lazarusholic

Everyday is lazarus.dayβ

Lazarus Strikes npm Again with New Wave of Malicious Packages

2025-03-10, Socket
https://socket.dev/blog/lazarus-strikes-npm-again-with-a-new-wave-of-malicious-packages
#Lazarus #NPM


North Korea’s Lazarus Group continues to infiltrate the npm ecosystem, deploying six new malicious packages designed to compromise developer environments, steal credentials, extract cryptocurrency data, and deploy a backdoor. In this campaign, Socket researchers uncovered BeaverTail malware embedded within seemingly benign packages: is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator, each closely mirroring tactics previously documented in Lazarus (Contagious Interview) operations. These findings align with the Socket Threat Research Team’s January 2025 report on the Lazarus APT group’s ongoing supply chain compromises.
The six new packages — collectively downloaded over 330 times — closely mimic the names of widely trusted libraries, employing a well-known typosquatting tactic used by Lazarus-linked threat actors to deceive developers. Additionally, the APT group created and maintained GitHub repositories for five of the malicious packages, lending an appearance of open source legitimacy and increasing the likelihood of the harmful code being integrated into developer workflows.
As of this …

IoC

http://172.86.84.38:1224/uploads
http://172.86.84.38:1224/pdown
http://172.86.84.38
http://172.86.84.38:1224/client/9/902
172.86.84.38
6a104f07ab6c5711b6bc8bf6ff956ab8cd597a388002a966e980c5ec9678b5b0