ranging from stealing sensitive data to deploying backdoors for remote access.
These malicious packages contain code crafted to pilfer information such as cryptocurrency wallets and browser data, which includes stored passwords, cookies, and browsing history. Additionally, they are equipped with malware like BeaverTail and the InvisibleFerret backdoor, previously linked to North Korean hacking operations through fake job offers.
The code within these packages is designed to extract system environment details and browser profiles to uncover sensitive files, including login data and keychain archives. Notably, the malware also targets specific cryptocurrency wallets, extracting important files like id.json from Solana and exodus.wallet from Exodus.
Despite the discovery of these malicious packages, they remain accessible on npm and in GitHub repositories, indicating an ongoing threat. As a precaution, software developers are urged to exercise caution by thoroughly reviewing the packages they integrate into their projects and scrutinizing open-source code for suspicious elements such as obfuscated code and calls to external servers.
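One concrete form that review can take is a check of a project's own manifest before installation. The script below is an added example, not code from the article or from Socket: it flags the six package names reported above and, as a heuristic, any dependency whose name is a popular package plus a suffix (the "is-buffer-validator" pattern) or a one-or-two-character typo away from one. The POPULAR list and the sample manifest are constructed for illustration.

```javascript
// Added example (not from the article): audit dependency names in a package.json.
const KNOWN_MALICIOUS = new Set([
  "is-buffer-validator", "yoojae-validator", "event-handle-package",
  "array-empty-validator", "react-event-dependency", "auth-validator",
]);
// Popular packages that squatters imitate (assumed, illustrative list).
const POPULAR = ["is-buffer", "lodash", "express", "react", "axios"];

// Levenshtein edit distance: a small value means "one typo away".
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Verdict for one dependency name: known-malicious, review (lookalike), or ok.
function classifyName(name) {
  if (KNOWN_MALICIOUS.has(name)) return { name, verdict: "known-malicious" };
  if (POPULAR.includes(name)) return { name, verdict: "ok" };
  for (const p of POPULAR) {
    // "is-buffer-validator" is a popular name plus a plausible-sounding suffix;
    // this is a review flag, not proof, since many legitimate "<name>-x" packages exist.
    if (name.startsWith(p + "-")) return { name, verdict: "review", imitates: p };
    if (editDistance(name, p) <= 2) return { name, verdict: "review", imitates: p };
  }
  return { name, verdict: "ok" };
}

// Audit dependencies and devDependencies; return only the findings.
function auditManifest(pkg) {
  const names = Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) });
  return names.map(classifyName).filter((r) => r.verdict !== "ok");
}

// Constructed sample manifest: one squat named in the article plus one near-typo.
const SAMPLE_MANIFEST = {
  dependencies: { "is-buffer-validator": "^1.0.0", lodahs: "^4.0.0", express: "^4.18.0" },
  devDependencies: { react: "^18.0.0" },
};

console.log(auditManifest(SAMPLE_MANIFEST));
```

A deny-list only catches packages already reported; the lookalike heuristic is there to surface the next name built the same way, for a human to check against the registry.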
In conclusion, the infiltration of these malicious packages on npm serves as a stark reminder of the ever-present cyber threats faced by developers and users alike. Remaining vigilant and taking proactive measures to secure software environments is crucial in mitigating the risks posed by sophisticated threat actors like Lazarus.