Lazarus Cyber Threat Infects Solana and Exodus Wallets, Exposing Developer Vulnerabilities
North Korea's Lazarus Group has executed another highly sophisticated supply chain attack, this time targeting the npm ecosystem to compromise developers' environments and steal cryptocurrency-related data.
Security researchers at Socket.Dev have identified six new malicious packages, each crafted to deploy the BeaverTail malware and establish a persistent backdoor, InvisibleFerret. These tactics are consistent with previous cyber operations linked to Lazarus.
The malicious packages, which have accumulated over 330 downloads, closely resemble trusted libraries and use typosquatting techniques to deceive developers into unwittingly integrating them into their projects.
Lazarus' New Tactics: Crypto Developers Become Prime Targets
Lazarus, the notorious North Korean hacking group, has long relied on supply chain attacks, but its recent focus on crypto-specific infrastructure marks a dangerous escalation.
The newly identified malicious packages are designed to steal sensitive data, including credentials, system information, and, most critically, cryptocurrency wallet files.
One of the key targets is id.json, the critical storage file for Solana wallets, allowing Lazarus to gain direct access to funds. Additionally, the malware retrieves the exodus.wallet file, essential for the Exodus crypto wallet, enabling unauthorized transactions and fund extraction.
The malware also hunts through profiles in Chrome, Brave, and Firefox, harvesting login credentials and session data that could facilitate further exploitation.
By using a multi-stage payload deployment strategy, Lazarus ensures continued access to compromised systems. The malware is equipped to download additional payloads, including the InvisibleFerret backdoor, securing deeper infiltration into developer environments.
The ability to seed npm with malicious lookalike packages and spread malware through open-source channels significantly amplifies the supply chain attack vector, posing a serious threat to blockchain projects that rely on npm libraries.
Sophisticated Execution: How Lazarus’ Latest Attack Unfolds
Lazarus’ latest campaign demonstrates a deep understanding of open-source ecosystems and modern software development practices, marking a new level of sophistication in their cyber operations.
The group employs a series of deceptive tactics to get developers to integrate infected files into their projects. It publishes malicious npm packages with names resembling popular dependencies so that they appear legitimate, and sets up fake GitHub repositories to lend those packages further credibility.
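The lookalike-name tactic described above (and in the opening section) can be screened for on the defender's side. The following script is an added example, not code from the article or from Socket; it reads a package.json, compares every dependency name against a list of well-known packages with an edit-distance metric that counts a transposition as one edit, and reports names that are close to, but not identical with, a known package. The popular-package list, the sample package.json and the lookalike names in it are constructed for this example.

```javascript
// Added example (not from the article or Socket.dev): flag dependencies whose
// names are within a small edit distance of well-known npm package names, the
// typosquatting pattern the article describes. The POPULAR list below is a
// constructed stand-in for a real allow-list; in practice it would be generated
// from the registry's download statistics.
const POPULAR = ['lodash', 'express', 'react', 'axios', 'chalk', 'commander',
                 'moment', 'web3', 'ethers', '@solana/web3.js'];

// Optimal-string-alignment (restricted Damerau-Levenshtein) distance, so that a
// single swapped pair such as "lodahs" vs "lodash" counts as one edit rather
// than two substitutions.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1,        // deletion
                         d[i][j - 1] + 1,        // insertion
                         d[i - 1][j - 1] + cost); // substitution
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Return dependencies (regular and dev) whose name is not itself a known
// package but lies within maxDistance edits of one. Exact matches are the
// genuine packages and are skipped. A threshold of 1 keeps short names from
// producing noise; raise it for long, distinctive names if desired.
function findLookalikes(pkg, maxDistance = 1) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const hits = [];
  for (const name of Object.keys(deps)) {
    if (POPULAR.includes(name)) continue;
    for (const known of POPULAR) {
      const dist = editDistance(name, known);
      if (dist <= maxDistance) {
        hits.push({ name, resembles: known, distance: dist });
        break;
      }
    }
  }
  return hits;
}

// Parse a package.json text and return its lookalike findings.
function scan(jsonText) {
  return findLookalikes(JSON.parse(jsonText));
}

// Constructed sample package.json: one genuine dependency plus two lookalike
// names invented for this example (they are not the packages from the report).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'wallet-tool',
  dependencies: { lodash: '^4.17.21', lodahs: '1.0.0' },
  devDependencies: { expres: '0.0.1' },
});

for (const h of scan(SAMPLE_PACKAGE_JSON)) {
  console.log(`${h.name} resembles ${h.resembles} (distance ${h.distance})`);
}
```

Run it against a real project by replacing SAMPLE_PACKAGE_JSON with the contents of the project's package.json (or walk package-lock.json to cover transitive dependencies). A hit is a prompt to inspect the package, not proof of malice; scoped names such as @solana/web3.js should be compared including the scope, since a lookalike may differ only in the scope part.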
To mask the malware's true intent, Lazarus applies heavy obfuscation so that the code is harder for reviewers and scanners to recognise. Despite this, the malicious code bears a strong resemblance to previous Lazarus operations, reinforcing its attribution to the APT group.
Once inside a system, the malware scans local directories for cryptocurrency wallet files and sensitive credentials, with a specific focus on Solana and Exodus wallet storage files.
The stolen data is exfiltrated to a Lazarus-controlled server, enabling the attackers to directly access the victims’ funds. To ensure long-term control, the malware downloads and installs InvisibleFerret, a backdoor designed to maintain persistence on the compromised systems.
The multi-stage nature of the malware deployment ensures that Lazarus retains access to infected environments, even if initial infection vectors are detected and removed, making the attack even harder to neutralize.