PANews reported on March 12 that, according to Decrypt, the Socket research team found in a new attack that the North Korean hacker group Lazarus was associated with six new malicious npm packages that attempted to deploy backdoors to steal user credentials. The malware can also extract cryptocurrency data and steal sensitive information from Solana and Exodus crypto wallets. The attack mainly targets Google Chrome, Brave, and Firefox browser files and macOS keychain data, and depends on tricking developers into installing the malicious packages by mistake.
The six malicious packages discovered are is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator. They trick developers into installing them through "typosquatting" (using names that are misspellings or near-misses of legitimate packages). The APT group created and maintained GitHub repositories for five of the packages, disguised as legitimate open source projects, which increases the chance that developers pick up the malicious code. These packages have been downloaded more than 330 times. The Socket team has requested the removal of the packages and reported the associated GitHub repositories and user accounts.
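Typosquatting of the kind described above is something a pre-install allow-list check can surface before a package is ever fetched. The following is an added example, not code from the PANews report, Decrypt, or Socket: a small Node.js script that compares each name in a package.json dependency block against a list of names the organisation already trusts and flags three patterns: near-misses (one or two edits, including adjacent-character swaps), a trusted name with an extra prefix or suffix segment bolted on (the shape of is-buffer-validator, assuming here that it trades on the real is-buffer package), and a scoped package whose bare name matches a trusted one. The TRUSTED list and the sample dependency block are constructed for this example; the six package names are the ones the report lists.

```javascript
// Added example: dependency-name screening for typosquats. Not code from the
// report or from Socket. TRUSTED and SAMPLE_DEPENDENCIES are constructed; in
// practice the allow-list comes from the lockfile or an internal registry.
const TRUSTED = ["is-buffer", "validator", "react", "lodash", "express", "minimist"];

// Damerau-Levenshtein (optimal string alignment) distance: insertions,
// deletions, substitutions and adjacent transpositions each cost 1.
function editDistance(a, b) {
  const m = a.length;
  const n = b.length;
  const d = Array.from({ length: m + 1 }, () => new Array(n + 1).fill(0));
  for (let i = 0; i <= m; i++) d[i][0] = i;
  for (let j = 0; j <= n; j++) d[0][j] = j;
  for (let i = 1; i <= m; i++) {
    for (let j = 1; j <= n; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[m][n];
}

// Canonical form for comparison: lower-case, npm scope removed, '.' and '_' folded to '-'.
function normalize(name) {
  return name.toLowerCase().replace(/^@[^\/]+\//, "").replace(/[._]/g, "-");
}

// Compare one dependency name against the allow-list. An exact, unscoped match
// is trusted; otherwise return every reason the name resembles a trusted one.
function assessName(candidate, trusted = TRUSTED) {
  const scoped = candidate.startsWith("@");
  const c = normalize(candidate);
  const findings = [];
  for (const t of trusted) {
    const tn = normalize(t);
    if (c === tn) {
      if (!scoped) return { name: candidate, suspicious: false, findings: [] };
      // "@someone/react" is not "react": a scope can disguise a lookalike.
      findings.push({ kind: "scope-lookalike", of: t });
      continue;
    }
    const dist = editDistance(c, tn);
    const threshold = tn.length >= 8 ? 2 : 1; // two edits only for long names
    if (dist <= threshold) {
      findings.push({ kind: "near-miss", of: t, distance: dist });
    } else if (tn.length >= 4 && (c.startsWith(tn + "-") || c.endsWith("-" + tn))) {
      // Trusted name with an extra prefix or suffix segment attached.
      findings.push({ kind: "affix", of: t });
    }
  }
  return { name: candidate, suspicious: findings.length > 0, findings };
}

// Screen a package.json "dependencies" object; returns only the flagged entries.
function auditDependencies(dependencies, trusted = TRUSTED) {
  return Object.keys(dependencies)
    .map((name) => assessName(name, trusted))
    .filter((result) => result.suspicious);
}

// Constructed dependency block: the six names from the report plus one
// legitimate package that is already on the allow-list.
const SAMPLE_DEPENDENCIES = {
  "react": "^18.0.0",
  "is-buffer-validator": "1.0.0",
  "yoojae-validator": "1.0.0",
  "event-handle-package": "1.0.0",
  "array-empty-validator": "1.0.0",
  "react-event-dependency": "1.0.0",
  "auth-validator": "1.0.0",
};

for (const hit of auditDependencies(SAMPLE_DEPENDENCIES)) {
  const reasons = hit.findings.map((f) => `${f.kind}:${f.of}`).join(", ");
  console.log(`REVIEW ${hit.name} (${reasons})`);
}
```

The output is a triage list, not a verdict: common prefixes such as `react-` belong to many legitimate packages, so the allow-list should be the organisation's own dependency set rather than a generic popularity list, and a hit means a human looks before `npm install` runs. Note also what the heuristic misses: event-handle-package resembles nothing on the sample list and is not flagged, which is why name similarity should be combined with other signals (install scripts in the package, maintainer account age, download history) rather than relied on alone.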
Lazarus is the notorious North Korean hacking group linked to the recent $1.4 billion Bybit hack, the $41 million Stake hack, the $27 million CoinEx hack, and countless other attacks in the crypto industry.