Tuesday, January 21, 2025

Lazarus Strikes: Malware Targets Solana & Exodus Wallets

Anny Sam

Anny is a skilled crypto writer, delivering clear, engaging content that simplifies complex blockchain concepts for a broad audience.
  • North Korea’s Lazarus group has launched a new attack with six malicious npm packages.
  • These packages aim to steal credentials and crypto wallet data from developers.
  • Attackers used domain squatting and typosquatting techniques to increase infection risks.

A new cyber threat was discovered by Socket Security researchers, who attributed a total of six malicious npm packages to the notorious North Korean hacker group, Lazarus. The hackers designed the packages to drop backdoors onto compromised machines, enabling them to steal sensitive credentials and cryptocurrency wallet details. Solana and Exodus wallets, which are popular among crypto investors and developers, were their primary targets.

The attackers used typosquatting and domain squatting to deceive developers into installing malicious dependencies. They designed five packages to look like legitimate GitHub open-source projects, making them appear credible. This tactic increased the chances of unsuspecting developers integrating them into their workflows.

The group has a long history of large-scale cyber heists. They were behind numerous incidents in the crypto world, including the $1.4 billion hack against Bybit, the $41 million crypto casino robbery at Stake, and the $27 million hack against CoinEx exchange.

Lazarus Expands Attacks Despite Past Arrests

Last year, the group was also linked to the $235 million WazirX hack; Indian authorities later arrested a suspect in that case. These arrests aside, Lazarus continues rolling out sophisticated attacks against financial institutions and crypto platforms. This latest attack is aimed at developers and their systems. Once installed, the malicious npm packages pilfer credentials by targeting critical files in browsers such as Google Chrome, Brave, and Firefox.

They collect keychain information from macOS, revealing stored passwords and crypto-related information. These tactics were also observed in earlier Lazarus campaigns, whereby multi-stage payloads were employed in order to grant long-term access to hacked devices.

Developers downloaded the six identified packages—is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator—over 330 times before researchers reported them. Socket Security requested their deletion, but similar threats will likely continue to emerge.
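Because the six package names above are known, a team can screen its own manifests for them and, more generally, for dependency names that sit within a small edit distance of packages it actually trusts, which is the pattern typosquatting relies on. The following Node script is an added example written for this article and is not code from Socket Security or from the original post; the trusted-package allowlist and the sample package.json are constructed for illustration, and a team would substitute its own list.

```javascript
// Added example (not from the article): audit a package.json for the six npm
// package names reported in the Socket Security findings, and flag any other
// dependency whose name is a close lookalike of a package on a local allowlist.

// The six package names named in the article.
const KNOWN_MALICIOUS = new Set([
  'is-buffer-validator',
  'yoojae-validator',
  'event-handle-package',
  'array-empty-validator',
  'react-event-dependency',
  'auth-validator',
]);

// Assumption: a constructed allowlist of packages the team knowingly depends on.
const TRUSTED = ['is-buffer', 'validator', 'react', 'lodash', 'express'];

// Plain Levenshtein edit distance between two strings (single-row DP).
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Walk dependencies and devDependencies of a parsed package.json and return
// findings: exact matches against KNOWN_MALICIOUS first, then names that are
// within maxDistance edits of a trusted package but are not that package.
function auditDependencies(pkgJson, maxDistance = 2) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (KNOWN_MALICIOUS.has(name)) {
      findings.push({ name, reason: 'known-malicious' });
      continue;
    }
    if (TRUSTED.includes(name)) continue; // exact trusted name, nothing to flag
    for (const trusted of TRUSTED) {
      const d = levenshtein(name, trusted);
      if (d > 0 && d <= maxDistance) {
        findings.push({ name, reason: `lookalike of ${trusted} (distance ${d})` });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample manifest: one trusted package, one of the reported
// packages, one typo of lodash, and a second reported package under devDependencies.
const SAMPLE = {
  dependencies: {
    'react': '^18.0.0',
    'is-buffer-validator': '1.0.0',
    'lodahs': '4.17.21',
  },
  devDependencies: {
    'auth-validator': '0.1.0',
  },
};

console.log(JSON.stringify(auditDependencies(SAMPLE), null, 2));
```

The edit-distance heuristic is deliberately coarse: it catches transposed or dropped characters against packages you already use, but it will not recognise a lookalike of a package absent from the allowlist, and a distance threshold of 2 produces false positives on short names, so review the output rather than failing a build on it automatically. Run it against the lockfile as well as package.json so transitive dependencies are covered.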

Ethereum Struggles with Delays and Market Decline

While the Lazarus attack is a concern in the cybersecurity world, developers in the Ethereum community have also experienced technical difficulties. Ethereum's Holesky testnet has finally achieved finality after several delays. This achievement moves Ethereum closer to implementing the Pectra upgrade, which will enhance scalability and efficiency in the network.

The update will be accompanied by a set of improvements, including the ability to pay gas fees with stablecoins instead of ETH and increased staking limits. But Holesky went through weeks of network instability before reaching this point. Developers are testing last-minute changes on a shadow fork before fully launching Pectra.

The launch date for Pectra by the Ethereum Foundation has yet to be announced. In the last 24 hours, Ethereum’s cryptocurrency, ETH, has fallen by 10% and is down by 52.5% year-on-year. These market fluctuations, along with ongoing tech problems and cyberattacks, signal increasing threats in the crypto space. Investors and developers need to be cautious, monitor the source of software, and remain updated with emerging threats in order to protect their investments.
