Lazarus Group NPM Malware Targets JavaScript Developers

Author: Ze Research Writer

Security researchers at Socket discovered six malicious npm packages linked to North Korea's Lazarus Group, designed to steal credentials and cryptocurrency wallet data from JavaScript developers through typosquatting tactics.

Security researchers at Socket have identified six malicious npm packages linked to North Korea's Lazarus Group, a state-sponsored threat actor with a documented history of targeting software supply chains. The packages, which were collectively downloaded over 330 times before removal, deployed BeaverTail malware designed to steal credentials and extract cryptocurrency wallet data from infected developer systems.

[Figure 1: Visual representation of the BeyondTrust vulnerability chain (image not reproduced)]

What Happened

Socket's research team published findings on March 11, 2025, detailing the discovery of six new malicious npm packages. The packages had been uploaded to the npm registry at various points prior to detection, and Lazarus Group created and maintained GitHub repositories for five of the six packages to lend them an appearance of open-source legitimacy.

On March 12, 2025, GitHub confirmed removal of all six packages from npm. A GitHub spokesperson stated that the malicious packages were removed on Wednesday following Socket's disclosure.

The naming scheme applied to the malicious packages suggests awareness of previous security research. One package in particular, is-buffer-validator, resembles the legitimate is-buffer module first authored by Socket CEO Feross Aboukhadijeh in 2015. The legitimate is-buffer package has been downloaded over 134 million times, which makes it an attractive target for typosquatting.

Key Claims and Evidence

Socket researchers attributed the packages to Lazarus Group based on technical indicators matching previous campaigns. The malicious code embedded into the packages mirrors techniques observed in prior Lazarus operations, including self-invoking functions, dynamic function constructors, and array shifting to obscure the packages' functionality.

The packages contained BeaverTail malware, a payload previously associated with Lazarus Group operations. According to Socket's analysis, BeaverTail enables multi-stage payload delivery and persistence mechanisms for long-term access to compromised systems.

The malware collects system environment details and extracts sensitive login files and keychain archives from infected machines. Cryptocurrency wallet targeting focuses on extracting id.json from Solana wallets and exodus.wallet from Exodus installations. Extracted data is uploaded to a hardcoded command-and-control server, echoing documented Lazarus Group tactics for harvesting and transmitting stolen data.

[Figure 2: How the authentication bypass vulnerability works (image not reproduced)]

Pros and Opportunities

The rapid detection and removal of the malicious packages demonstrates the value of automated supply chain security scanning. Socket's detection occurred before the packages achieved widespread adoption, limiting the total download count to approximately 330 installations.

Security researchers and npm users benefit from public disclosure of attack patterns. Documentation of Lazarus Group's typosquatting tactics and technical indicators enables defenders to implement detection rules and audit existing dependencies for similar patterns.

The incident reinforces the importance of dependency verification practices. Organizations that implement package allowlists, checksum verification, and automated security scanning reduce exposure to supply chain attacks.

Cons, Risks, and Limitations

The 330 downloads represent potential compromises across developer workstations and build environments. Affected developers face credential theft, cryptocurrency wallet compromise, and potential persistent access through backdoor installation.

Detection occurred after the packages had been available on npm for an undisclosed period. The gap between publication and detection represents a window of vulnerability during which developers could unknowingly install malicious code.

Typosquatting attacks exploit human error during package installation. Even security-conscious developers can inadvertently install malicious packages when typing package names manually or copying from untrusted sources.

The creation of GitHub repositories for five of the six packages demonstrates sophisticated social engineering. Developers who reviewed the packages' GitHub presence would have found repositories lending false legitimacy to the malicious code.

[Figure 3: Privilege escalation from user to SYSTEM level (image not reproduced)]

How the Technology Works

BeaverTail malware operates as a multi-stage payload delivery system. Upon installation of an infected npm package, the malware executes through obfuscated JavaScript code that evades static analysis through techniques including self-invoking functions and dynamic function construction.

The initial payload collects system environment information and establishes persistence mechanisms. Subsequent stages extract sensitive data including login credentials, keychain archives, and cryptocurrency wallet files.

For cryptocurrency targeting, the malware searches for specific file paths associated with popular wallet applications. Solana wallet data stored in id.json files and Exodus wallet data in exodus.wallet directories are extracted and transmitted to attacker-controlled infrastructure.

Array shifting techniques obscure the malware's functionality by dynamically reordering code execution paths. Combined with dynamic function constructors, these obfuscation methods complicate reverse engineering and automated detection.
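The three obfuscation patterns named above (self-invoking functions, dynamic function constructors and array shifting) are static shapes a reviewer can look for before code ever runs. The following is an added example written for this article, not code from Socket's report or from any npm package: a small triage scanner that counts those shapes in a source string and returns a weighted score. The eval() indicator, the weights and the threshold are the example's own assumptions, not figures from the article.

```javascript
// Added example (not code from the article, Socket, or any npm package):
// a static triage heuristic for the obfuscation patterns the article lists
// in Lazarus npm payloads: self-invoking functions, dynamic Function
// constructors and array shifting. eval() is added as a closely related
// dynamic-evaluation indicator (an assumption, not something the article
// names). Weights and the threshold are arbitrary tuning choices.

const INDICATORS = [
  // (function () { ... })()  or  !function () { ... }()
  { name: "self-invoking-function", weight: 1, re: /[(!]\s*function\s*\w*\s*\([^)]*\)\s*\{/g },
  // new Function("...") builds code from strings at runtime
  { name: "dynamic-function-constructor", weight: 3, re: /\bnew\s+Function\s*\(/g },
  // eval("...") is the other common string-to-code path
  { name: "eval-call", weight: 3, re: /\beval\s*\(/g },
  // arr.push(arr.shift()) rotates a string or opcode table so that indices
  // only line up after the rotation, a classic decoder-loop shape
  { name: "array-rotation", weight: 3, re: /\.push\s*\(\s*\w+\s*\.shift\s*\(\s*\)\s*\)/g },
  // a bare .shift() is common in honest code, so it only adds a little weight
  { name: "array-shift", weight: 1, re: /\.shift\s*\(\s*\)/g },
];

const SUSPICION_THRESHOLD = 4;

// Score one JavaScript source string. Returns the matched indicators with
// their counts and a boolean verdict for triage; it never executes the code.
function scanSource(source) {
  const findings = [];
  let score = 0;
  for (const ind of INDICATORS) {
    const count = (source.match(ind.re) || []).length;
    if (count > 0) {
      findings.push({ indicator: ind.name, count });
      score += ind.weight * count;
    }
  }
  return { score, suspicious: score >= SUSPICION_THRESHOLD, findings };
}

// Constructed sample in the shape the article describes (not real malware).
const SAMPLE_SUSPICIOUS = `
(function () {
  var parts = ['c', 'a', 'b'];
  parts.push(parts.shift());
  var build = new Function('x', 'return x');
  build(parts.join(''));
})();
`;

// Constructed benign module: a plain FIFO queue that happens to call .shift().
const SAMPLE_BENIGN = `
const queue = [];
function enqueue(job) { queue.push(job); }
function next() { return queue.shift(); }
module.exports = { enqueue, next };
`;

console.log("suspicious sample:", JSON.stringify(scanSource(SAMPLE_SUSPICIOUS)));
console.log("benign sample:   ", JSON.stringify(scanSource(SAMPLE_BENIGN)));
```

The benign queue scores 1 (a single shift) and the constructed sample scores 8, which is the point of the weighting: one indicator on its own is normal JavaScript, several together in a freshly installed dependency deserve a manual look. A heuristic like this belongs in a pre-install review or CI step as a prompt for inspection, not as an automated block.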

Technical context: the InvisibleFerret backdoor component, referenced in some analyses of Lazarus npm campaigns, provides persistent remote access capabilities. The backdoor enables attackers to maintain access to compromised systems beyond the initial infection vector.

Industry Implications

The npm ecosystem serves as a critical dependency source for JavaScript and TypeScript applications across web development, server-side Node.js deployments, and increasingly, desktop and mobile applications built with frameworks like Electron and React Native. Supply chain attacks targeting npm affect a broad cross-section of the software industry.

Lazarus Group's continued targeting of developer tools and package registries reflects a strategic focus on high-value targets. Compromising developer workstations provides access to source code repositories, deployment credentials, and internal systems.

The cryptocurrency targeting component aligns with documented North Korean state objectives. Multiple government agencies have attributed cryptocurrency theft operations to Lazarus Group as a mechanism for sanctions evasion and revenue generation.

Package registry operators face ongoing challenges in detecting malicious uploads. The volume of packages published to npm daily makes comprehensive manual review impractical, placing emphasis on automated detection and community reporting.

What Remains Unclear

The exact publication dates for each of the six malicious packages have not been publicly disclosed. The duration of exposure between package publication and removal affects the scope of potential compromise.

The number of unique developers or organizations affected by the 330 downloads remains unknown. Download counts do not directly correlate to compromises, as some downloads may represent automated systems, security researchers, or failed installations.

Whether any cryptocurrency theft resulted from the campaign has not been confirmed. The presence of wallet-targeting functionality indicates intent, but successful exfiltration and subsequent theft would require additional steps beyond initial compromise.

The specific command-and-control infrastructure used in this campaign has not been publicly detailed. Attribution to Lazarus Group relies on technical indicators and pattern matching rather than infrastructure analysis.

What to Watch Next

npm and GitHub security teams continue monitoring for additional malicious packages using similar techniques. Developers should audit dependencies for any of the six identified package names and review installation logs for the affected period.
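The dependency-verification practices recommended earlier (allowlists, checksum verification, automated scanning), the typosquatting risk illustrated by is-buffer-validator, and the advice here to audit dependencies for the identified names can all be checked from a lockfile. The following is an added example written for this article, not code from Socket, npm or the article itself. It assumes the package-lock.json v3 layout (entries under "packages" keyed by install path); the allowlist, the versions and the integrity strings are constructed, and only the one malicious name the article gives is filled in.

```javascript
// Added example (not the article's, Socket's or npm's code): audit a
// package-lock.json (lockfileVersion 3 layout, entries under "packages"
// keyed by install path) for names on a known-malicious list, names outside
// an approved allowlist, and missing integrity hashes, plus a typosquat check
// that flags names resembling a trusted package, as is-buffer-validator
// resembles is-buffer.

// Only one of the six package names appears in the article; the remaining
// five must be copied from Socket's advisory before this list is complete.
const KNOWN_MALICIOUS = new Set(["is-buffer-validator"]);

// Constructed allowlist standing in for an organisation's approved packages.
const APPROVED = new Set(["is-buffer", "lodash", "express"]);

const MAX_EDIT_DISTANCE = 2;

// Classic Levenshtein edit distance, single-row dynamic programming.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diagonal = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(
        above + 1,                                   // deletion
        row[j - 1] + 1,                              // insertion
        diagonal + (a[i - 1] === b[j - 1] ? 0 : 1),  // substitution
      );
      diagonal = above;
    }
  }
  return row[b.length];
}

// Returns the approved package a name appears to imitate, or null.
// Two shapes are checked: an approved name with an appended suffix
// ("is-buffer-validator") and a near-miss within a small edit distance.
function typosquatTarget(name, approved) {
  if (approved.has(name)) return null;
  for (const p of approved) {
    if (name.startsWith(p + "-") || name.startsWith(p + "_") ||
        levenshtein(name, p) <= MAX_EDIT_DISTANCE) {
      return p;
    }
  }
  return null;
}

// Walk every installed package in the lockfile and collect issues per name.
function auditLockfile(lock, { blocklist, allowlist }) {
  const findings = [];
  const marker = "node_modules/";
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    if (installPath === "") continue;  // the root project entry
    // "node_modules/a/node_modules/@scope/b" -> "@scope/b"
    const name = installPath.slice(installPath.lastIndexOf(marker) + marker.length);
    const issues = [];
    if (blocklist.has(name)) issues.push("known-malicious");
    if (!allowlist.has(name)) issues.push("not-on-allowlist");
    if (!entry.integrity) issues.push("missing-integrity");
    const target = typosquatTarget(name, allowlist);
    if (target) issues.push(`resembles:${target}`);
    if (issues.length) findings.push({ name, version: entry.version, issues });
  }
  return findings;
}

// Constructed lockfile fragment; versions are illustrative and the integrity
// strings are placeholders, not real digests.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/is-buffer":           { version: "2.0.5",   integrity: "sha512-PLACEHOLDER" },
    "node_modules/is-buffer-validator": { version: "1.0.0",   integrity: "sha512-PLACEHOLDER" },
    "node_modules/lodahs":              { version: "4.17.21", integrity: "sha512-PLACEHOLDER" },
    "node_modules/express":             { version: "4.19.2" },  // no integrity field
  },
};

console.log(JSON.stringify(
  auditLockfile(SAMPLE_LOCK, { blocklist: KNOWN_MALICIOUS, allowlist: APPROVED }), null, 2));
```

Against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")). The "resembles" finding is a prompt for review rather than a verdict: the suffix rule will also catch legitimate companions such as a "-types" or "-plugin" package, which is why the allowlist, once curated, should be the authoritative check and the similarity test only a safety net for names not yet on it.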

Security vendors are expected to update detection signatures based on the disclosed technical indicators. Organizations using automated dependency scanning should verify their tools incorporate the latest threat intelligence.

The broader pattern of state-sponsored supply chain attacks targeting developer ecosystems shows no signs of abating. Similar campaigns targeting PyPI, RubyGems, and other package registries have been documented in parallel with npm-focused operations.

Developers who installed any of the six packages should conduct forensic analysis of affected systems, rotate credentials, and verify cryptocurrency wallet integrity. The persistence mechanisms deployed by BeaverTail may survive package removal.

Sources

1. Socket Research Blog, "Lazarus Strikes npm Again with New Wave of Malicious Packages," March 11, 2025. https://socket.dev/blog/lazarus-strikes-npm-again-with-a-new-wave-of-malicious-packages
2. BleepingComputer, "North Korean Lazarus hackers infect hundreds via npm packages," March 11, 2025. https://www.bleepingcomputer.com/news/security/north-korean-lazarus-hackers-infect-hundreds-via-npm-packages/
3. CyberScoop, "Lazarus Group deceives developers with 6 new malicious npm packages," March 12, 2025. https://cyberscoop.com/lazarus-group-north-korea-malicious-npm-packages-socket/
4. Hackread, "Lazarus Group Backdoor Fake npm Packages Attack," March 12, 2025. https://hackread.com/lazarus-group-backdoor-fake-npm-packages-attack/
