Lazarus Hacking Group Linked to Malicious npm Packages
A new wave of cyberattacks linked to the notorious Lazarus hacking group has surfaced, with six malicious npm packages being used to target unsuspecting developers.
Discovered by the Socket Research Team, these packages are designed to steal sensitive information, including credentials and cryptocurrency data.
The malicious code has already been downloaded over 330 times, highlighting the extent of the threat.
Malicious npm Packages on the Rise
The six packages identified in the attack bear a striking resemblance to legitimate ones, using typosquatting tactics to deceive developers into installing them.
These packages, including "is-buffer-validator" and "auth-validator," are designed to infiltrate systems and steal crucial data, such as login credentials, cryptocurrency wallet information, and browser data.
The malware deployed by these packages also installs backdoors for remote access, giving the attackers persistent access to affected systems.
The affected npm packages were named in a way that would make them appear legitimate to developers searching for common utilities.
The packages included:
- is-buffer-validator: A typosquat of the popular "is-buffer" library, used to steal credentials.
- yoojae-validator: A fake validation library designed to collect sensitive data.
- event-handle-package: Disguised as an event handler, it actually deploys a backdoor.
- array-empty-validator: A fraudulent package to steal browser and system credentials.
- react-event-dependency: Posing as a React utility, it executes malware to compromise systems.
- auth-validator: Mimicking authentication tools, this package is designed to steal login data.
Targeting Developers and Crypto Users
The attack, while aimed at developers, also poses a significant risk to cryptocurrency users.
The malware targets browser profiles on Chrome, Brave, and Firefox, seeking out stored login information, cookies, and history.
On macOS, it attempts to extract keychain data.
Additionally, the packages are programmed to harvest cryptocurrency wallet data, specifically targeting Solana and Exodus wallets.
According to the Socket report, the malware systematically searches through system directories, extracting files such as "Login Data" (browser credential stores) and "id.json" (Solana wallets), all while running undetected.
The report explains,
“The code is designed to collect system environment details, including the hostname, operating system, and system directories.”
[Figure: Code enabling the download of harmful software. (Source: Socket)]
The Lazarus Group’s Signature Tactics
While attribution of this attack to Lazarus remains challenging, the group’s history of similar operations raises alarm.
Lazarus has long been known for targeting software registries like npm, GitHub, and PyPI to spread malicious code.
Previous campaigns have been linked to high-profile attacks, including the massive $1.5 billion crypto heist involving the Bybit exchange.
Despite not being linked to this latest breach, the group's ongoing activities in the cryptocurrency space are of particular concern.
The threat actors behind this latest attack created and maintained GitHub repositories for five of the six packages, making them appear legitimate to developers.
This strategy increases the chances of the packages being integrated into legitimate codebases, making detection even more difficult.
As part of their ongoing efforts, the Socket team has reported the malicious repositories and user accounts, petitioning for their removal from npm and GitHub.
However, at the time of reporting, the packages remain active.
The Ongoing Threat of Lazarus
The Lazarus group, often linked to North Korea, is notorious for its sophisticated cyber campaigns, frequently targeting the global cryptocurrency industry.
Even after such high-profile breaches, Lazarus remains a persistent threat because of its ability to operate undetected for extended periods.
Kirill Boychenko, threat intelligence analyst at Socket Security, said,
“The APT group created and maintained GitHub repositories for five of the malicious packages, lending an appearance of open-source legitimacy. This increases the likelihood of the harmful code being integrated into developer workflows.”
In light of these findings, developers are urged to exercise caution with third-party packages and to review their code carefully for signs of malicious behaviour before integrating them into a project.