Lazarus Group deceives developers with 6 new malicious npm packages | CyberScoop<\/title> <meta name=\"description\" content=\"Socket researchers said the malware-ridden packages were collectively downloaded over 330 times. GitHub removed all of the malicious packages Wednesday.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/lazarus-group-north-korea-malicious-npm-packages-socket\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Lazarus Group deceives developers with 6 new malicious npm packages\"> <meta property=\"og:description\" content=\"Socket researchers said the malware-ridden packages were collectively downloaded over 330 times. GitHub removed all of the malicious packages Wednesday.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/lazarus-group-north-korea-malicious-npm-packages-socket\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-03-12T22:31:17+00:00\"> <meta property=\"article:modified_time\" content=\"2025-03-12T22:31:19+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/lazarus-group-deceives-developers-with-6-new-malicious-npm-packages-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1280\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1739294329g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1741103352g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1740691656g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=a815169637cf454b7376\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/83849\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.7.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=83849\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Flazarus-group-north-korea-malicious-npm-packages-socket%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Flazarus-group-north-korea-malicious-npm-packages-socket%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-83849 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/lazarus-group-north-korea-malicious-npm-packages-socket\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"5.12\">\n<div class=\"stickybar__info js-sticky-bar-content\" readability=\"32\">\n<p>Nominations can be submitted for the 2025 CyberScoop 50 awards!<\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.870810055866\">\n<div class=\"single-article__header-content\" readability=\"34.510948905109\">\n<p> Socket researchers said the malware-ridden packages were collectively downloaded over 330 times. GitHub removed all of the malicious packages Wednesday. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/83849\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/lazarus-group-deceives-developers-with-6-new-malicious-npm-packages.jpg?resize=640%2C426&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/lazarus-group-deceives-developers-with-6-new-malicious-npm-packages-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/lazarus-group-deceives-developers-with-6-new-malicious-npm-packages-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/lazarus-group-deceives-developers-with-6-new-malicious-npm-packages-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/lazarus-group-deceives-developers-with-6-new-malicious-npm-packages-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/lazarus-group-deceives-developers-with-6-new-malicious-npm-packages-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/lazarus-group-deceives-developers-with-6-new-malicious-npm-packages-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/lazarus-group-deceives-developers-with-6-new-malicious-npm-packages-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/lazarus-group-deceives-developers-with-6-new-malicious-npm-packages-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/lazarus-group-deceives-developers-with-6-new-malicious-npm-packages-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/lazarus-group-deceives-developers-with-6-new-malicious-npm-packages-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> In this picture taken near the truce village of Panmunjom inside the demilitarized zone (DMZ) separating the two Koreas, a bird flies near a North Korean flag fluttering in the wind at the propaganda village of Gijungdong in North Korea on October 4, 2022. (Photo by ANTHONY WALLACE\/AFP via Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"34.757446181068\"><body readability=\"70.84194214876\"><\/p>\n<p>Lazarus Group has burrowed deeper into the npm registry and planted six new malicious packages designed to deceive software developers and disrupt their workflows, researchers at cybersecurity firm Socket said in a Monday <a href=\"https:\/\/socket.dev\/blog\/lazarus-strikes-npm-again-with-a-new-wave-of-malicious-packages\">blog post<\/a>.<\/p>\n<p>The North Korea-linked threat group embedded BeaverTail malware into the npm packages to install backdoors and steal credentials and data in cryptocurrency wallets, according to Socket. The malicious code targets npm, a package manager for the JavaScript programming language, which is maintained by a subsidiary of Microsoft-owned GitHub. <\/p>\n<p>A GitHub spokesperson said all six of the malicious packages were removed Wednesday. <\/p>\n<p>The packages containing BeaverTail malware, aligning with previous Lazarus tactics, include <a href=\"https:\/\/socket.dev\/npm\/package\/is-buffer-validator\">is-buffer-validator<\/a>, <a href=\"https:\/\/socket.dev\/npm\/package\/yoojae-validator\">yoojae-validator<\/a>, <a href=\"https:\/\/socket.dev\/npm\/package\/event-handle-package\">event-handle-package<\/a>, <a href=\"https:\/\/socket.dev\/npm\/package\/array-empty-validator\">array-empty-validator<\/a>, <a href=\"https:\/\/socket.dev\/npm\/package\/react-event-dependency\">react-event-dependency<\/a>, and <a href=\"https:\/\/socket.dev\/npm\/package\/auth-validator\">auth-validator<\/a>, Socket researchers said.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cThe six new packages \u2014 collectively downloaded over 330 times \u2014 closely mimic the names of widely trusted libraries, employing a well-known typosquatting tactic used by Lazarus-linked threat actors to deceive developers,\u201d Kirill Boychenko, threat intelligence analyst at Socket, said in the blog post.<\/p>\n<p>Lazarus Group also \u201ccreated and maintained GitHub repositories for five of the malicious packages, lending an appearance of open source legitimacy and increasing the likelihood of the harmful code being integrated into developer workflows,\u201d Boychenko added. <\/p>\n<p>The naming scheme applied to the malicious packages suggests Lazarus Group is aware of Socket\u2019s research into its previous malicious npm activities. One package in particular, is-buffer-validator, resembles the <a href=\"https:\/\/socket.dev\/npm\/package\/is-buffer\">is-buffer<\/a> module first authored by Socket CEO Feross Aboukhadijeh in 2015. The legitimate is-buffer package has been downloaded over 134 million times.<\/p>\n<p>The malicious code embedded into the malicious packages mirrors techniques observed in previous campaigns linked to the Lazarus Group, including self-invoking functions, dynamic function constructors and array shifting to obscure the packages\u2019 functionality, according to Socket. <\/p>\n<p>BeaverTail malware allows for multi-stage payload delivery and persistence mechanisms for long-term access. The code collects system environment details, extracts sensitive login files and keychain archives.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The malware also targets cryptocurrency wallets by extracting id.json from Solana and exodus.wallet from Exodus, which are then uploaded to a hardcoded C2 server, echoing another Lazarus Group tactic involving of harvesting and transmitting stolen data, Socket researchers said.<\/p>\n<p>The notorious collective of malicious hackers, which North Korea assembled as early as 2007, according to the U.S. government, <a href=\"https:\/\/cyberscoop.com\/bybit-lazarus-group-north-korea-ethereum\/\">stole $1.46 billion in Ethereum<\/a> from cryptocurrency exchange ByBit last month. It was the largest known financial theft in history.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.6944444444444\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/03\/lazarus-group-deceives-developers-with-6-new-malicious-npm-packages-1.jpg?w=640&ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/lazarus-group-north-korea-malicious-npm-packages-socket\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Lazarus Group deceives developers with 6 new malicious npm packages<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[337,282,78,725,1010,168,647,3875,256,3876,3688,288],"tags":[340,286,86,728,242,169,240,3877,262,3878,3690,294],"class_list":["post-7441","post","type-post","status-publish","format-standard","hentry","category-cryptocurrency","category-cybercrime","category-cybersecurity","category-github","category-lazarus-group","category-malware","category-north-korea","category-npm","category-research","category-socket","category-software-security","category-threats","tag-cryptocurrency","tag-cybercrime","tag-cybersecurity","tag-github","tag-lazarus-group","tag-malware","tag-north-korea","tag-npm","tag-research","tag-socket","tag-software-security","tag-threats"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cryptocurrency\/\" rel=\"category tag\">cryptocurrency<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/github\/\" rel=\"category tag\">GitHub<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/lazarus-group\/\" rel=\"category tag\">Lazarus Group<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/malware\/\" rel=\"category tag\">Malware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/north-korea\/\" rel=\"category tag\">North Korea<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/npm\/\" rel=\"category tag\">npm<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/socket\/\" rel=\"category tag\">Socket<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/software-security\/\" rel=\"category tag\">software security<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a>","tag_info":"Threats","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7441","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7441"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7441\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7441"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7441"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7441"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":7441,"date":"2025-03-12T17:31:17","date_gmt":"2025-03-12T22:31:17","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=83849"},"modified":"2025-03-12T17:31:17","modified_gmt":"2025-03-12T22:31:17","slug":"lazarus-group-deceives-developers-with-6-new-malicious-npm-packages","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/03\/12\/lazarus-group-deceives-developers-with-6-new-malicious-npm-packages\/","title":{"rendered":"Lazarus Group deceives developers with 6 new malicious npm packages"},"content":{"rendered":"