Cybersecurity Alert: Lazarus Targets Developers with Malicious npm Packages

Attack Strategy: Infiltrating via GitHub

Lazarus employs a sophisticated method to infiltrate developer environments. The group creates and maintains GitHub repositories that host these malicious npm packages, giving them the appearance of legitimate open-source projects. This tactic increases the likelihood of developers inadvertently integrating harmful code into their workflows.

The six identified malicious packages are:

1. is-buffer-validator
2. yoojae-validator
3. event-handle-package
4. array-empty-validator
5. react-event-dependency
6. auth-validator

These packages mimic the names of widely-used libraries, employing a technique known as typosquatting to deceive developers into installing them.

Once these malicious packages are installed, they execute scripts that gather system environment details, including hostnames and operating systems. They systematically search browser profiles to locate and extract sensitive files, such as ‘Login Data’ from Chrome, Brave, and Firefox browsers, as well as keychain archives on macOS. Notably, these packages also target cryptocurrency wallets, specifically extracting ‘id.json’ from Solana and ‘exodus.wallet’ from Exodus wallets. The stolen data is then transmitted to command-and-control (C2) servers controlled by the attackers.

Attribution to Lazarus Group

Identifying the exact perpetrators behind cyberattacks is inherently challenging. However, the tactics, techniques, and procedures (TTPs) observed in this npm attack closely align with those previously documented in Lazarus operations. These include the use of similar obfuscation techniques, cross-platform targeting of Windows, macOS, and Linux systems, and the deployment of multi-stage payloads to maintain prolonged access to compromised systems.

Billions Stolen: Lazarus Groups Cyber Heists

Lazarus Group has orchestrated some of the most devastating cyber heists in history, targeting cryptocurrency exchanges, blockchain networks, and financial institutions. Over the past few years, the group has been responsible for stealing billions of dollars worth of digital assets. Here are some of their most significant attacks:

Bybit Exchange Hack (2025) – $1.4 Billion Stolen

One of the biggest crypto heists to date, the Bybit attack saw Lazarus exploit security vulnerabilities to steal around $1.4 billion in Ethereum. While some of the stolen funds remain traceable, a significant portion has disappeared into untraceable wallets.

WazirX Hack (2024) – $235 Million Stolen

Lazarus was initially suspected of orchestrating the $235 million hack on Indian crypto exchange WazirX in July 2024. However, later investigations led to the arrest of a suspect in India. The attack resulted in significant financial losses and heightened concerns about exchange security.

Stake.com Hack (2023) – $41 Million Stolen

The online gambling platform Stake.com was targeted in September 2023, with Lazarus reportedly draining $41 million from the site by exploiting security weaknesses.

Axie Infinity Ronin Network Hack (2022) – $620 Million Stolen

Lazarus used social engineering tactics to gain access to the private keys of Axie Infinitys Ronin Network, draining approximately $620 million worth of crypto. This remains one of the largest DeFi exploits in history.

From large-scale exchange hacks to supply chain attacks like the recent npm infiltration, Lazarus continues to refine its methods. Their ability to adapt and develop new tactics makes them one of the most persistent threats in the cybersecurity landscape. As their attacks grow in sophistication, individuals and businesses must remain vigilant against potential vulnerabilities.