- Security researchers discovered malicious code in NPM packages and GitHub commits
- The code was linked to a Lazarus-operated account
- More than 200 victims were confirmed so far
Lazarus Group, an infamous North Korean state-sponsored threat actor, is running a campaign targeting software and Web3 developers with “undetectable” malware.
Cybersecurity researchers at STRIKE from SecurityScorecard said they observed malware being embedded into GitHub repositories and NPM packages, where unsuspecting developers pick them up and integrate into their own projects.
The researchers said they saw the SuccessFriend GitHub profile, known to be linked to Lazarus, injecting JavaScript implants into GitHub repositories, where they blend in with legitimate code. To make matters worse, the profile has also committed benign code, to better hide its malicious intent.
Funding the state
The malware is being distributed inside NPM packages, STRIKE says, which are “widely used” by cryptocurrency developers and Web3 projects.
The researchers dubbed the campaign Marstech Mayhem, since the malware being deployed is named Marstech1. Once deployed on the victim endpoint, it scans systems for MetaMask, Exodus, and Atomic wallets, modifying browser configuration files to inject stealthy payloads that can intercept transactions.
With that in mind, it’s safe to say that Lazarus is still tasked with stealing cryptocurrency for the North Korean government. Earlier reports were saying that the government was using the stolen crypto to fund its state apparatus, as well as its nuclear weapons program.
So far, STRIKE managed to confirm at least 233 victims across the US, Europe, and Asia.
SecurityScorecard’s SVP of Threat Research & Intelligence, Ryan Sherstobitoff said that the Marstech1 implant comes with “layered obfuscation techniques,” from control flow flattening and dynamic variable renaming in JavaScript, to multi-stage XOR decryption in Python.
He urged organizations and developers to adopt proactive security measures, continuously monitor their supply chain activities, and integrate advanced threat intelligence solutions to mitigate the risk of sophisticated attackers such as Lazarus.
Leave a comment