Cybersecurity researchers have uncovered a sophisticated supply chain attack orchestrated by the notorious Lazarus Group, a threat actor widely believed to be linked to North Korea. The hackers successfully compromised six popular npm packages, injecting malicious code designed to harvest login credentials from thousands of developers and organizations worldwide. The attack, discovered last week, represents one of the most significant software supply chain compromises of the year, potentially affecting millions of downstream applications and websites that incorporated the tainted dependencies.

The Node Package Manager (npm) registry, which serves as the backbone for JavaScript development, has increasingly become a target for sophisticated threat actors seeking to maximize impact through minimum effort. By poisoning widely used packages, attackers can effectively compromise countless organizations that incorporate these dependencies into their software.

Security firm Mandiant identified the campaign after detecting suspicious network traffic originating from development environments at several financial institutions during routine security monitoring.

The attackers gained access to the npm accounts of legitimate package maintainers through sophisticated phishing attacks that bypassed multi-factor authentication protocols. The Lazarus operatives employed a particularly cunning approach by making only minimal changes to the legitimate code, making detection challenging even for security-conscious developers. The malicious code was inserted primarily in post-installation scripts that execute automatically when packages are installed. When triggered, the code would extract credentials from environment variables, browser storage, and credential managers. It was designed to activate only in production environments, remaining dormant during testing phases to avoid detection.

Figure: Malicious code inserted into the auth-manager-js package.

Figure: Browser storage interception code from the react-state-manager package.

The npm security team has removed the compromised versions and is working with affected package maintainers to secure their accounts. Organizations using any of the six identified packages are urged to immediately update to patched versions and rotate all potentially exposed credentials.

The Lazarus Group continues to demonstrate its evolution from basic disruptive cyberattacks to sophisticated supply chain compromises targeting developer infrastructure, signaling a concerning trend in nation-state hacking operations. Security researchers recommend implementing strict package management policies, including version pinning and the use of integrity verification tools such as npm audit and dependency scanning solutions.
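Two of the defensive points above, install-time lifecycle scripts as the delivery vector and version pinning as a mitigation, can be checked mechanically in CI. The following is an added example, not code from the article or from any of the packages it names; the package names, versions and manifests are constructed sample data.

```javascript
// Added example: flag dependencies that declare install-time lifecycle scripts
// (the vector described in the article) and project dependencies that are not
// pinned to an exact version. All manifests below are constructed samples.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall'];

// Given the parsed package.json of each installed dependency, return one entry
// per lifecycle hook that would run a command during `npm install`.
function findInstallScripts(manifests) {
  const hits = [];
  for (const m of manifests) {
    const scripts = m.scripts || {};
    for (const hook of LIFECYCLE_HOOKS) {
      if (typeof scripts[hook] === 'string' && scripts[hook].trim() !== '') {
        hits.push({ name: m.name, version: m.version, hook, command: scripts[hook] });
      }
    }
  }
  return hits;
}

// An exact pin is a bare semver version, optionally with prerelease/build tags.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Given a project's package.json, return dependencies whose specifier is a
// range (^, ~, >=), a dist-tag such as "latest", or anything else not exact.
function findUnpinnedDeps(pkg) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(spec)) out.push({ name, spec, field });
    }
  }
  return out;
}

// Constructed sample data: two dependency manifests and one project manifest.
const sampleManifests = [
  { name: 'example-left-pad', version: '1.0.0', scripts: { test: 'node test.js' } },
  { name: 'example-auth-helper', version: '2.3.1',
    scripts: { postinstall: 'node ./scripts/setup.js' } },
];
const sampleProject = {
  name: 'my-app',
  dependencies: { 'example-left-pad': '1.0.0', 'example-auth-helper': '^2.3.0' },
  devDependencies: { 'example-linter': 'latest' },
};

console.log('install-time scripts:', findInstallScripts(sampleManifests));
console.log('unpinned dependencies:', findUnpinnedDeps(sampleProject));
```

In a real pipeline the manifests would be read from `node_modules/*/package.json` after installing with `npm ci --ignore-scripts`, so that flagged hooks are reviewed before they are ever allowed to run.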
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 11 Mar 2025 12:45:07 +0000