- The Lazarus Group is using npm packages to distribute BeaverTail malware, targeting Solana and Exodus wallets.
- These attacks focus on stealing credentials and deploying persistent backdoors through malicious packages.
A new threat is emerging as North Korea’s Lazarus group uses npm packages to spread malware. Researchers identified six malicious packages designed to compromise development environments and steal confidential information.
These packages, which have more than 300 downloads, install the BeaverTail malware to capture login credentials and gain unauthorized control of Solana and Exodus wallets.
They rely on typosquatting: the malicious packages are given names that closely resemble those of popular libraries, which tricks developers into unknowingly pulling harmful code into their codebases. By creating GitHub repositories for five of the packages, Lazarus lends the campaign legitimacy and increases the likelihood that the malware is executed.
The malware specifically searches browser profiles, targeting files stored by Chrome, Brave, and Firefox. On macOS devices it also attempts to extract keychain data.
These activities reflect a highly coordinated effort to steal login credentials and take control of cryptocurrency wallets. Researchers note that the packages are still present in the npm registry and are currently being removed.
Lazarus Hits Solana, Exodus Wallets with Stealthy Malware
Cybersecurity professionals attributed the attack to Lazarus through analysis of the malicious code and its deployment methods. The malware uses obfuscation to hide its real intent and avoid detection.
It employs several layers of deception, such as dynamic function constructors and self-invoking functions, to get past security scans.
The malware’s primary function is to collect system data, including operating system details and hostnames. It also searches browser profiles for stored login credentials and retrieves the files that hold user authentication data.
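The obfuscation markers just described (dynamic function constructors, self-invoking wrappers, encoded strings) can be turned into a cheap triage check for package code. The Node.js script below is an added example, not code from the report or from the researchers: its pattern list, weights and threshold are assumptions chosen for illustration, and the two snippets it scans are constructed samples rather than the actual malicious packages.

```javascript
// Added example, not from the article: a heuristic triage scanner for the
// obfuscation markers the report describes. Patterns, weights and the
// threshold are assumptions; tune them against your own dependency corpus.

const INDICATORS = [
  // Code assembled from strings at runtime: new Function("...") / Function("...").
  { name: 'dynamic-function-constructor', weight: 3, re: /\b(?:new\s+)?Function\s*\(\s*["'`]/g },
  // eval() of runtime-built strings.
  { name: 'eval-call', weight: 3, re: /\beval\s*\(/g },
  // Four or more consecutive \xNN or \uNNNN escapes: strings hidden from grep.
  { name: 'hex-escape-run', weight: 2, re: /(?:\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}){4,}/g },
  // Closing "})()" of a self-invoking wrapper. Common in bundles too, so low weight.
  { name: 'self-invoking-function', weight: 1, re: /\}\s*\)\s*\(\s*\)/g },
  // Character-code assembly and base64 decoding of embedded payloads.
  { name: 'char-code-assembly', weight: 1, re: /String\.fromCharCode\s*\(/g },
  { name: 'base64-decode', weight: 1, re: /\batob\s*\(|["']base64["']\s*\)/g },
];

// Count every indicator in one source text; each indicator that fires adds
// its weight once (not once per hit) so a single pattern cannot dominate.
function scanSource(src) {
  const counts = {};
  let score = 0;
  for (const ind of INDICATORS) {
    const n = (src.match(ind.re) || []).length;
    counts[ind.name] = n;
    if (n > 0) score += ind.weight;
  }
  return { counts, score };
}

// Triage decision: send for manual review above an assumed threshold.
function isSuspicious(src, threshold = 4) {
  return scanSource(src).score >= threshold;
}

// Constructed sample resembling the wrapper style described in the report
// (string-encoded identifier, Function constructor, eval, IIFE). Harmless.
const CONSTRUCTED_SUSPICIOUS = `
(function () {
  var k = "\\x63\\x6f\\x6e\\x73\\x6f\\x6c\\x65";
  var f = new Function("return " + k);
  eval("1+1");
})();
`;

// Constructed benign sample: ordinary CommonJS module code.
const CONSTRUCTED_BENIGN = `
const path = require("path");
function join(a, b) { return path.join(a, b); }
module.exports = { join };
`;

for (const [label, src] of [['suspicious', CONSTRUCTED_SUSPICIOUS], ['benign', CONSTRUCTED_BENIGN]]) {
  const { counts, score } = scanSource(src);
  console.log(label, 'score', score, 'flag', isSuspicious(src), counts);
}
```

Treat the score as a prioritisation signal for a human review, not as a verdict: minified bundles legitimately contain self-invoking wrappers and escape sequences, which is why those indicators carry low weights here.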
Along with credentials, the attack also targets cryptocurrency wallets. The malware actively looks for Solana wallet keys and Exodus wallet-related files and transfers the stolen data to a designated command-and-control server.
In addition to the direct theft of data, Lazarus also employs a second backdoor known as InvisibleFerret. The second-stage malware is downloaded and unpacked in multiple stages, giving ongoing access to infected machines.
By embedding itself in development pipelines, the malware persists even when the security team identifies and removes part of the attack.
Defending Against Supply Chain Attacks
Cybersecurity experts think the Lazarus group and others like them will continue to evolve their tactics. With the increasing complexity of the attacks, organizations must tighten their security measures against supply chain threats.
One such approach is automated dependency auditing, which can identify anomalies in third-party packages before they are deployed into live environments.
Developers need to be cautious when installing new packages using npm, particularly low-volume download packages or packages from unknown sources. Regular monitoring of software dependencies detects anomalous updates, and blocking outbound traffic to suspicious command-and-control servers prevents data exfiltration.
Organizations must also sandbox untrusted code to review its behavior before full deployment. Real-time GitHub scanning and browser plugins that detect suspicious downloads are further layers of protection.
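The auditing advice above (check third-party packages before deployment, be wary of typosquatted names and of low-download packages) can be automated as a pre-install gate. The script below is an added example and not the article's or any vendor's tool: the list of popular names, the sample dependency map and the registry metadata are constructed so it runs offline, and the edit-distance and download thresholds are assumptions. In practice the download counts would come from the registry's download API.

```javascript
// Added example, not from the article: a pre-install dependency audit that
// flags (a) names within a small edit distance of well-known packages
// (typosquatting suspects) and (b) packages with very few weekly downloads.
// Thresholds, the popular-name list and all sample data are assumptions.

// Assumed list of high-profile names that typosquatters tend to imitate.
const POPULAR_PACKAGES = ['react', 'lodash', 'express', 'axios', 'chalk', 'commander', 'debug', 'moment'];

// Standard Levenshtein edit distance, single-row dynamic programme.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];      // d[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // d[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Audit a name->version map against registry metadata. Returns one finding
// per package that is either a typosquat suspect or has low download volume.
function auditDependencies(deps, registryMeta, opts = {}) {
  const popular = opts.popular || POPULAR_PACKAGES;
  const maxDistance = opts.maxDistance ?? 2;     // assumed: 1-2 edits is the typosquat zone
  const minDownloads = opts.minDownloads ?? 1000; // assumed: below this, treat as low volume
  const findings = [];
  for (const name of Object.keys(deps)) {
    let typosquatOf = null;
    let distance = null;
    if (!popular.includes(name)) {              // the genuine package is never a suspect
      for (const p of popular) {
        const d = levenshtein(name, p);
        if (d <= maxDistance && (distance === null || d < distance)) {
          typosquatOf = p;
          distance = d;
        }
      }
    }
    const meta = registryMeta[name];
    const weeklyDownloads = meta ? meta.weeklyDownloads : 0; // unknown to the registry: treat as zero
    const lowDownloads = weeklyDownloads < minDownloads;
    if (typosquatOf !== null || lowDownloads) {
      findings.push({ name, typosquatOf, distance, lowDownloads, weeklyDownloads });
    }
  }
  return findings;
}

// Constructed sample: two genuine popular names and two near-miss names.
const SAMPLE_DEPENDENCIES = { react: '18.2.0', chalk: '5.3.0', lodahs: '1.0.3', expresss: '0.0.2' };
// Constructed registry metadata; the download counts are invented.
const SAMPLE_REGISTRY_META = {
  react: { weeklyDownloads: 20000000 },
  chalk: { weeklyDownloads: 100000000 },
  lodahs: { weeklyDownloads: 42 },
  expresss: { weeklyDownloads: 310 },
};

const findings = auditDependencies(SAMPLE_DEPENDENCIES, SAMPLE_REGISTRY_META);
for (const f of findings) {
  const why = [];
  if (f.typosquatOf) why.push(`looks like "${f.typosquatOf}" (distance ${f.distance})`);
  if (f.lowDownloads) why.push(`only ${f.weeklyDownloads} weekly downloads`);
  console.log(`BLOCK ${f.name}: ${why.join('; ')}`);
}
```

Run as a CI step that fails the build when `findings` is non-empty, with an explicit allowlist for the rare legitimate package that trips the name check; pairing it with the download-volume signal keeps the false-positive rate low because a real near-named library that many people use will not also have near-zero downloads.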