
Lazarus Hackers Launch New Attack via GitHub
North Korean hacker group Lazarus has published six malicious npm packages, hosted on GitHub, that are capable of stealing keys from cryptocurrency wallets, according to researchers at Socket.
The researchers noted that the attackers disguised the malicious code as popular, frequently downloaded libraries, hoping that developers would pull in the look-alike packages and so embed the malicious code in their own products. Five of the six packages were given dedicated GitHub repositories to lend the scheme credibility.
Socket found that the code extracts cryptocurrency data, specifically confidential information from Solana and Exodus wallets. It also targets files belonging to Google Chrome, Brave, and Firefox, as well as data held in the macOS Keychain.
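The article's core point for defenders is that the packages were chosen to look like popular libraries. The following is an added example, not code from the article or from Socket, of a small dependency audit that flags (1) dependency names within a short edit distance of a popular package name, and (2) packages that declare install-time lifecycle scripts, which run automatically during `npm install` and therefore deserve review. The popular-package shortlist, the hook names to check, and the sample manifests are constructed for the example.

```javascript
// Added example (not from the article or Socket): audit a set of npm dependency
// manifests for look-alike names and install-time scripts.

// Constructed shortlist of well-known packages; a real audit would use a larger list.
const POPULAR_PACKAGES = ["lodash", "express", "react", "axios", "chalk", "commander"];
// Lifecycle scripts npm runs automatically at install time.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Standard Levenshtein edit distance, computed with a single rolling row.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Names close to, but not identical to, a popular package are look-alike candidates.
function lookalikeCandidates(names, popular = POPULAR_PACKAGES, maxDistance = 2) {
  const hits = [];
  for (const name of names) {
    const bare = name.replace(/^@[^/]+\//, ""); // compare without the @scope/ prefix
    for (const known of popular) {
      const d = editDistance(bare, known);
      if (d > 0 && d <= maxDistance) hits.push({ name, lookalike: known, distance: d });
    }
  }
  return hits;
}

// Return the install-time hooks a package.json declares.
function installHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === "string");
}

// Audit a map of dependency name -> package.json contents; returns findings to review.
function auditDependencies(manifests) {
  const names = Object.keys(manifests);
  const findings = [];
  for (const hit of lookalikeCandidates(names)) {
    findings.push({ package: hit.name, reason: `name is ${hit.distance} edit(s) from "${hit.lookalike}"` });
  }
  for (const name of names) {
    const hooks = installHooks(manifests[name]);
    if (hooks.length) findings.push({ package: name, reason: `declares install hook(s): ${hooks.join(", ")}` });
  }
  return findings;
}

// Constructed sample input: two ordinary packages and two that should be flagged.
const SAMPLE_MANIFESTS = {
  lodash: { version: "4.17.21" },
  react: { version: "18.2.0", scripts: { test: "jest" } },
  lodasg: { version: "1.0.0", scripts: { postinstall: "node setup.js" } },
  expresss: { version: "0.0.1" },
};

for (const f of auditDependencies(SAMPLE_MANIFESTS)) {
  console.log(`${f.package}: ${f.reason}`);
}
```

On the sample input the audit reports `lodasg` twice (name one edit from `lodash`, and a `postinstall` hook) and `expresss` once. A distance threshold of 2 keeps the check simple; on a large popular-package list it will also flag some legitimate short names, so treat hits as review items rather than verdicts.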
“It is difficult to determine whether this attack is linked to Lazarus or an imitator. However, the tactics, techniques, and procedures (TTP) observed in this npm attack are closely associated with known Lazarus operations, thoroughly documented by researchers from Unit42, eSentire, DataDog, Phylum, and others since 2022,” wrote Kirill Boychenko, threat data analyst at Socket.
The malicious packages have been downloaded more than 330 times in total. The researchers have called for the malicious repositories to be taken down.
Earlier, Bybit urged ParaSwap DAO to return 44.67 wETH (~$100,000) earned from Lazarus transaction fees.