Lazarus Strikes npm Again With New Wave of Malicious Packages

Researchers have discovered North Korea’s Lazarus Group once again infiltrating the npm ecosystem. This time Lazarus is deploying six new malicious packages, which have been downloaded 330 times. The packages are designed to compromise developer environments, steal credentials, extract cryptocurrency data, and deploy a backdoor.
You can go into the weeds by reading this: https://socket.dev/blog/lazarus-strikes-npm-again-with-a-new-wave-of-malicious-packages
Ensar Seker, CSO at cybersecurity company SOCRadar, had this comment:
“This attack follows their well-documented pattern of targeting developers and software supply chains to infiltrate organizations. Lazarus has previously compromised trading platforms, financial institutions, and software repositories to distribute backdoors and credential stealers. Malicious npm packages are a particularly effective attack vector because developers often trust open-source repositories without thorough scrutiny. Attackers are embedding malicious code in dependencies, ensuring the malware spreads every time an unsuspecting developer installs or updates the package.
The fact that these packages are designed to steal cryptocurrency-related data aligns with North Korea’s state-backed cybercrime objectives, which involve financial theft to fund regime activities. Lazarus has a long history of targeting crypto wallets, exchanges, and fintech companies. Once installed, these backdoored packages could give Lazarus access to developer credentials, SSH keys, and cloud access tokens, allowing lateral movement across entire organizations, not just individual victims.
Attackers will shift further upstream, embedding malware in popular CI/CD tools, container images, and code repositories, making it harder to detect. They use AI to automate malicious package creation, obfuscate payloads, and dynamically evade detection in package repositories.
They may also poison internal package registries or execute dependency confusion attacks, where private company packages are mimicked in public repositories. Security teams will be forced to adopt stricter SBOM (Software Bill of Materials) practices, conduct routine package audits, and limit dependencies to trusted sources.”
Security teams need to work with developers to cut off this method of entry for groups like Lazarus. Otherwise it will become difficult, if not impossible, to stop threat actors from running wild, so to speak.
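One way a security team can act on the advice above about routine package audits, trusted sources and dependency confusion, as an added example that is not from the Socket write-up or from either commenter: a script that audits an npm lockfile for packages fetched from outside an allow-list of registries, private-scope packages that resolved somewhere other than the company's internal registry, and packages that declare install scripts. The `@example-corp` scope, the registry hosts and the lockfile contents are constructed sample data.

```javascript
// Added example: audits an npm package-lock.json (lockfileVersion 2 or 3)
// for three supply-chain red flags. The scope, registry hosts and the
// lockfile below are constructed sample data, not real packages.

const PRIVATE_SCOPE = "@example-corp";                         // assumed company scope
const PRIVATE_REGISTRY = "https://npm.example-corp.internal/"; // assumed internal registry
const PUBLIC_REGISTRIES = ["https://registry.npmjs.org/"];     // allow-listed public registries

// Constructed lockfile excerpt: one clean public package, one private-scope
// package that resolved to the public registry (the dependency-confusion
// pattern), one correctly resolved private package, and one tarball from an
// unknown host that also declares an install script.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz" },
    "node_modules/@example-corp/auth-client": { version: "2.0.0",
      resolved: "https://registry.npmjs.org/@example-corp/auth-client/-/auth-client-2.0.0.tgz" },
    "node_modules/@example-corp/logger": { version: "1.4.2",
      resolved: "https://npm.example-corp.internal/@example-corp/logger/-/logger-1.4.2.tgz" },
    "node_modules/some-helper": { version: "0.1.0",
      resolved: "https://files.example.net/some-helper-0.1.0.tgz", hasInstallScript: true },
  },
};

// Returns a list of { name, issue, resolved } findings; an empty list means no flags were raised.
function auditLockfile(lock, scope = PRIVATE_SCOPE, privateRegistry = PRIVATE_REGISTRY,
                       publicRegistries = PUBLIC_REGISTRIES) {
  const findings = [];
  const trusted = [privateRegistry, ...publicRegistries];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself
    // The package name is whatever follows the last "node_modules/" (handles nesting and scopes).
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const resolved = entry.resolved || "";
    if (!trusted.some((r) => resolved.startsWith(r))) {
      findings.push({ name, issue: "untrusted-source", resolved });
    }
    if (name.startsWith(scope + "/") && !resolved.startsWith(privateRegistry)) {
      findings.push({ name, issue: "private-scope-outside-private-registry", resolved });
    }
    if (entry.hasInstallScript) { // npm records preinstall/install/postinstall hooks in this field
      findings.push({ name, issue: "install-script", resolved });
    }
  }
  return findings;
}

for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.issue}: ${f.name} <- ${f.resolved}`);
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))` and set the scope and registry constants to your own values.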
UPDATE: Jim Routh, Chief Trust Officer at cybersecurity company Saviynt, commented:
“Sophisticated threat actors are pivoting from 0-day vulnerability exploitation to the harvest of log-in credentials monetized in various ways through various criminal organizations as a method for increasing persistence.
The discovery of the six malicious packages uncovered by the Socket Research team confirms this shift in tactics. The discovery of similar evidence found on GitHub and PyPI reinforces the business case for enterprises to increase their commitment to:
- Improve authentication, moving away from OTP and toward passwordless options readily available today
- Recognize that Identity Security is a great deal more today than provisioning and deprovisioning. It is an opportunity to use account activity data to both establish risk profiles for all users (internal and external) and to enable triggers from pattern deviation applied directly to automated workflow representing risk management and remediation without depending on humans
- Increase investment in privileged user management (PAM), adding behavioral data to continuously verify privileged users by their patterns and revoking privilege based on pattern deviation that meets a threshold
- Revoke all user entitlements not used within 90 days to shrink the attack surface and lower operating costs
- Harvest identity security intelligence to recognize bad actor behaviors (internal and external) and initiate automated risk management workflow
- Give your cloud service providers your enterprise requirements for authentication rather than accepting what they determine to be the norm”
This entry was posted on March 12, 2025 at 9:41 am and is filed under Commentary with tags Hacked. You can follow any responses to this entry through the RSS 2.0 feed.