North Korea’s Lazarus Group has launched yet another sophisticated supply chain attack, this time leveraging the npm ecosystem to infiltrate developers’ environments and steal cryptocurrency-related data.
Security researchers at Socket.Dev uncovered six new malicious packages, each designed to deploy the BeaverTail malware and establish a persistent backdoor, InvisibleFerret. These tactics resemble previous Lazarus-linked cyber operations.
With over 330 downloads, these malicious packages closely mimic trusted libraries, employing typosquatting to deceive developers into integrating them into projects.
Lazarus’ New Tactics: How Crypto Developers Are Being Targeted
Lazarus has long employed supply chain attacks, but its latest focus on crypto-specific infrastructure marks a significant escalation.
The malicious packages are engineered to steal sensitive data, including credentials, system information, and, most critically, cryptocurrency wallet files.
The malware specifically scans for id.json, the key storage file for Solana wallets, which allows Lazarus to gain direct access to funds.
It also retrieves the exodus.wallet, a critical file used in the Exodus crypto wallet, enabling unauthorized transactions and fund extraction.
In addition, the malware searches through Chrome, Brave, and Firefox profiles, extracting login credentials and session data that could facilitate further exploits.
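The files named above (the Solana id.json keypair, the Exodus exodus.wallet store, and browser profile credential databases) are rarely read by anything other than the application that owns them, which makes unexpected readers a useful detection signal. The following is an added example, not code from the article or from Socket: it runs a simple rule over constructed file-access events in a "pid,process,op,path" format and flags any process outside an expected set that opens one of those files. The path patterns are assumptions based on the default install locations of those applications, and the sample event lines are constructed.

```python
"""Flag processes that read crypto-wallet or browser-credential files.

Added example, not part of the original article. Event lines are constructed;
path patterns are assumptions about default application locations.
"""
import csv
import io
import re
from dataclasses import dataclass
from typing import Optional

# Files worth alerting on when read by anything other than their owning app.
# Patterns are assumptions (default Linux/macOS locations), not from the article.
SENSITIVE_PATTERNS = {
    "solana_keypair": re.compile(r"/\.config/solana/id\.json$"),
    "exodus_wallet": re.compile(
        r"/(?:\.config/|Library/Application Support/)Exodus/exodus\.wallet(?:/|$)"),
    "chromium_logins": re.compile(
        r"/(?:google-chrome|BraveSoftware/Brave-Browser)/[^/]+/Login Data$"),
    "firefox_logins": re.compile(
        r"/\.mozilla/firefox/[^/]+/(?:logins\.json|cookies\.sqlite)$"),
}

# Process names that are expected to open each class of file (assumed).
EXPECTED_READERS = {
    "solana_keypair": {"solana", "solana-keygen"},
    "exodus_wallet": {"Exodus"},
    "chromium_logins": {"chrome", "brave"},
    "firefox_logins": {"firefox"},
}


@dataclass(frozen=True)
class Alert:
    category: str
    pid: int
    process: str
    path: str


def classify(path: str) -> Optional[str]:
    """Return the sensitive-file category for a path, or None if it is not one."""
    for name, pattern in SENSITIVE_PATTERNS.items():
        if pattern.search(path):
            return name
    return None


def scan_events(log_text: str) -> list:
    """Parse 'pid,process,op,path' lines; alert on unexpected readers."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["op"] not in {"open", "read"}:
            continue
        category = classify(row["path"])
        if category is None:
            continue
        if row["process"] in EXPECTED_READERS[category]:
            continue  # the owning application touching its own file
        alerts.append(Alert(category, int(row["pid"]), row["process"], row["path"]))
    return alerts


# Constructed sample events: one legitimate reader per file, plus a node
# process reading wallet and browser files it has no business opening. The
# file name inside exodus.wallet is illustrative only.
SAMPLE_LOG = """pid,process,op,path
4120,solana,read,/home/dev/.config/solana/id.json
4133,node,read,/home/dev/.config/solana/id.json
4133,node,open,/home/dev/.config/Exodus/exodus.wallet/seed.seco
4133,node,read,/home/dev/.config/google-chrome/Default/Login Data
2201,chrome,read,/home/dev/.config/google-chrome/Default/Login Data
4133,node,read,/home/dev/project/package.json
"""

if __name__ == "__main__":
    for a in scan_events(SAMPLE_LOG):
        print(f"[{a.category}] pid={a.pid} process={a.process} path={a.path}")
```

On the constructed sample the rule produces three alerts, all for the node process; a real deployment would feed it auditd or endpoint file-open telemetry and tune the expected-reader sets per host.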
Using multi-stage payload deployment, Lazarus ensures prolonged access to compromised systems.
The malware is designed to download additional payloads, including the InvisibleFerret backdoor, securing deeper infiltration into developer environments.
The ability to hijack npm packages and spread malware through open-source channels amplifies the supply chain attack vector, making it significantly more dangerous for blockchain projects relying on npm libraries.
Sophisticated Execution: How the Attack Works
Lazarus’ latest campaign showcases an advanced understanding of open-source ecosystems and modern software development workflows.
The group’s strategy relies on several deceptive tactics. Lazarus publishes malicious npm packages with names resembling popular dependencies, tricking developers into unknowingly integrating the infected files into their projects.
Fake GitHub repositories further add credibility, making the packages appear legitimate.
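Typosquatted names are cheap to catch before install if a project compares each declared dependency against the names it actually trusts. The following is an added example, not code from the article, Socket, or any npm tooling: it reads a package.json, strips npm scopes, and flags any unknown dependency whose name is within a small edit distance (Damerau-Levenshtein with transpositions, so a swapped-letter name counts as one edit) of a trusted package, including an unscoped copy of a scoped name. The allowlist and the package.json are constructed for illustration.

```python
"""Flag npm dependencies whose names are near-misses of trusted packages.

Added example, not from the article or any npm tool. The allowlist and the
package.json below are constructed for illustration.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed allowlist. In practice this would come from the project's
# lockfile plus a curated list of popular packages.
KNOWN_PACKAGES = {
    "lodash", "express", "axios", "react", "chalk", "commander",
    "@solana/web3.js", "ethers", "web3",
}


@dataclass(frozen=True)
class Finding:
    name: str          # dependency as declared in package.json
    lookalike_of: str  # trusted package it resembles
    distance: int      # edit distance between the bare names


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, transpose."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def bare_name(pkg: str) -> str:
    """Strip an npm scope: '@solana/web3.js' -> 'web3.js'."""
    return pkg.split("/", 1)[1] if pkg.startswith("@") and "/" in pkg else pkg


def closest_known(name: str) -> Optional[Finding]:
    """Return the trusted package this name most resembles, if any is close."""
    bare = bare_name(name)
    max_distance = 1 if len(bare) < 6 else 2  # short names need a tighter bound
    best = None
    for known in sorted(KNOWN_PACKAGES):
        dist = edit_distance(bare, bare_name(known))
        if dist <= max_distance and (best is None or dist < best.distance):
            best = Finding(name, known, dist)
    return best


def audit_dependencies(package_json: str) -> list:
    """Return findings for declared dependencies that look like trusted ones."""
    manifest = json.loads(package_json)
    findings = []
    for section in ("dependencies", "devDependencies"):
        for name in manifest.get(section, {}):
            if name in KNOWN_PACKAGES:
                continue  # exact match to a trusted name
            hit = closest_known(name)
            if hit is not None:
                findings.append(hit)
    return findings


# Constructed manifest: two swapped/missing-letter names and one unscoped
# copy of a scoped package, alongside legitimate and simply unknown entries.
SAMPLE_PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {
    "lodash": "^4.17.21",
    "lodsah": "^4.17.21",
    "expres": "^4.18.2",
    "axios": "^1.6.0",
    "web3.js": "^1.0.0"
  },
  "devDependencies": {
    "left-pad": "^1.3.0"
  }
}"""

if __name__ == "__main__":
    for f in audit_dependencies(SAMPLE_PACKAGE_JSON):
        print(f"{f.name!r} resembles {f.lookalike_of!r} (distance {f.distance})")
```

Running this on the constructed manifest flags lodsah, expres and web3.js while leaving left-pad alone (unknown, but not a near-miss of anything trusted); a CI step would fail the build or require review on any finding.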
To conceal the malware’s true intent, Lazarus employs various obfuscation techniques.
The malicious code closely resembles previously documented Lazarus operations, reinforcing its attribution to the APT group.
Once inside a system, the malware scans local directories for crypto wallet files and sensitive credentials, specifically targeting Solana and Exodus wallet storage files.
The stolen data is then exfiltrated to a Lazarus-controlled server, allowing attackers to access victims’ funds directly.
To maintain persistence, the script downloads and deploys InvisibleFerret, a backdoor designed to control infected systems over the long term.
Multi-stage malware deployment ensures that Lazarus retains access to compromised environments even if initial infection vectors are detected and removed.
Increasingly Sophisticated Threats Against the Crypto Sector
Lazarus’ latest attack aligns with a growing trend of sophisticated cyber threats targeting the crypto industry.
The group’s previous campaigns have included major exchange breaches, laundering stolen funds via DeFi protocols, and now, infiltrating developer environments.
A February 2025 report highlighted how crypto-focused attacks have surged. The report shows a staggering 20x increase in crypto losses in February 2025, particularly within centralized finance (CeFi). Bybit alone lost $1.46 billion to Lazarus, the largest hack in crypto history.
While DeFi continues to suffer a high volume of attacks, the overwhelming concentration of financial losses in CeFi has raised questions about whether centralized exchanges invest enough in preventative cybersecurity measures.
Moreover, the persistent targeting of BNB Chain and Ethereum, accounting for nearly 73% of total losses, adds to these doubts and calls for better security.
For now, it is clear APT groups like Lazarus are refining their attack methodologies, shifting from direct exchange breaches to more insidious supply chain compromises.
Developers are advised to stay vigilant. They remain prime targets because they hold the keys to critical blockchain infrastructure, making them an attractive entry point for cybercriminals.
The post Lazarus Targets Solana and Exodus Wallets, Infecting Hundreds of Software Developers appeared first on Cryptonews.