North Korea's Lazarus Deploys Malicious NPM Packages to Steal Data
April 7, 2025 By Prajeet Nair

North Korea's Lazarus Group expanded a cyberattack campaign that uploads malicious code to the NPM package repository for the JavaScript runtime environment, publishing 11 new packages embedded with Trojan loaders.
Researchers from security firm Socket said Friday that they identified 11 malicious packages in the repository - a hotspot for supply chain attacks - that deliver the "BeaverTail" infostealer (see: Breach Roundup: Malicious NPM Packages Maintain Persistence Even if Initial Malware Is Uninstalled).
BeaverTail targets browser data, the macOS keychain and cryptocurrency wallets. It includes functionality to extract private keys from the Solana blockchain id.json file. North Korean hackers uniquely pillage blockchains for their government, which uses stolen crypto to obtain hard currency and fund weapons of mass destruction.