The Lazarus Group, a cybercriminal organization suspected of having ties to the North Korean government, has reportedly intensified its attacks on the cryptocurrency sector, with a growing focus on targeting developers.
A recent investigation by the Socket Research Team has uncovered a series of attacks involving malicious npm packages designed to compromise developers’ systems. Over the past few months, researchers found that these packages were being manipulated to steal credentials, extract cryptocurrency wallet data, and establish persistent backdoors within development environments.
A subgroup of the Lazarus Group has infiltrated the npm repository, a widely used package manager for JavaScript developers. The attackers employed typosquatting tactics to distribute altered versions of well-known npm packages, tricking developers into downloading malicious software.
Among the malicious packages are is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator. These packages were designed to execute harmful code upon installation, posing a significant threat to developers and organizations relying on open-source software.
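The defensive check a developer can run against this pattern is to audit the dependency tree rather than trust the package names. The script below is an added example, not code from Socket's report or from the article: it reads a package-lock.json (lockfileVersion 2/3 layout) and flags any installed package whose name matches one of the six packages named above, and separately lists packages whose package.json declares an install-time lifecycle script (preinstall, install, postinstall), which is the mechanism by which a package runs code the moment it is installed. The lockfile and manifests in the block are constructed sample input; how the manifests are collected from node_modules is left to the reader and is an assumption of the example.

```javascript
// Added example (not from the article or Socket's research): audit an npm
// dependency tree for the package names the report lists and for packages
// that run code at install time. All sample data below is constructed.

// Package names quoted in the article (typosquats of legitimate packages).
const REPORTED_PACKAGES = new Set([
  'is-buffer-validator',
  'yoojae-validator',
  'event-handle-package',
  'array-empty-validator',
  'react-event-dependency',
  'auth-validator',
]);

// npm lifecycle hooks that run automatically when a dependency is installed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Collect package names from the lockfile's "packages" map. Keys look like
// "node_modules/foo", "node_modules/@scope/foo" or, for nested installs,
// "node_modules/foo/node_modules/bar"; the name is the last path component
// after the final "node_modules/". The empty key is the project root.
function packageNamesFromLockfile(lock) {
  const names = new Set();
  for (const key of Object.keys(lock.packages || {})) {
    if (key === '') continue;
    const segments = key.split('node_modules/');
    const name = segments[segments.length - 1];
    if (name) names.add(name);
  }
  return names;
}

// Flag any installed package whose name appears in the reported list.
function findReportedPackages(lock) {
  return [...packageNamesFromLockfile(lock)]
    .filter((name) => REPORTED_PACKAGES.has(name))
    .sort();
}

// Given a map of package name -> parsed package.json, list packages that
// declare install-time scripts. Legitimate packages (native add-ons, for
// example) use these hooks too, so the result is a review list, not a verdict.
function findInstallScripts(manifests) {
  const findings = [];
  for (const [name, manifest] of Object.entries(manifests)) {
    const scripts = manifest.scripts || {};
    for (const hook of INSTALL_HOOKS) {
      if (typeof scripts[hook] === 'string') {
        findings.push({ name, hook, command: scripts[hook] });
      }
    }
  }
  return findings;
}

// Combine both checks into one report object.
function auditDependencies(lock, manifests) {
  return {
    reported: findReportedPackages(lock),
    installScripts: findInstallScripts(manifests),
  };
}

// Constructed package-lock.json: one legitimate package, one reported name
// at top level, and one reported name hidden as a transitive dependency.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/is-buffer': { version: '2.0.5' },
    'node_modules/auth-validator': { version: '1.0.0' },
    'node_modules/some-lib': { version: '3.1.0' },
    'node_modules/some-lib/node_modules/event-handle-package': { version: '0.0.3' },
  },
};

// Constructed package.json contents for the installed packages. The
// postinstall command is a placeholder, not a real payload.
const SAMPLE_MANIFESTS = {
  'is-buffer': { name: 'is-buffer', version: '2.0.5' },
  'auth-validator': { name: 'auth-validator', version: '1.0.0', scripts: { postinstall: 'node ./setup.js' } },
  'some-lib': { name: 'some-lib', version: '3.1.0', scripts: { test: 'mocha' } },
};

console.log(JSON.stringify(auditDependencies(SAMPLE_LOCK, SAMPLE_MANIFESTS), null, 2));
```

Matching on the six names catches only the packages this report named; the install-script listing is the durable check, because every new typosquat that wants to run on install has to declare one of those hooks. Running `npm install` with `--ignore-scripts` in CI and reviewing the listed packages before enabling scripts again turns this report into a gate rather than a one-off scan.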
“Additionally, the APT group created and maintained GitHub repositories for five of the malicious packages, lending an appearance of open source legitimacy and increasing the likelihood of the harmful code being integrated into developer workflows,” the Socket Team wrote.
Once installed, the malicious npm packages deploy BeaverTail malware, an advanced tool designed to harvest sensitive information. This malware can extract login credentials, scan browser files for stored passwords, and access cryptocurrency wallet data, targeting platforms such as Solana and Exodus.
The extracted data is then transmitted to a hardcoded command-and-control (C2) server, a tactic frequently used by the North Korean-linked hacking group to covertly funnel stolen information to its operators.
Bybit Hack Expands Lazarus Group Cybercrime Footprint
Socket’s report comes in the wake of a recent hacking incident allegedly linked to the Lazarus Group. The group reportedly orchestrated a major attack on the cryptocurrency exchange Bybit in February 2025, infiltrating Bybit’s systems and stealing approximately 400,000 Ethereum tokens, valued at around $1.5 billion.
According to security experts, the stolen funds are likely being funneled into North Korea’s military and nuclear programs. While global authorities are working to track and recover the assets, reports indicate that the hackers have already laundered around $300 million, employing sophisticated tactics to obscure the transactions.
This breach adds to a growing pattern of cryptocurrency-related attacks attributed to the Lazarus Group, emphasizing the persistent threat posed by state-sponsored cybercriminals targeting the digital asset industry.
Michaela has no crypto positions and does not hold any crypto assets. This article is provided for informational purposes only and should not be construed as financial advice. The Shib Magazine and The Shib Daily are the official media and publications of the Shiba Inu cryptocurrency project. Readers are encouraged to conduct their own research and consult with a qualified financial adviser before making any investment decisions.