In a new attack, North Korea's Lazarus group has been linked to six fresh malicious npm packages.
Discovered by The Socket Research Team, the latest attack tries to deploy backdoors to steal credentials.
Lazarus is the infamous North Korean hacker group that's been linked to the recent $1.4 billion Bybit hack, $41 million hack of crypto casino Stake, and a $27 million hack of crypto exchange CoinEx, and countless others in the crypto industry.
The group was also initially linked to the $235 million hack of India crypto exchange WazirX in July 2024. But last month, the Delhi Police’s Intelligence Fusion and Strategic Operations (IFSO) division arrested a Bengal man and seized three laptops in connection with the exploit.
This new round of malware linked to Lazarus could also extract cryptocurrency data, stealing sensitive information from Solana and Exodus crypto wallets. The attack works by targeting files belonging to the Google Chrome, Brave and Firefox browsers, as well as keychain data on macOS, and is aimed specifically at developers who might unknowingly install the packages.

"Attributing this attack definitively to Lazarus or a sophisticated copycat remains challenging, as absolute attribution is inherently difficult," wrote Kirill Boychenko, threat intelligence analyst at Socket Security, in a blog post. "However, the tactics, techniques, and procedures (TTPs) observed in this npm attack closely align with Lazarus’s known operations, extensively documented by researchers from Unit42, eSentire, DataDog, Phylum, and others since 2022."
The six packages that have been identified are: is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator. These rely on typosquatting, using misspelled names that resemble legitimate packages, to trick developers into installing them.
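As an added illustration (not code from the article or from Socket's research), here is a small Python check a developer could run against a project's package-lock.json: it flags the six package names reported above and any dependency name within edit distance 2 of a constructed allowlist of popular packages, which is the pattern typosquatting exploits.

```python
# Added example (not the article's or Socket's code): scan a lockfileVersion 2/3
# package-lock.json for the six names the article reports and for dependency
# names within edit distance 2 of a constructed allowlist of popular packages.
REPORTED_PACKAGES = {  # the six packages named in the article
    "is-buffer-validator", "yoojae-validator", "event-handle-package",
    "array-empty-validator", "react-event-dependency", "auth-validator",
}
# Constructed allowlist (assumption: a real run would use the project's own
# list of vetted dependencies).
KNOWN_GOOD = {"is-buffer", "validator", "react", "express", "lodash"}

def edit_distance(a, b):
    """Levenshtein distance between two package names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lockfile_package_names(lock):
    """Names from the 'packages' map; keys look like 'node_modules/foo'
    or 'node_modules/a/node_modules/foo' (scoped: 'node_modules/@s/foo')."""
    names = set()
    for path in lock.get("packages", {}):
        if "node_modules/" in path:
            names.add(path.rsplit("node_modules/", 1)[1])
    return names

def scan_lockfile(lock):
    """Return reported hits and (name, lookalike) pairs worth a manual review."""
    names = lockfile_package_names(lock)
    reported = sorted(names & REPORTED_PACKAGES)
    suspicious = [(n, g) for n in sorted(names - KNOWN_GOOD)
                  for g in sorted(KNOWN_GOOD) if edit_distance(n, g) <= 2]
    return {"reported": reported, "suspicious": suspicious}

# Constructed sample lockfile fragment, not taken from any real project.
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo"},
    "node_modules/react": {"version": "18.2.0"},
    "node_modules/auth-validator": {"version": "1.0.0"},
    "node_modules/lodahs": {"version": "4.17.0"},  # transposed 'lodash'
}}

if __name__ == "__main__":
    print(scan_lockfile(SAMPLE_LOCK))
```

The lookalike check only narrows down candidates for review; a near-miss name is not proof of malice, and an exact hit on a reported name should be treated as an incident.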
According to Boychenko: "The APT group created and maintained GitHub repositories for five of the malicious packages, lending an appearance of open source legitimacy and increasing the likelihood of the harmful code being integrated into developer workflows."

The packages have been collectively downloaded over 330 times. At the time of publishing, the Socket team has petitioned for their removal and has reported the associated GitHub repositories and user accounts.
This type of technique has been used by Lazarus in the past, including in the Bybit exchange heist, which resulted in a loss of around $1.4 billion in Ethereum. About 20 percent of those stolen funds have become untraceable.
In a statement, Bybit CEO, Ben Zhou, said: "77% are still traceable, 20% have gone dark, 3% have been frozen."
Boychenko says: "The group’s tactics align with past campaigns leveraging multi-stage payloads to maintain long-term access, the cybersecurity experts note."
Edited by James Rubin.