Lazarus Group Hack Crypto Developers, Creating Backdoors in NPM Repositories

Lazarus Group, a hacking group from North Korea, has launched a new campaign targeting crypto developers through NPM repositories. The group published six repositories designed to appeal to crypto developers and laced them with malware to create backdoors, infiltrate projects, and steal credentials.

The group used BeaverTail, a malware package, to execute a hidden file on the target system. The malware then stole credentials by reading browser files and searching for files related to cryptocurrency wallets such as Exodus. The stolen data was sent to a command and control (C2) server so that the hackers could readily access the sensitive files.

"Attributing this attack definitively to Lazarus or a sophisticated copycat remains challenging, as absolute attribution is inherently difficult," wrote Kirill Boychenko, Senior Analyst at Socket. "However, the tactics, techniques, and procedures (TTPs) observed in this npm attack closely align with Lazarus's known operations, extensively documented by researchers from Unit42, eSentire, DataDog, Phylum, and others since 2022."

The malicious NPM packages were modelled on real libraries, using typosquatting and near-identical spelling to mimic popular packages and trick developers into installing them. They were downloaded more than 300 times, showing the reach of the attack.

The six malicious packages are:

  1. is-buffer-validator: mimics the is-buffer library and steals credentials.
  2. yoojae-validator: a fake validator that steals sensitive data.
  3. event-handle-package: poses as an event handling tool but installs a backdoor for remote access.
  4. array-empty-validator: collects browser and system credentials.
  5. react-event-dependency: poses as a React utility but compromises developer environments.
  6. auth-validator: steals login and API credentials.

"The APT group," wrote Boychenko, "created and maintained GitHub repositories for five of the malicious packages, lending an appearance of open source legitimacy and increasing the likelihood of the harmful code being integrated into developer workflows."

The malware was also designed to collect system information, such as the operating system, system directories, and hostname, and the attack reached hundreds of NPM users.

"It systematically iterates through browser profiles," wrote Boychenko, "to locate and extract sensitive files such as Login Data from Chrome, Brave, and Firefox, as well as keychain archives on macOS. Notably, the malware also targets cryptocurrency wallets, specifically extracting id.json from Solana and exodus.wallet from Exodus."

This attack is part of Lazarus Group's broader strategy of compromising software supply chains. NPM malware lets the group target developers, a vital link in the global supply chain, and embed itself in their systems, development environments, and crypto addresses to further its attacks. Similar methods have been used to target GitHub and Python's pip packages.

"Continuous monitoring of unusual dependency changes," wrote Boychenko, "can expose malicious updates, while blocking outbound connections to known C2 endpoints prevents data exfiltration. Sandboxing untrusted code in controlled environments and deploying endpoint protection can detect suspicious file system or network activities."
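As an added example (not code from the article or from Socket), the following script shows one way to implement the dependency-change review described above: it audits a package.json for the typosquatting pattern the article describes, flagging names that are near-misses of well-known packages, that reuse a well-known name as part of a longer name, or that appear on a blocklist built from the six packages listed earlier. The allowlist of known packages and the sample package.json are constructed for this example.

```javascript
// Added example, not code from the article or from Socket: flag package.json
// dependencies that are blocklisted, or that look like a well-known package
// (short edit distance, or a well-known name reused inside a hyphenated name).
// Findings are for human review during a dependency-change check, not auto-rejection.

// Packages the project intends to use (assumed allowlist for this example).
const KNOWN_PACKAGES = ["is-buffer", "validator", "react", "lodash"];

// The six package names the article reports as malicious.
const BLOCKLIST = new Set([
  "is-buffer-validator", "yoojae-validator", "event-handle-package",
  "array-empty-validator", "react-event-dependency", "auth-validator",
]);

// Levenshtein edit distance between two strings.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
    }
  }
  return dp[a.length][b.length];
}

// Classify one dependency name. Returns null when nothing looks off.
function classifyDependency(name, known = KNOWN_PACKAGES, maxDistance = 2) {
  if (BLOCKLIST.has(name)) return { name, reason: "blocklisted" };
  if (known.includes(name)) return null; // exact match to an intended package
  const tokens = name.split("-");
  for (const k of known) {
    if (editDistance(name, k) <= maxDistance) return { name, reason: "near-miss", lookalikeOf: k };
    if (tokens.includes(k) || name.startsWith(k + "-")) return { name, reason: "reuses-known-name", lookalikeOf: k };
  }
  return null;
}

// Audit the dependency maps of a parsed package.json object.
function auditDependencies(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.keys(deps).map((n) => classifyDependency(n)).filter(Boolean);
}

// Constructed sample package.json mixing safe, typo, and blocklisted names.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { "is-buffer": "^2.0.5", "is-bufer": "^1.0.0", "auth-validator": "^1.0.0" },
  devDependencies: { lodash: "^4.17.21" },
};
console.log(auditDependencies(SAMPLE_PACKAGE_JSON));
```

The heuristic is deliberately noisy: legitimate packages such as react-dom would be flagged for review, which is the intended trade-off when the goal is to catch lookalike names before they are installed.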

Boychenko raises a critical point: under tight deadlines, developers often pull in many libraries without fully vetting them. Cryptocurrency's decentralized nature lets developers collaborate across vast distances, but it also widens the attack surface of open source projects.

According to a 2024 United Nations report, North Korean hackers were responsible for 35% of cryptocurrency thefts, amounting to $1 billion in stolen crypto. As state actors, these hackers pose a distinct kind of security threat, because they may use their accumulated wealth to fund nuclear weapons programs and ballistic missile enhancements.

Read more: https://zycrypto.com/lazarus-group-hack-crypto-developers-creating-backdoors-in-npm-repositories/

Text source: ZyCrypto
