CyberSecurity news

FlagThis - #developers

SC Staff@scmagazine.com //

Lazarus Group Strikes NPM with Malicious Packages

The Lazarus Group, a North Korean APT, is actively targeting developers through the npm ecosystem by publishing malicious packages. These packages are designed to compromise developer environments, steal credentials, extract cryptocurrency data, and deploy backdoors. The attackers use typosquatting, mimicking legitimate library names to deceive developers into downloading the compromised versions. The packages contain BeaverTail malware and the InvisibleFerret backdoor and exhibit identical obfuscation techniques, cross-platform targeting, and command-and-control mechanisms consistent with previous Lazarus campaigns.

Six malicious npm packages have been identified, including postcss-optimizer, is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, and react-event-dependency. These packages have been collectively downloaded over 330 times and contain the BeaverTail malware, which functions as both an infostealer and a loader designed to steal login credentials, exfiltrate sensitive data, and deploy backdoors in compromised systems. The Lazarus Group also maintained GitHub repositories for five of the malicious packages, lending an appearance of open source legitimacy.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • The DefendOps Diaries: Lazarus Group's Latest Supply Chain Attacks on Developers
  • BleepingComputer: North Korean Lazarus hackers infect hundreds via npm packages
  • bsky.app: Reports on the six malicious npm packages linked to the Lazarus Group.
  • The Hacker News: The Lazarus Group, a North Korean APT, is actively targeting the npm ecosystem by publishing malicious packages that closely mimic legitimate libraries, deceiving developers into incorporating harmful code into their projects.
  • socket.dev: North Korea’s Lazarus Group continues to infiltrate the npm ecosystem, deploying six new malicious packages designed to compromise developer environments, steal credentials, extract cryptocurrency data, and deploy a backdoor.
  • securityaffairs.com: Lazarus Strikes npm Again with New Wave of Malicious Packages
  • hackread.com: Lazarus Group Hid Backdoor in Fake npm Packages in Latest Attack
  • Threats | CyberScoop: Lazarus Group deceives developers with 6 new malicious npm packages
  • www.scworld.com: Malware spread by Lazarus Group via counterfeit npm packages
  • securityonline.info: Typosquatting & Backdoors: Lazarus’ Latest npm Campaign
Classification:
@Talkback Resources //

WordPress Sites Vulnerable to Script Injection, PyPI Package Pirating Music

Millions of WordPress websites face potential script injection attacks due to a critical vulnerability found in the Essential Addons for Elementor plugin, which is installed on over 2 million sites. The flaw, identified as CVE-2025-24752 with a high severity score of 7.1, allows attackers to execute reflected cross-site scripting (XSS) attacks. This is achieved by exploiting insufficient input sanitization within the plugin's password reset functionality, specifically through malicious URL parameters.

A fake WordPress plugin has also been discovered injecting casino spam, impacting website SEO. In a separate incident, cybersecurity researchers have flagged a malicious Python library on the PyPI repository, named 'automslc', which facilitates over 100,000 unauthorized music downloads from Deezer. The package bypasses Deezer's API restrictions by embedding hardcoded credentials and communicating with an external command-and-control server, effectively turning user systems into a botnet for music piracy.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • bsky.app: Socket Security has discovered a malicious PyPI package that created a botnet to pirate songs from music streaming service Deezer The package was named automslc and had been downloaded over 100,000 since its release in 2019
  • BleepingComputer: A malicious PyPi package named 'automslc'  has been downloaded over 100,000 times from the Python Package Index since 2019, abusing hard-coded credentials to pirate music from the Deezer streaming service.
  • Talkback Resources: Malicious PyPI Package "automslc" Enables 104K+ Unauthorized Deezer Music Downloads [app] [mal]
  • socket.dev: Malicious PyPI Package Exploits Deezer API for Coordinated Music Piracy
  • bsky.app: A malicious PyPi package named 'automslc'  has been downloaded over 100,000 times from the Python Package Index since 2019, abusing hard-coded credentials to pirate music from the Deezer streaming service.
  • The Hacker News: Malicious PyPI Package "automslc" Enables 104K+ Unauthorized Deezer Music Downloads
  • Sucuri Blog: Injecting malware via a fake WordPress plugin has been a common tactic of attackers for some time. This clever method is often used to bypass detection as attackers exploit the fact that plugins are not part of the core files of a WordPress site, making integrity checks more difficult.
  • gbhackers.com: A critical security vulnerability in the Essential Addons for Elementor plugin, installed on over 2 million WordPress websites, has exposed sites to script injection attacks via malicious URL parameters. The flaw, tracked as CVE-2025-24752 and scoring 7.1 (High) on the CVSS scale, allowed attackers to execute reflected cross-site scripting (XSS) attacks by exploiting insufficient input sanitization in the plugin’s password reset
  • bsky.app: Microsoft has removed two popular VSCode extensions, 'Material Theme - Free' and  'Material Theme Icons - Free,' from the Visual Studio Marketplace for allegedly containing malicious code.
  • gbhackers.com: VS Code Extension with 9 Million Installs Attacks Developers with Malicious Code
  • aboutdfir.com: VSCode extensions with 9 million installs pulled over security risks
  • bsky.app: Microsoft has removed two VSCode theme extensions from the VSCode Marketplace for containing malicious code.
  • Techzine Global: Visual Studio Code extensions with 9 million downloads removed for security risks
Classification:
  • HashTags: #WordPress #XSS #PluginVulnerability
  • Company: WordPress
  • Target: WordPress websites, Deezer
  • Product: WordPress
  • Feature: Script Injection
  • Malware: automslc
  • Type: Bug
  • Severity: Major
@socket.dev //

Lazarus Group Uses Malicious NPM Packages

The North Korean state-sponsored hacking group Lazarus has been identified as the source of a sophisticated supply chain attack that targets software developers. The group employed a malicious Node Package Manager (NPM) package named "postcss-optimizer" to deliver malware. This package deceptively mimics the widely used postcss libraries. Security researchers at Socket discovered the malicious package and linked it directly to Lazarus Group, noting its code-level similarities to previous campaigns. The "postcss-optimizer" package has been downloaded 477 times and serves as a vector for deploying BeaverTail malware.

Once installed, BeaverTail functions as both an infostealer and a malware loader. It is designed to compromise systems across Windows, macOS, and Linux. The malware's targets include browser cookies, credentials, and cryptocurrency wallet files. The information is exfiltrated to a command-and-control server. It is suspected to deliver secondary payloads such as InvisibleFerret, a known backdoor associated with Lazarus. The attackers used the deceptive npm registry alias "yolorabbit" to further confuse developers, who might have believed they were downloading legitimate software.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • cyberpress.org: Lazarus Hackers Deploy Malicious NPM Packages on Software Developers Systems
  • gbhackers.com: Lazarus Group Drop Malicious NPM Packages in Developers Systems Remotely
  • socket.dev: Socket : This looks potentially related to SecurityScorecard's blog post about Lazarus Group (see parent toot above). A malicious npm package postcss-optimizer delivers BeaverTail malware, targeting developer systems. Socket researchers note that the package contains code linked to North Korean state-sponsored campaigns known as Contagious Interview. Indicators of compromise are shared. h/t:
  • Cyber Security News: In a detailed investigation by Socket security researchers, a new malicious npm package, “postcss-optimizer,â€� has been linked to the notorious North Korean Advanced Persistent Threat (APT) group Lazarus.
  • gbhackers.com: Lazarus Group Drop Malicious NPM Packages in Developers Systems Remotely
  • : Socket : This looks potentially related to SecurityScorecard's blog post about Lazarus Group (see parent toot above). A malicious npm package postcss-optimizer delivers BeaverTail malware, targeting developer systems.
  • mastodon.social: Socket : This looks potentially related to SecurityScorecard's blog post about Lazarus Group (see parent toot above). A malicious npm package postcss-optimizer delivers BeaverTail malware, targeting developer systems. Socket researchers note that the package contains code linked to North Korean state-sponsored campaigns known as Contagious Interview. Indicators of compromise are shared. h/t:
Classification:

Blogs

Research Tools