Lazarus Group Hid Backdoor in Fake npm Packages in Latest Attack
Lazarus Group targets developers with malicious npm packages, stealing credentials, crypto, and installing backdoor. Stay alert to protect your projects.
The notorious Lazarus Group, a North Korean state-backed hacking group, is back at it again. This time, they’re sneaking malicious code into the popular npm software repository, a vital resource for countless developers worldwide.
Cybersecurity researchers at Socket Research Team have found six new fake packages, already downloaded around 330 times, designed to infiltrate developers’ computers, swipe login details, steal cryptocurrency information, and even install a backdoor for long-term access.
**What’s npm and Why Should I Care?**
Think of npm as a giant online library for JavaScript code. Developers use it to grab pre-built pieces of software (called “packages”) to save time and effort when building their own applications. If a hacker can sneak a bad package into this library, they can infect anyone who downloads and uses it.
**The Sneaky Tactics of The Lazarus Group**
The Lazarus Group is using “typosquatting” in its latest campaign, creating packages with names very similar to legitimate, widely-used ones. For example, they created “is-buffer-validator,” which sounds a lot like the real “is-buffer” package. This makes it easy for developers to accidentally download the wrong thing.
Other malicious packages include yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator.
According to Socket Research Team’s blog post, to make these fake packages look even more trustworthy, the hackers even set up fake GitHub pages for some of them. GitHub is where developers often share and collaborate on code, so having a presence there adds a layer of (false) legitimacy.
The malicious packages used in the campaign (Credit: Socket Research Team)
As Ensar Seker, CSO at cybersecurity company SOCRadar, points out, “Malicious npm packages are a particularly effective attack vector because developers often trust open-source repositories without thorough scrutiny.” He adds that attackers are “embedding malicious code in dependencies, ensuring the malware spreads every time an unsuspecting developer installs or updates the package.”
**What Happens Upon Infection**
The Lazarus Group has a history of targeting developers through supply chain attacks. In this campaign, the malware embedded in compromised packages performs several malicious activities. It steals sensitive data by collecting system details such as the hostname, operating system, and directory structures. Additionally, it extracts credentials by searching browser profiles for stored login information from Chrome, Brave, and Firefox.
The malware also targets cryptocurrency wallets, specifically seeking Solana (id.json) and Exodus (exodus.wallet) wallet files to steal crypto assets. Furthermore, it installs a backdoor by downloading additional malware, including the InvisibleFerret backdoor, which allows attackers to maintain persistent access to the compromised system.
Seker notes that the focus on cryptocurrency aligns with North Korea’s known strategies. “The fact that these packages are designed to steal cryptocurrency-related data aligns with North Korea’s state-backed cybercrime objectives, which involve financial theft to fund regime activities,” he explains. “Lazarus has a long history of targeting crypto wallets, exchanges, and fintech companies.”
The implications extend beyond individual developers. “Once installed, these backdoored packages could give Lazarus access to developer credentials, SSH keys, and cloud access tokens,” Seker warns, “allowing lateral movement across entire organizations, not just individual victims.”
**All Malicious Packages Deleted, but the Threat Remains**
The good news is that GitHub has deleted all the malicious packages identified and reported by the Socket Research Team. However, this does not mean that there are no other malicious packages operated by the Lazarus Group.
**How to Protect Yourself and Your Organization**
To mitigate the risks posed by supply chain attacks, both developers and organizations should adopt proactive security measures. Developers should verify package sources by checking the publisher’s reputation and download numbers before installation.
Utilizing security tools, such as the Socket AI Scanner, can help detect malicious dependencies before they are added to a project. Additionally, enabling multi-layered security by implementing sandboxing, endpoint protection, and blocking suspicious outbound connections adds an extra layer of defence.
Organizations can further enhance security by automating dependency auditing to regularly scan third-party packages for vulnerabilities. Monitoring dependency changes and setting up alerts for unexpected updates in projects can help detect potential threats early. Lastly, educating teams about typosquatting and training developers to recognize suspicious package names is important in preventing attacks.
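As an added example (not code from the article or from Socket), the following script shows what an automated dependency audit for this campaign's tactics can look like: it checks a parsed package.json against the six package names reported above and flags names that look like typosquats of well-known packages, either by small edit distance or by the suffix pattern seen in "is-buffer" versus "is-buffer-validator". The POPULAR allowlist and the sample package.json are constructed for illustration.

```javascript
// Added example: pre-install dependency audit for typosquatting and for the
// package names the article reports as malicious. Not affiliated with Socket.

const REPORTED_MALICIOUS = new Set([
  'is-buffer-validator', 'yoojae-validator', 'event-handle-package',
  'array-empty-validator', 'react-event-dependency', 'auth-validator',
]);

// Constructed allowlist of legitimate, widely used names to compare against.
// In practice this would be the organisation's approved-package list.
const POPULAR = ['is-buffer', 'lodash', 'express', 'react', 'axios', 'chalk'];

// Levenshtein edit distance (single-row dynamic programming).
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, i) => i);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns a reason string when a name is suspicious, otherwise null.
function classify(name) {
  if (REPORTED_MALICIOUS.has(name)) return 'reported malicious';
  if (POPULAR.includes(name)) return null; // exact legitimate name
  for (const real of POPULAR) {
    if (name.startsWith(real + '-')) return `suffix on "${real}"`; // is-buffer-validator style
    if (editDistance(name, real) <= 2) return `near "${real}"`;   // lodahs vs lodash style
  }
  return null;
}

// Audits dependencies and devDependencies of a parsed package.json.
// Returns [{ name, reason }] for every flagged entry (for human review).
function auditDependencies(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.keys(deps)
    .map((name) => ({ name, reason: classify(name) }))
    .filter((d) => d.reason !== null);
}

// Constructed sample package.json mixing legitimate and suspicious names.
const samplePkg = {
  dependencies: { 'is-buffer': '^2.0.5', 'is-buffer-validator': '1.0.0', lodahs: '4.17.21' },
  devDependencies: { 'auth-validator': '0.1.0', chalk: '^5.3.0' },
};
console.log(auditDependencies(samplePkg));
```

The suffix rule is deliberately broad and will also flag legitimate names such as react-dom, so treat its output as a review queue rather than a block decision.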