CyberSecurityBoard
Sponsor Register Login

Lazarus Adds New Malicious npm Packages with Hexadecimal Encoding

These packages, part of the broader Contagious Interview operation, are designed to evade automated detection systems and manual code audits, marking a significant evolution in the group’s approach to cyber espionage and financial theft. The Lazarus Group, a notorious North Korean state-sponsored hacking collective, has escalated its cyber warfare tactics by introducing new malicious npm packages with advanced obfuscation techniques. These packages share not only common C2 endpoints but also exhibit structural similarities with previously attributed Lazarus operations, including the use of BeaverTail, an infostealer targeting browser data, macOS keychain, and cryptocurrency wallets. The packages employ hexadecimal string encoding to hide critical strings such as function names, URLs, and command and control (C2) server addresses, making them less detectable during static analysis. The latest campaign has seen the Lazarus Group expand its presence in the npm ecosystem, publishing packages under new aliases like taras_lakhai, mvitalii, wishorn, and crouch626. As these cyber threats evolve, so must the defensive strategies of those in the software development community, ensuring that security is not just an afterthought but a fundamental aspect of the development process. Similarly, the wishorn account uses an obfuscated C2 IP address within its packages, linking it directly to known Lazarus infrastructure. In a strategic move to legitimize their operations, the Lazarus Group has shifted from GitHub to Bitbucket for hosting their malicious code. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. For instance, the package cln-logger uses this technique to decode strings like “require,” “axios,” and “get,” which are essential for fetching and executing code from C2 servers. This includes implementing automated dependency audits, contextual scanning of third-party packages, and monitoring for unusual dependency changes. The obfuscation strategy involves encoding strings in hexadecimal format, which are then decoded at runtime using JavaScript’s String.fromCharCode function reads the Socket report.

This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 07 Apr 2025 11:30:10 +0000


Cyber News related to Lazarus Adds New Malicious npm Packages with Hexadecimal Encoding

Lazarus Adds New Malicious npm Packages with Hexadecimal Encoding - These packages, part of the broader Contagious Interview operation, are designed to evade automated detection systems and manual code audits, marking a significant evolution in the group’s approach to cyber espionage and financial theft. The ...
7 months ago Cybersecuritynews.com Lazarus Group
'everything' blocks devs from removing their own npm packages - Since these 3,000+ packages manage to include every single npm package on the npmjs.com registry as their dependency, npm package authors who have ever published to the npm registry would now be unable to remove their packages at will, because of ...
1 year ago Bleepingcomputer.com
CISA adds Check Point Quantum Security Gateways and Linux Kernel flaws to its Known Exploited Vulnerabilities catalog - CISA adds Apache Flink flaw to its Known Exploited Vulnerabilities catalog. CISA adds D-Link DIR router flaws to its Known Exploited Vulnerabilities catalog. CISA adds Google Chrome zero-days to its Known Exploited Vulnerabilities catalog. CISA adds ...
1 year ago Securityaffairs.com
Lazarus Hackers Weaponized 6 npm Packages To Steal Logins - The hackers successfully compromised six popular npm packages, injecting malicious code designed to harvest login credentials from thousands of developers and organizations worldwide. A sophisticated supply chain attack orchestrated by the notorious ...
8 months ago Cybersecuritynews.com Lazarus Group
Malicious PyPI packages targeting highly specific MacOS machines - As part of our software package supply chain security efforts, we continuously scan for malware in newly released PyPI and NPM packages. In this post, we describe a particularly interesting cluster of malicious packages that we've identified. In late ...
1 year ago Securitylabs.datadoghq.com
Feds Seize 'Sinbad' Crypto Mixer Used by North Korea's Lazarus - In its continued efforts to crack down on North Korea's most formidable state-sponsored threat group, the US government has seized a virtual currency mixer that has been serving as the principal way the group launders money stolen from its ...
1 year ago Darkreading.com Lazarus Group
Lazarus hackers drop new RAT malware using 2-year-old Log4j bug - The new malware are two remote access trojans named NineRAT and DLRAT and a malware downloader named BottomLoader. The D programming language is rarely seen in cybercrime operations, so Lazarus probably chose it for new malware development to evade ...
1 year ago Bleepingcomputer.com
npm 'accidentally' removes Stylus package, breaks builds and pipelines - Panya (the former maintainer of Stylus) used their own account to release a package containing malicious code (for security research purposes? I am unsure), but did not release a new version of Stylus containing malicious code. BleepingComputer ...
3 months ago Bleepingcomputer.com
5000+ Malicious Packages Found In The Wild To Compromise Windows Systems - These packages, detected from November 2024 onward, employ sophisticated techniques to evade traditional security measures while executing harmful actions that can lead to data theft, unauthorized access, and complete system compromise. Similarly, ...
8 months ago Cybersecuritynews.com
North Korean hackers exploit critical TeamCity flaw to breach networks - Microsoft says that the North Korean Lazarus and Andariel hacking groups are exploiting the CVE-2023-42793 flaw in TeamCity servers to deploy backdoor malware, likely to conduct software supply chain attacks. In September, TeamCity fixed a critical ...
1 year ago Bleepingcomputer.com CVE-2023-42793 Andariel
Malicious NPM packages fetch info-stealer for Windows, Linux, macOS - A recent cybersecurity investigation has uncovered malicious NPM packages that distribute an info-stealer malware targeting Windows, Linux, and macOS platforms. These packages, hosted on the popular Node Package Manager (NPM) repository, have been ...
2 weeks ago Bleepingcomputer.com
3 PYPI Packages Caught Spreading Malware - Recent reports have highlighted the malicious spreading of malware via 3 specific Python Package Index (PyPI) packages. These 3 packages were identified and reported by Sonatype, a software supply chain security firm. ...
2 years ago Securityaffairs.com
Malicious NPM Packages Targeting PayPal Users to Steal Sensitive Data - FortiGuard Labs, Fortinet’s AI-driven threat intelligence arm, has uncovered a series of malicious NPM packages designed to steal sensitive information from developers and target PayPal users. Detected between March 5 and March 14, 2025, these ...
7 months ago Cybersecuritynews.com
North Korean Lazarus hackers infect hundreds via npm packages - The packages contain malicious code designed to steal sensitive information, such as cryptocurrency wallets and browser data that contains stored passwords, cookies, and browsing history. The packages, which have been downloaded 330 times, are ...
8 months ago Bleepingcomputer.com
Lazarus Group is No Longer Consider a Single APT Group, But Collection of Many Sub Groups - The cybersecurity landscape is witnessing a growing complexity in the attribution of Advanced Persistent Threat (APT) actors, particularly the North Korean-linked Lazarus group. For instance, Bureau325 and APT43 have been identified as entities that ...
7 months ago Cybersecuritynews.com Kimsuky Lazarus Group
North Korean hackers target open-source repositories in new espionage campaign | The Record from Recorded Future News - North Korean state-backed hackers have planted malicious code in open-source software repositories as part of an ongoing campaign that has already put tens of thousands of developers at risk of surveillance and data theft, according to new research. ...
3 months ago Therecord.media
Malicious NPM, PyPI Packages Stealing User Information - Check Point and Phylum are warning of recently identified NPM and PyPI packages designed to steal user information and download additional payloads. Taking advantage of the broad use of open source code in application development, malicious actors ...
2 years ago Securityweek.com
PhantomRaven Attack Involves 126 Malicious NPM Packages - The PhantomRaven cyberattack has been uncovered involving a staggering 126 malicious NPM packages, posing a significant threat to the software development community. These packages were designed to infiltrate systems by exploiting the widely used ...
2 weeks ago Cybersecuritynews.com PhantomRaven
Malicious npm and PyPI Pose as Developer Tools to Steal Login Credentials - The researchers noted that the packages employ various exfiltration methods to transmit stolen credentials to threat actors, with react-native-scrollpageviewtest using Google Analytics as its exfiltration channel, while the PyPI packages leverage ...
6 months ago Cybersecuritynews.com
New NPM Attack Infecting Local Packages With Cleverly Hidden Malicious Payload - These packages act as downloaders, injecting malicious code into locally installed versions of the legitimate ethers package, ultimately creating a reverse shell on the victim’s machine. The threat actor may have been attempting to ...
7 months ago Cybersecuritynews.com
Hackers breach Toptal GitHub account, publish malicious npm packages - In the days that followed, the attackers modified the source code of Picasso on GitHub to include malware and published 10 malicious packages on NPM as Toptal, making them appear as legitimate updates. According to code security ...
3 months ago Bleepingcomputer.com
ClickFake Interview - Lazarus Hackers Exploit Windows & macOS Users Fake Job Campaign - The ClickFake Interview campaign builds upon the tactics of Contagious Interview, which targeted software developers via fake job interviews conducted on platforms like LinkedIn or X (formerly Twitter). The Lazarus Group, a North Korean ...
7 months ago Cybersecuritynews.com Lazarus Group
Three New Malicious PyPI Packages Deploy CoinMiner on Linux Devices - Affected platforms: LinuxAffected parties: Linux users that have these malicious packages installedImpact: Latency in device performanceSeverity level: High. On December 5th, 2023, FortiGuard's AI-driven OSS malware detection system identified three ...
1 year ago Feeds.fortinet.com
Malicious npm Packages Attacking Linux Developers to Install SSH Backdoors - Discovered in early 2025, several malicious npm packages have been masquerading as legitimate Telegram bot libraries to deliver SSH backdoors and exfiltrate sensitive data from unsuspecting developers. The malicious variants—node-telegram-utils, ...
6 months ago Cybersecuritynews.com
New npm attack poisons local packages with backdoors - Two malicious packages were discovered on npm (Node package manager) that covertly patch legitimate, locally installed packages to inject a persistent reverse shell backdoor. In general, when downloading packages from package indexes like PyPI and ...
7 months ago Bleepingcomputer.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)