lazarusholic

Everyday is lazarus.day

North Korean APT Lazarus Targets Developers with Malicious npm Package

2025-01-29, Socket
https://socket.dev/blog/north-korean-apt-lazarus-targets-developers-with-malicious-npm-package
#Lazarus #NPM

Research
Security News
Kirill Boychenko
Peter van der Zee
January 29, 2025
Socket researchers have discovered the malicious npm package postcss-optimizer, which contains code linked to previously documented campaigns conducted by North Korean state-sponsored threat actors known as Contagious Interview, a subgroup within the broader Lazarus Advanced Persistent Threat (APT) group.
The malicious package, which has been downloaded 477 times, contains the BeaverTail malware, which functions as both an infostealer and a loader. In its loader role, BeaverTail is designed to deploy and execute a second-stage payload, most likely the InvisibleFerret backdoor, based on code similarities and on the broader strategy employed by the Democratic People’s Republic of Korea (DPRK).
By impersonating the legitimate postcss library, which has over 16 billion downloads, the threat actor aims to infect developers’ systems with credential-stealing …

IoC

http://91.92.120.132:80/pdown
http://91.92.120.132:80/client/
http://91.92.120.132:80/uploads
91.92.120.132
[email protected]