North Korea’s state-backed hacking group, Lazarus, has launched a fresh supply chain attack, injecting six malicious npm packages designed to steal credentials and exfiltrate cryptocurrency data.
The campaign, uncovered by the Socket Research Team, leverages BeaverTail malware to infiltrate developers’ systems and extract sensitive information.
According to the researchers, the compromised packages—is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator—were downloaded over 300 times before detection. These packages rely on typosquatting, mimicking legitimate libraries to trick developers into installing them. Once executed, they scan browser profiles from Chrome, Brave, and Firefox, as well as macOS keychain data, to harvest login credentials and cryptocurrency wallet details, particularly those related to Solana and Exodus wallets.
The stolen data is transmitted to a hardcoded command-and-control (C2) server at hxxp://172.86.84[.]38:1224/uploads, aligning with Lazarus’s known tactics of persistent access and data exfiltration. Kirill Boychenko, a threat intelligence analyst at Socket Security, emphasized that this attack follows Lazarus’s established pattern of leveraging multi-stage payloads to infiltrate systems and maintain access over time.
Lazarus has a history of exploiting supply chain vulnerabilities, previously targeting npm, GitHub, and PyPI to compromise networks. The group was recently linked to the $1.46 billion Bybit exchange hack in late February, which is considered one of the largest cryptocurrency thefts. Reports suggest the attack originated from a compromised computer at Safe, Bybit’s technology provider, allowing hackers to siphon funds.
Bybit’s CEO, Ben Zhou, later revealed that 20% of the stolen assets had already become untraceable due to laundering via crypto-mixing services. Zhou noted that about 77% of the stolen assets remain traceable, but the laundered portion complicates recovery efforts. The attackers primarily utilized THORChain, a cross-chain liquidity protocol, to convert stolen Ethereum into Bitcoin. Zhou also revealed that 11 parties, including Mantle, ParaSwap, and blockchain investigator ZachXBT, have assisted in recovering some funds, with over $2.1 million in bounties paid out.
If you want to read more news articles like this, visit DeFi Planet and follow us on Twitter, LinkedIn, Facebook, Instagram, and CoinMarketCap Community.
“Take control of your crypto portfolio with MARKETS PRO, DeFi Planet’s suite of analytics tools.”
