The Lazarus Group from North Korea is targeting software developers in order to compromise Solana and Exodus wallets.

The Lazarus Group has shifted its focus towards users of Solana and the Exodus wallet. This hacking collective, linked to the North Korean government, has previously been implicated in the Bybit hack and other significant cryptocurrency thefts, and they are making headlines once again.

Recent research by Socket revealed that the Lazarus Group has placed six harmful packages in npm, specifically aiming at software developers and cryptocurrency enthusiasts. As stated in the Socket Research report, the six harmful packages associated with Lazarus were downloaded more than 173 times in total. These packages were created to capture login information, install backdoors, and retrieve sensitive data from Solana-related cryptocurrency wallets or Exodus.

The investigation highlighted that the methods and strategies used in this npm attack bear a strong resemblance to the established tactics of Lazarus. The recent cyberattack involves malware that focuses on browser profiles, probing files from Chrome, Brave, Firefox, and accessing keychain data on macOS.

The six malicious packages identified are: is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator.

The researchers asserted that Lazarus employed typosquatting to deceive developers into installing software with misspelled names. An example of this is the package “is-buffer-validator,” which is very similar to the well-known “is-buffer” module created by Feross Aboukhadijeh, the CEO of Socket. The authentic is-buffer package boasts 33 million downloads per week and more than 134 million downloads overall, illustrating its extensive use.

Moreover, Lazarus has previously breached networks utilizing supply chain attacks through platforms such as GitHub, PyPI, and npm. This has played a role in significant security breaches, such as the $1.4 billion theft from the Bybit exchange.
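One way to check a project for these names, as an added example that is not code from Socket's report or from this article: it scans a parsed package-lock.json (lockfileVersion 2 or 3) for the six package names listed above and for names that closely resemble a package you trust. The `TRUSTED` list, the edit-distance threshold of 2, the `reason` labels and the sample lockfile are assumptions made for illustration.

```javascript
// Package names the article lists as the six malicious npm packages.
const REPORTED = new Set([
  'is-buffer-validator', 'yoojae-validator', 'event-handle-package',
  'array-empty-validator', 'react-event-dependency', 'auth-validator',
]);
// Assumption: packages you really depend on; extend for your project.
const TRUSTED = ['is-buffer'];

// Levenshtein edit distance, single-row dynamic programming.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let prev = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, prev + (a[i - 1] === b[j - 1] ? 0 : 1));
      prev = tmp;
    }
  }
  return row[b.length];
}

// Installed package names from a parsed package-lock.json (v2/v3 "packages" map).
function lockedNames(lock) {
  const names = new Set();
  for (const path of Object.keys(lock.packages || {})) {
    if (path.includes('node_modules/')) names.add(path.split('node_modules/').pop());
  }
  return names;
}

// Flag reported names, plus names within 2 edits of, or prefixed by, a trusted name.
function auditLockfile(lock, trusted = TRUSTED) {
  const findings = [];
  for (const name of [...lockedNames(lock)].sort()) {
    if (trusted.includes(name)) continue;
    if (REPORTED.has(name)) { findings.push({ name, reason: 'reported' }); continue; }
    const near = trusted.find((t) => name.startsWith(t + '-') || editDistance(name, t) <= 2);
    if (near) findings.push({ name, reason: `lookalike:${near}` });
  }
  return findings;
}

// Constructed sample lockfile; "demo-lib" and "is-bufer" are made-up names.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' }, 'node_modules/is-buffer': {},
  'node_modules/is-buffer-validator': {}, 'node_modules/demo-lib': {},
  'node_modules/demo-lib/node_modules/is-bufer': {},
} };
```

To run it on a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `auditLockfile`; a lookalike finding is a prompt to review the package by hand, not proof that it is malicious.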
