CyberSecurity news

FlagThis - #npm

Lucija Valentic (lucija.valentic@reversinglabs.com) @ Blog (Main) //
ReversingLabs has identified a malicious npm package named "pdf-to-office" that targeted cryptocurrency users by injecting malicious code into locally installed Atomic Wallet and Exodus software. The package, posing as a utility for converting PDF files to Microsoft Office documents, actually overwrites existing, legitimate files within the crypto wallet installations. This allowed attackers to silently hijack crypto transfers by swapping out the intended destination address with one belonging to the malicious actor. The ReversingLabs team continues to track threat actors using a variety of techniques to hijack popular crypto packages.

This attack vector involved the malicious patching of local software, a technique that allows attackers to intercept cryptocurrency transfers without raising immediate suspicion. The "pdf-to-office" package targeted specific versions of both Atomic Wallet (2.91.5 and 2.90.6) and Exodus (25.13.3 and 25.9.2), ensuring that the correct JavaScript files were overwritten. Once executed, the malicious code would check for the presence of the "atomic/resources/app.asar" archive for Atomic Wallet and "src/app/ui/index.js" for Exodus.

The compromised wallets would then channel crypto funds to the attacker's address, even if the "pdf-to-office" package was subsequently removed from the system. ReversingLabs' Spectra Assure platform flagged the package as suspicious due to its behaviors mirroring previous npm-based malware campaigns. The initial release was on March 24, 2025, before being removed. The latest version, 1.1.2, was uploaded on April 8 and remains available for download.

References:
  • hackread.com: ReversingLabs reveals a malicious npm package targeting Atomic and Exodus wallets, silently hijacking crypto transfers via software patching.
  • Blog (Main): Threat actors have been targeting the cryptocurrency community hard lately.
  • secure.software: Atomic and Exodus crypto wallets targeted in malicious npm campaign
  • The Hacker News: Threat actors are continuing to upload malicious packages to the npm registry so as to tamper with already-installed local versions of legitimate libraries and execute malicious code in what's seen as a sneakier attempt to stage a software supply chain attack.
  • www.scworld.com: Atomic, Exodus wallets subjected to malicious npm package attack Attackers have been looking to compromise users of the Atomic and Exodus cryptocurrency wallets through the new pdf-to-office npm package spoofing a PDF to Microsoft Word document converter, The Hacker News reports.
  • gbhackers.com: Threat Actors Exploit Legitimate Crypto Packages to Deliver Malicious Code
  • hackread.com: npm Malware Targets Atomic and Exodus Wallets to Hijack Crypto Transfers

Ddos@Daily CyberSecurity //
The North Korean Lazarus APT group has expanded its malicious activities within the npm ecosystem, deploying eleven new packages designed to deliver the BeaverTail malware and a new remote access trojan (RAT) loader. These malicious packages were downloaded over 5,600 times before their removal, posing a significant risk to developer systems. The threat actors are using previously identified aliases, as well as newly created accounts, to distribute these packages.

The campaign, dubbed "Contagious Interview," aims to compromise developer systems, steal sensitive credentials or financial assets, and maintain access to compromised environments. To evade detection, the attackers are employing hexadecimal string encoding and other obfuscation techniques. Some of the packages, such as "events-utils" and "icloud-cod," are linked to Bitbucket repositories, while others use command-and-control (C2) addresses previously associated with Lazarus Group campaigns, indicating the scale and coordination of this operation.

Cybersecurity researchers are urging developers to be vigilant and carefully review all dependencies before installing them. The North Korean threat actors continue to create new npm accounts and deploy malicious code across platforms like the npm registry, GitHub, and Bitbucket, demonstrating their persistence and showing no signs of slowing down. This campaign highlights the increasing sophistication of supply chain attacks and the need for robust security measures to protect against such threats.

References:
  • Security Risk Advisors: Socket Research Team's report
  • The Hacker News: North Korean Hackers Deploy BeaverTail Malware via 11 Malicious npm Packages
  • ciso2ciso.com: North Korean Hackers Deploy BeaverTail Malware via 11 Malicious npm Packages – Source:thehackernews.com
  • Talkback Resources: North Korean Hackers Deploy BeaverTail Malware via 11 Malicious npm Packages [net] [mal]
  • securityonline.info: Lazarus Group Expands Malicious Campaign on npm, Targets Developers with New Malware
  • www.scworld.com: Malicious npm packages, BeaverTail malware leveraged in new North Korean attacks
  • Cyber Security News: North Korean cyber threat actors, Lazarus Group, have escalated their supply chain attack tactics by introducing a series of malicious npm (Node Package Manager) packages.
  • cyberpress.org: North Korean cyber threat actors, Lazarus Group, have escalated their supply chain attack tactics by introducing a series of malicious npm (Node Package Manager) packages. Utilizing sophisticated hexadecimal encoding to camouflage their code and evade detection systems, the group aims to compromise developer systems, steal sensitive credentials, and maintain persistent access to targeted environments.
  • Chris Wysopal: Infosec.Exchange post on new supply chain NPM package malware attacks found.

Lucija Valentic (lucija.valentic@reversinglabs.com) @ Blog (Main) //
A new malware campaign has been discovered targeting developers through malicious npm packages. Researchers at ReversingLabs identified two packages, ethers-provider2 and ethers-providerz, designed to inject reverse shells into locally installed instances of the popular 'ethers' library. This allows attackers to gain remote access to compromised systems. The attack cleverly hides its malicious payload, modifying legitimate files to ensure persistence even after the initial packages are removed.

This campaign showcases a sophisticated approach to software supply chain attacks. The malicious packages act as downloaders, patching the 'ethers' library with a reverse shell. Once 'ethers' is reinstalled, the modifications are reintroduced, granting attackers continued access. ReversingLabs detected the threat using its Spectra platform and has developed a YARA rule to identify compromised systems. While ethers-providerz has been removed, ethers-provider2 remains available, posing a substantial risk, especially if such tactics are deployed against more popular npm packages in the future.

References:
  • Malicious npm Packages Deliver Sophisticated Reverse Shells
  • Blog (Main): Malware found on npm infecting local package with reverse shell
  • thehackernews.com: Malicious npm Package Modifies Local 'ethers' Library to Launch Reverse Shell Attacks
  • hackread.com: New npm Malware Attack Infects Popular Ethereum Library with Backdoor
  • www.bleepingcomputer.com: Two malicious packages were discovered on npm (Node package manager) that covertly patch legitimate, locally installed packages to inject a persistent reverse shell backdoor.
  • The DefendOps Diaries: Explore a sophisticated npm attack revealing software supply chain vulnerabilities and the need for enhanced security measures.
  • Datadog Security Labs: Introducing Supply-Chain Firewall: Protecting Developers from Malicious Open Source Packages
  • www.csoonline.com: Malicious npm packages found to create a backdoor in legitimate code
  • BleepingComputer: Infostealer campaign compromises 10 npm packages, targets devs
  • www.scworld.com: reports on NPM related infostealer campaigns
  • securityonline.info: A recent report by ReversingLabs (RL) has uncovered malicious packages on the npm repository that employ sophisticated techniques
  • www.techradar.com: Malicious npm packages use devious backdoors to target users

SC Staff@scmagazine.com //
The Lazarus Group, a North Korean APT, is actively targeting developers through the npm ecosystem by publishing malicious packages. These packages are designed to compromise developer environments, steal credentials, extract cryptocurrency data, and deploy backdoors. The attackers use typosquatting, mimicking legitimate library names to deceive developers into downloading the compromised versions. The packages contain BeaverTail malware and the InvisibleFerret backdoor and exhibit identical obfuscation techniques, cross-platform targeting, and command-and-control mechanisms consistent with previous Lazarus campaigns.

Six malicious npm packages have been identified, including postcss-optimizer, is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, and react-event-dependency. These packages have been collectively downloaded over 330 times and contain the BeaverTail malware, which functions as both an infostealer and a loader designed to steal login credentials, exfiltrate sensitive data, and deploy backdoors in compromised systems. The Lazarus Group also maintained GitHub repositories for five of the malicious packages, lending an appearance of open source legitimacy.

References:
  • The DefendOps Diaries: Lazarus Group's Latest Supply Chain Attacks on Developers
  • BleepingComputer: North Korean Lazarus hackers infect hundreds via npm packages
  • bsky.app: Reports on the six malicious npm packages linked to the Lazarus Group.
  • The Hacker News: The Lazarus Group, a North Korean APT, is actively targeting the npm ecosystem by publishing malicious packages that closely mimic legitimate libraries, deceiving developers into incorporating harmful code into their projects.
  • socket.dev: North Korea’s Lazarus Group continues to infiltrate the npm ecosystem, deploying six new malicious packages designed to compromise developer environments, steal credentials, extract cryptocurrency data, and deploy a backdoor.
  • securityaffairs.com: Lazarus Strikes npm Again with New Wave of Malicious Packages
  • hackread.com: Lazarus Group Hid Backdoor in Fake npm Packages in Latest Attack
  • Threats | CyberScoop: Lazarus Group deceives developers with 6 new malicious npm packages
  • www.scworld.com: Malware spread by Lazarus Group via counterfeit npm packages
  • securityonline.info: Typosquatting & Backdoors: Lazarus’ Latest npm Campaign
  • BleepingComputer: Six malicious packages have been identified on npm (Node package manager) linked to the notorious North Korean hacking group Lazarus.
  • Security Risk Advisors: The Lazarus Group, North Korea’s notorious state-backed cyber threat actor, has infiltrated the npm ecosystem once again, deploying
  • Security Risk Advisors: Lazarus Group Deploys Malicious npm Packages to Target Developers and Exfiltrate Data
  • securityonline.info: The notorious North Korean threat actor Lazarus Group has been identified breaching Windows web servers to establish command-and-control
  • Datadog Security Labs: Stressed Pungsan: DPRK-aligned threat actor leverages npm for initial access

@socket.dev //
The North Korean state-sponsored hacking group Lazarus has been identified as the source of a sophisticated supply chain attack that targets software developers. The group employed a malicious Node Package Manager (NPM) package named "postcss-optimizer" to deliver malware. This package deceptively mimics the widely used postcss libraries. Security researchers at Socket discovered the malicious package and linked it directly to Lazarus Group, noting its code-level similarities to previous campaigns. The "postcss-optimizer" package has been downloaded 477 times and serves as a vector for deploying BeaverTail malware.

Once installed, BeaverTail functions as both an infostealer and a malware loader. It is designed to compromise systems across Windows, macOS, and Linux. The malware's targets include browser cookies, credentials, and cryptocurrency wallet files. The information is exfiltrated to a command-and-control server. It is suspected to deliver secondary payloads such as InvisibleFerret, a known backdoor associated with Lazarus. The attackers used the deceptive npm registry alias "yolorabbit" to further confuse developers, who might have believed they were downloading legitimate software.

References:
  • cyberpress.org: Lazarus Hackers Deploy Malicious NPM Packages on Software Developers Systems
  • gbhackers.com: Lazarus Group Drop Malicious NPM Packages in Developers Systems Remotely
  • socket.dev: Socket: This looks potentially related to SecurityScorecard's blog post about Lazarus Group (see parent toot above). A malicious npm package postcss-optimizer delivers BeaverTail malware, targeting developer systems. Socket researchers note that the package contains code linked to North Korean state-sponsored campaigns known as Contagious Interview. Indicators of compromise are shared.
  • Cyber Security News: In a detailed investigation by Socket security researchers, a new malicious npm package, "postcss-optimizer," has been linked to the notorious North Korean Advanced Persistent Threat (APT) group Lazarus.