CyberSecurity news
FlagThis
@socket.dev
//
The North Korean state-sponsored hacking group Lazarus has been identified as the source of a sophisticated supply chain attack that targets software developers. The group employed a malicious Node Package Manager (NPM) package named "postcss-optimizer" to deliver malware. This package deceptively mimics the widely used postcss libraries. Security researchers at Socket discovered the malicious package and linked it directly to Lazarus Group, noting its code-level similarities to previous campaigns. The "postcss-optimizer" package has been downloaded 477 times and serves as a vector for deploying BeaverTail malware.
Once installed, BeaverTail functions as both an infostealer and a malware loader. It is designed to compromise systems across Windows, macOS, and Linux. The malware's targets include browser cookies, credentials, and cryptocurrency wallet files. The information is exfiltrated to a command-and-control server. It is suspected to deliver secondary payloads such as InvisibleFerret, a known backdoor associated with Lazarus. The attackers used the deceptive npm registry alias "yolorabbit" to further confuse developers, who might have believed they were downloading legitimate software.
References :
Once installed, BeaverTail functions as both an infostealer and a malware loader. It is designed to compromise systems across Windows, macOS, and Linux. The malware's targets include browser cookies, credentials, and cryptocurrency wallet files. The information is exfiltrated to a command-and-control server. It is suspected to deliver secondary payloads such as InvisibleFerret, a known backdoor associated with Lazarus. The attackers used the deceptive npm registry alias "yolorabbit" to further confuse developers, who might have believed they were downloading legitimate software.
Share:
References :
- cyberpress.org: Lazarus Hackers Deploy Malicious NPM Packages on Software Developers Systems
- gbhackers.com: Lazarus Group Drop Malicious NPM Packages in Developers Systems Remotely
- socket.dev: Socket : This looks potentially related to SecurityScorecard's blog post about Lazarus Group (see parent toot above). A malicious npm package postcss-optimizer delivers BeaverTail malware, targeting developer systems. Socket researchers note that the package contains code linked to North Korean state-sponsored campaigns known as Contagious Interview. Indicators of compromise are shared. h/t:
- Cyber Security News: In a detailed investigation by Socket security researchers, a new malicious npm package, “postcss-optimizer,� has been linked to the notorious North Korean Advanced Persistent Threat (APT) group Lazarus.
- gbhackers.com: Lazarus Group Drop Malicious NPM Packages in Developers Systems Remotely
- : Socket : This looks potentially related to SecurityScorecard's blog post about Lazarus Group (see parent toot above). A malicious npm package postcss-optimizer delivers BeaverTail malware, targeting developer systems.
- mastodon.social: Socket : This looks potentially related to SecurityScorecard's blog post about Lazarus Group (see parent toot above). A malicious npm package postcss-optimizer delivers BeaverTail malware, targeting developer systems. Socket researchers note that the package contains code linked to North Korean state-sponsored campaigns known as Contagious Interview. Indicators of compromise are shared. h/t:
Classification:
- HashTags: #Lazarus #NPM #SupplyChainAttack
- Company: NPM
- Target: Software Developers
- Attacker: Lazarus
- Product: NPM packages
- Feature: malicious package
- Malware: BeaverTail
- Type: Malware
- Severity: Major