North Korean hacker group Lazarus launched attacks through malicious npm packages to steal crypto wallet and browser data


The Socket research team found that the North Korean hacker group Lazarus is associated with six malicious npm packages that attempt to deploy backdoors to steal user credentials and crypto wallet data, especially targeting Solana and Exodus wallets. The attack targets include Google Chrome, Brave, and Firefox browser files, as well as macOS Keychain data, and it primarily affects developers who unknowingly install these packages. The six malicious packages are is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator. The attackers use name squatting and misspelled package names (typosquatting) to deceive developers into installing them, and five of the packages are also disguised as open source projects on GitHub to increase the risk of infection. So far, these malicious packages have been downloaded over 330 times. (Decrypt)
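
A lockfile check for the six package names listed above, as an added example that is not from Socket's report or the original article. It takes an already parsed package-lock.json; the sample lockfile, its clean package names and all version numbers are constructed.

```javascript
// Package names reported on this page as malicious.
const REPORTED = new Set([
  "is-buffer-validator", "yoojae-validator", "event-handle-package",
  "array-empty-validator", "react-event-dependency", "auth-validator",
]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

// Returns sorted "name@version (location)" strings for every reported
// package found in a parsed package-lock.json (lockfileVersion 1, 2 or 3).
function findReported(lock) {
  const hits = new Set();
  // v2/v3: flat "packages" map keyed by install path. An aliased install
  // carries the real package name in "name", so prefer it over the path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const name = meta.name || nameFromPath(path);
    if (REPORTED.has(name)) hits.add(`${name}@${meta.version} (${path})`);
  }
  // v1: nested "dependencies" tree; recurse to reach transitive installs.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = [...trail, name];
      if (REPORTED.has(name)) hits.add(`${name}@${meta.version} (${here.join(" > ")})`);
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return [...hits].sort();
}

// Constructed sample lockfile (clean package names and all versions are made up).
const SAMPLE_LOCK = {
  name: "demo-app", lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/clean-lib": { version: "2.0.5" },
    "node_modules/clean-lib/node_modules/auth-validator": { version: "0.0.1" },
    "node_modules/buf-check": { name: "is-buffer-validator", version: "0.0.2" },
  },
};
console.log(findReported(SAMPLE_LOCK));
```

To scan a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findReported`; any hit means the package was resolved into the dependency tree, including as a transitive or aliased install.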
