Lazarus Hackers Launch New Attack via GitHub


North Korean hacker group Lazarus has published six infected npm packages on GitHub, capable of stealing cryptocurrency wallet keys, according to cybersecurity firm Socket.

Experts say the attackers disguised the malicious code as popular libraries frequently downloaded from the platform. Their goal is to trick developers into using compromised files, embedding malware into their projects. To make the attack more convincing, five of the packages were given dedicated repositories.
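A defender-side check for the impersonation technique described above, added here as an example and not code from the article or from Socket: it flags package.json dependencies whose names are one edit, one adjacent transposition, or only a scope prefix away from a well-known package. The popular-package list and the dependency map are constructed samples, not the real download rankings.

```javascript
// Constructed sample of well-known package names (assumption, not npm's real top list).
const POPULAR = ["react", "lodash", "express", "axios", "chalk", "commander"];

// Optimal-string-alignment edit distance: insert/delete/substitute cost 1,
// and an adjacent transposition ("lodahs" vs "lodash") also costs 1.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0)));
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Drop an npm scope and separators so "@acme/express" and "lo-dash" compare cleanly.
function normalise(name) {
  return name.replace(/^@[^/]+\//, "").toLowerCase().replace(/[-_.]/g, "");
}

// Report dependencies that are not an exact well-known name but sit within
// `maxDistance` edits of one once scope and separators are stripped.
function findSuspiciousDeps(dependencies, popular = POPULAR, maxDistance = 1) {
  const findings = [];
  for (const dep of Object.keys(dependencies)) {
    if (popular.includes(dep)) continue; // exact, well-known name
    const norm = normalise(dep);
    for (const p of popular) {
      const distance = editDistance(norm, normalise(p));
      if (distance <= maxDistance) {
        findings.push({ dependency: dep, lookalike: p, distance });
        break;
      }
    }
  }
  return findings;
}

// Constructed package.json "dependencies" map used as demonstration input.
const SAMPLE_DEPS = {
  react: "^18.2.0",
  lodahs: "^4.17.21",        // transposition of lodash
  "@acme/express": "^1.0.0", // scoped name reusing a popular unscoped name
  axois: "^1.6.0",           // transposition of axios
  "left-pad": "^1.3.0",      // unrelated name, should not be flagged
};

console.log(findSuspiciousDeps(SAMPLE_DEPS));
```

Run it against a real lockfile's dependency map and a current list of popular packages; a hit is a prompt for manual review of the package and its publisher, not proof of malice.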

Socket researchers noted that the code can extract cryptocurrency-related data, including confidential wallet information from Solana and Exodus. The malware targets Google Chrome, Brave, Firefox, and the Keychain storage in macOS.

“It’s difficult to determine whether this attack is directly linked to Lazarus or an impersonator. However, the tactics, techniques, and procedures (TTPs) observed in this npm attack closely match those documented by Unit42, eSentire, DataDog, Phylum, and others since 2022,” said Socket threat intelligence analyst Kirill Boychenko.

The infected files have been downloaded over 330 times, and security experts urge users to delete the malicious repositories.

Previously, Bybit called on the ParaSwap DAO to return 44.67 wETH (~$100,000) earned in transaction fees linked to Lazarus.