According to Decrypt, the Socket research team has discovered a new attack in which six new malicious npm packages, linked to the North Korean hacker group Lazarus, attempt to deploy backdoors to steal user credentials. The malware can also extract cryptocurrency data and steal sensitive information from Solana and Exodus crypto wallets. The attack mainly targets files in the Google Chrome, Brave, and Firefox browsers, as well as keychain data on macOS, and is specifically designed to trick developers into unintentionally installing the malicious packages.

The six malicious packages discovered this time are: is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator. They lure developers into installing them through 'typosquatting' (using misspelled names). The APT group created and maintained GitHub repositories for five of the packages, disguised as legitimate open source projects, increasing the risk that developers would use the malicious code. The packages have been downloaded over 330 times. At present, the Socket team has requested the removal of these packages and reported the relevant GitHub repositories and user accounts.

Lazarus is a notorious North Korean hacker group, associated with the recent $1.4 billion Bybit hack, $41 million Stake hack, $27 million CoinEx hack, and countless other attacks in the cryptocurrency industry.
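
A defender's check for the six package names listed above, as an added example that is not code from Socket or Decrypt: it scans a parsed package-lock.json, covering both the nested v1 tree and the flat v2/v3 map, for those names. The sample lockfiles, their versions and the helper names (`findFlagged` and friends) are constructed for illustration.

```javascript
// Package names listed in the article above (last one in hyphenated form,
// since npm names cannot contain spaces).
const FLAGGED = new Set([
  "is-buffer-validator", "yoojae-validator", "event-handle-package",
  "array-empty-validator", "react-event-dependency", "auth-validator",
]);

// lockfileVersion 2/3: flat "packages" map keyed by install path. The folder
// after the last "node_modules/" is the name unless the entry carries its own
// "name" field, which npm writes for aliased installs.
function scanPackagesMap(packages, hits) {
  for (const [path, meta] of Object.entries(packages)) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // root project or workspace folder
    const name = meta.name || path.slice(idx + "node_modules/".length);
    if (FLAGGED.has(name)) hits.push({ name, version: meta.version, path });
  }
}

// lockfileVersion 1: nested "dependencies" tree, walked recursively.
function scanDependencyTree(deps, trail, hits) {
  for (const [name, meta] of Object.entries(deps)) {
    const here = [...trail, name];
    if (FLAGGED.has(name)) hits.push({ name, version: meta.version, path: here.join(" > ") });
    if (meta.dependencies) scanDependencyTree(meta.dependencies, here, hits);
  }
}

// Accepts a parsed package-lock.json; v2 files carry both sections, so the
// flat map is preferred to avoid reporting the same install twice.
function findFlagged(lock) {
  const hits = [];
  if (lock.packages) scanPackagesMap(lock.packages, hits);
  else if (lock.dependencies) scanDependencyTree(lock.dependencies, [], hits);
  return hits;
}

// Constructed sample lockfiles; paths and versions are illustrative only.
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/is-buffer": { version: "2.0.5" },
  "node_modules/left/node_modules/is-buffer-validator": { version: "0.0.1" },
  "node_modules/checks": { name: "auth-validator", version: "0.0.2" },
} };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  express: { version: "4.18.2", dependencies: { "yoojae-validator": { version: "0.0.1" } } },
} };

console.log(findFlagged(SAMPLE_V3), findFlagged(SAMPLE_V1));
```

To check a real project, pass the parsed contents of its package-lock.json to `findFlagged`; an empty result only means none of these six names is installed.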