Cybersecurity researchers uncovered a clever supply-chain attack. The North Korea-linked Lazarus Group plants malicious packages in npm and PyPI, and tricks developers into installing them with fake blockchain job offers.
Fake Recruitment Tactics
Attackers created a phony company called Veltrix Capital, supposedly focused on blockchain and cryptocurrency trading. Its "recruiters" contact people on LinkedIn, Facebook, and Reddit and offer coding tests built around Python and JavaScript projects.
The projects look normal at first. However, they pull in poisoned dependencies. Victims run the code while completing the assessment, so the malicious packages install quietly on their machines.
Poisoned Package Examples
Many of the packages mimic useful math or graph libraries. On npm, examples include graphalgo, bigmathutils, and graphflux. PyPI versions feature graphalgo, bigmathex, and bigmathix. One package, bigmathutils, gained over 10,000 downloads before turning malicious. Attackers version the packages carefully: early releases are clean, and the payload is only added in a later release. This builds trust slowly, so more developers download the bad code before anyone notices.
The packages deliver a remote access trojan. The RAT connects to an external server. It fetches and runs commands periodically. Commands include listing files, gathering system info, and uploading data.
The trojan checks for MetaMask extensions, which points to cryptocurrency theft as the goal. It also enumerates processes and handles file operations, giving the attackers persistent control over infected systems.
Token-Based C2 Protection
Communication uses a registration-token scheme. The package first registers with the server and receives a token; every later request must include that token to be served. Researchers saw the same method in earlier Lazarus campaigns.
Only registered systems can communicate successfully, which blocks outsiders from interfering with the channel. This keeps the C2 reliable for the operators and harder for others to probe.
Signs of Sophisticated Work
The campaign shows high skill and patience. It uses modular components and layers of encryption. Attackers invest in building trust at every stage, from the fake company to the clean early releases. This points to a state-sponsored effort.
The operation has been running since May 2025. It combines social engineering with open-source poisoning, so developers face serious risks even from ecosystems they trust.
Additional Malicious npm Activity
Separate findings revealed more bad packages. One pretends to improve console visibility but steals browser data. It grabs Discord tokens, passwords, and crypto wallets. Data flows to webhooks and file hosts.
Another campaign blocks npm installs until a payment is made. It demands small cryptocurrency amounts, signalled through HTTP 402 (Payment Required) responses. Victims either waste time or pay the attackers. This highlights the growing abuse of package registries.
Prevention Strategies
Developers and teams can reduce their exposure with a few disciplined habits. First, scan dependencies carefully before installation. Verify the package's version history and publisher details. Moreover, use continuous monitoring to detect odd network calls, unexpected file access, or unusual process behavior early.
Isolate test environments and limit package permissions. These steps significantly reduce the chance that a poisoned package or RAT infection succeeds.
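As an added example (not from the original report), here is a Python check for the "start clean, then add the payload later" pattern described above: it walks a package's version history and flags releases that introduce install-time hooks, hook commands that reach for the network or eval code, or dependencies absent from the first release. The input shape mirrors the npm registry's packument (a `versions` map), and the sample packument is constructed for illustration; the hook names and regex are assumptions, not indicators from the report.

```python
import re

# npm lifecycle scripts that run automatically on install
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Rough shape of a dropper command: fetches or evaluates code at install time
DROPPER_RE = re.compile(r"curl|wget|node -e|powershell|https?://")


def _ver_key(v):
    # Numeric ordering of dotted versions; non-numeric parts sort first.
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-+]", v))


def flag_suspicious_versions(packument):
    """Return (version, kind, detail) findings for releases that diverge from
    the first published version in ways worth a manual review."""
    versions = sorted(packument["versions"], key=_ver_key)
    baseline = packument["versions"][versions[0]]
    base_deps = set(baseline.get("dependencies", {}))
    base_hooks = {h for h in INSTALL_HOOKS if h in baseline.get("scripts", {})}
    findings = []
    for v in versions[1:]:
        meta = packument["versions"][v]
        scripts = meta.get("scripts", {})
        new_hooks = {h for h in INSTALL_HOOKS if h in scripts} - base_hooks
        if new_hooks:
            findings.append((v, "new install hook", sorted(new_hooks)))
        for h in sorted(new_hooks):
            if DROPPER_RE.search(scripts[h]):
                findings.append((v, "network/eval in hook", [scripts[h]]))
        new_deps = set(meta.get("dependencies", {})) - base_deps
        if new_deps:
            findings.append((v, "new dependency", sorted(new_deps)))
    return findings


# Constructed sample: two clean releases, then 1.1.0 adds a postinstall
# hook that evaluates code and pulls in a new dependency.
SAMPLE = {
    "name": "bigmathutils",
    "versions": {
        "1.0.0": {"scripts": {"test": "node test.js"}, "dependencies": {}},
        "1.0.1": {"scripts": {"test": "node test.js"}, "dependencies": {}},
        "1.1.0": {
            "scripts": {"test": "node test.js",
                        "postinstall": "node -e \"require('./lib/init')\""},
            "dependencies": {"graphflux": "^0.3.0"},
        },
    },
}

if __name__ == "__main__":
    for version, kind, detail in flag_suspicious_versions(SAMPLE):
        print(version, kind, detail)
```

Run it against a real packument fetched from the registry (`https://registry.npmjs.org/<name>`) before installing a package from a coding test; a hit is a reason to read the release, not proof of compromise.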