The Lazarus Group, known for its cyberattacks, is using new malicious npm packages to steal user credentials and cryptocurrency data.
Attack Targets and Methods Used
The campaign was uncovered by the Socket Research Team. The attackers use BeaverTail malware to infiltrate developers' systems. Six malicious packages, including is-buffer-validator and yoojae-validator, were downloaded more than 300 times before detection. These packages mimic legitimate libraries and, once installed, scan browser profiles from Chrome, Brave, and Firefox to harvest credentials and crypto wallet data.
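One defensive check a team can run against the pattern described above is a lockfile audit that flags the package names reported here and name look-alikes of popular libraries. This is an added example, not code from Socket or from the article; the popular-package list, the similarity threshold and the sample lockfile are constructed assumptions.

```python
import json
from difflib import SequenceMatcher
from typing import Optional

# Names reported in the article; extend from your own threat-intel feed.
KNOWN_MALICIOUS = {"is-buffer-validator", "yoojae-validator"}

# Assumed list of widely used packages a typosquat is likely to imitate.
POPULAR = ["is-buffer", "validator", "lodash", "express"]


def suspicious_name(name: str, threshold: float = 0.8) -> Optional[str]:
    """Return the popular package `name` appears to imitate, else None."""
    if name in POPULAR:            # exact match is the genuine package
        return None
    for legit in POPULAR:
        # Prefix/suffix padding such as "<legit>-validator"
        if name.startswith(legit + "-") or name.endswith("-" + legit):
            return legit
        # Character-level near miss such as a transposed letter
        if SequenceMatcher(None, name, legit).ratio() >= threshold:
            return legit
    return None


def audit_lockfile(lock: dict) -> list:
    """Walk a package-lock.json (v2/v3 'packages' map) and return findings."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:               # "" is the root project entry
            continue
        name = path.split("node_modules/")[-1]
        if name in KNOWN_MALICIOUS:
            reason = "known malicious package from the reported campaign"
        else:
            legit = suspicious_name(name)
            if legit is None:
                continue
            reason = f"possible typosquat of '{legit}'"
        findings.append({"name": name, "version": meta.get("version"),
                         "reason": reason})
    return findings


# Constructed sample lockfile for demonstration.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app"},
    "node_modules/is-buffer": {"version": "2.0.5"},
    "node_modules/is-buffer-validator": {"version": "1.0.1"},
    "node_modules/lodahs": {"version": "4.17.21"},
    "node_modules/express": {"version": "4.19.2"},
    "node_modules/express/node_modules/cookie": {"version": "0.6.0"}
  }
}""")

if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCK):
        print(f"{f['name']}@{f['version']}: {f['reason']}")
```

Run it against a real `package-lock.json` by loading that file instead of `SAMPLE_LOCK`; a hit is a prompt to review the package, not proof on its own.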
Threat History and Previous Attacks
Lazarus has a history of exploiting supply chain vulnerabilities, previously compromising npm, GitHub, and PyPI. They are known for leveraging multi-stage payloads to infiltrate systems and maintain access over time. Recently, they were linked to the $1.46 billion hack of the Bybit exchange.
Recent Heist at Bybit Exchange
The attack on the Bybit exchange, one of the largest in crypto history, involved a compromised computer at the technology provider Safe. About 20% of the stolen funds became untraceable because they were passed through crypto-mixing services. Bybit CEO Ben Zhou reported that the majority of the funds remain traceable, but recovery is complicated.
Lazarus attacks highlight the need for heightened vigilance and improved security measures to prevent compromise of user data and cryptocurrency assets.