Lazarus Expands Malicious npm Campaign: 11 New Packages Add Malware Loaders and Bitbucket Payloads

April 8, 2025, 11:55 a.m.

Description

North Korean threat actors have expanded their presence in the npm ecosystem, publishing additional malicious packages that deliver the BeaverTail malware and introduce new remote access trojan loader functionality. The campaign, known as Contagious Interview, aims to compromise developer systems, steal sensitive data, and maintain access to compromised environments. The actors have created new npm accounts and deployed malicious code across npm, GitHub, and Bitbucket. The expanded campaign includes 11 new packages with over 5,600 downloads, using hexadecimal string encoding to evade detection. The malware targets browser data, macOS keychain, and cryptocurrency wallets. The threat actors are diversifying their tactics, using multiple malware variants and obfuscation techniques to ensure resilience and evade detection.

External References

https://socket.dev/blog/lazarus-expands-malicious-npm-campaign-11-new-packages-add-malware-loaders-and-bitbucket
https://otx.alienvault.com/pulse/67f4fb27428373d4ee443799
Tags
north korea
cryptocurrency
beavertail
invisibleferret
2025-04-08

Date

  • Created: April 8, 2025, 10:32 a.m.
  • Published: April 8, 2025, 10:32 a.m.
  • Modified: April 8, 2025, 11:55 a.m.

Indicators

  • 45.61.151.71
  • 144.172.87.27
  • 185.153.182.241
  • https://mocki.io/v1/32f16c80-602a-4c80-80af-32a9b8220a6b
  • http://mocki.io/v1/32f16c80-602a-4c80-80af-32a9b8220a6b
  • http://m21gk.wiremockapi.cloud/g/api/880
Download all indicators here!

Attack Patterns

  • BeaverTail
  • InvisibleFerret
  • Lazarus Group

Additional Informations

  • Technology