The Lazarus Group, a cybercriminal organization suspected of having ties to the North Korean government, has reportedly intensified its attacks on the cryptocurrency sector, with a growing focus on targeting developers.
A recent investigation by the Socket Research Team has uncovered a series of attacks involving malicious npm packages designed to compromise developers’ systems. Over the past few months, researchers found that these packages were crafted to steal credentials, extract cryptocurrency wallet data, and establish persistent backdoors within development environments.
A subgroup of the Lazarus Group has infiltrated the npm repository, a widely used package manager for JavaScript developers. The attackers employed typosquatting tactics to distribute altered versions of well-known npm packages, tricking developers into downloading malicious software.
Among the compromised packages are is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator. These packages were designed to execute harmful code upon installation, posing a significant threat to developers and organizations relying on open-source software.
“Additionally, the APT group created and maintained GitHub repositories for five of the malicious packages, lending an appearance of open source legitimacy and increasing the likelihood of the harmful code being integrated into developer workflows,” the Socket Team wrote.
Once installed, the malicious npm packages deploy BeaverTail malware, an advanced tool designed to harvest sensitive information. This malware can extract login credentials, scan browser files for stored passwords, and access cryptocurrency wallet data, targeting platforms such as Solana and Exodus.
The extracted data is then transmitted to a hardcoded command-and-control (C2) server, a tactic frequently used by the North Korean-linked hacking group to covertly funnel stolen information to its operators.
Bybit Hack Expands Lazarus Group Cybercrime Footprint
Socket’s report comes in the wake of a recent hacking incident allegedly linked to the Lazarus Group: a major attack on the cryptocurrency exchange Bybit in February 2025. The hackers reportedly infiltrated Bybit’s systems and stole approximately 400,000 Ethereum tokens, valued at around $1.5 billion.
According to security experts, the stolen funds are likely being funneled into North Korea’s military and nuclear programs. While global authorities are working to track and recover the assets, reports indicate that the hackers have already laundered around $300 million, employing sophisticated tactics to obscure the transactions.
This breach adds to a growing pattern of cryptocurrency-related attacks attributed to the Lazarus Group, emphasizing the persistent threat posed by state-sponsored cybercriminals targeting the digital asset industry.
