Lazarus Group Targets Developers with New JavaScript Malware

Lazarus Group has launched a new JavaScript malware called Marstech1, targeting developers in a series of highly focused attacks, according to a recent report.

The operation, called Marstech Mayhem, began in late 2024. The malware was delivered through an open-source GitHub repository under a profile named “SuccessFriend.” This profile, active since July 2024, has since been removed.

Marstech1 collects system data and embeds itself in websites and NPM packages, posing a supply chain risk. Reports confirm there are 233 victims across the U.S., Europe, and Asia.

How the Attack Works

The malware specifically targets Chromium-based browsers across multiple operating systems (OS). It modifies extension settings, particularly those related to the MetaMask cryptocurrency wallet.

Infected systems may also download additional payloads from the attackers’ server. The malware focuses on cryptocurrency wallets such as Exodus and Atomic, stealing sensitive data and sending it to a command-and-control (C2) server.

Interestingly, researchers found two different malware versions—one stored in GitHub repositories and another served directly from the attacker’s server. This suggests active development and ongoing refinement.

North Korea’s Growing Cyber Threat


Businesses should also implement strict access controls to limit unauthorized system modifications. Keeping software and dependencies updated helps close security gaps. Educating employees on phishing tactics and social engineering threats can also reduce the risk of compromise.

How to Prevent Lazarus Attacks

Organizations should vet open-source software carefully before use. Developers must scan NPM packages for malicious code and use strong endpoint security. Regular security audits and threat detection tools can also help identify suspicious activity before it escalates.

Sleep well, we got you covered.