North Korean hackers have released six fake software packages to steal cryptocurrency from developers. The Lazarus Group created these malicious npm packages, which were downloaded more than 330 times.
Their main targets were Solana and Exodus wallet files, which contain sensitive crypto information.
Socket.Dev researchers discovered the attack on March 11, 2025. The hackers used typosquatting—creating packages with names that look like legitimate libraries—to trick developers.
“Malicious npm packages are a particularly effective attack vector because developers often trust open-source repositories without thorough scrutiny,” explained Ensar Seker, CSO at SOCRadar.
The malware hunts for specific wallet files on infected computers. It looks for Solana’s id.json and Exodus wallet files that could give attackers access to crypto funds. The software also steals login information from popular browsers like Chrome, Brave, and Firefox.
All stolen data is sent to a command-and-control server operated by the attackers. The malware also installs a backdoor called InvisibleFerret, giving the attackers persistent access to infected systems even after the malicious package itself is removed.
The six fake packages identified were: is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator. To seem more legitimate, the Lazarus Group created fake GitHub pages for most of these packages.
Kirill Boychenko from Socket Security explained that while it’s hard to prove exactly who’s behind the attack, “the tactics, techniques, and procedures observed in this npm attack closely align with Lazarus’s known operations.”
This campaign mirrors the sophisticated methods used in February’s Bybit exchange hack. The hack, which resulted in $1.46 billion in stolen cryptocurrency, is the largest crypto heist in history. The FBI confirmed Lazarus was responsible for that attack.
Security experts believe North Korea uses stolen crypto funds to pay for its military and nuclear programs. The country has increasingly targeted cryptocurrency organizations in recent years, and its tactics have shifted from directly attacking exchanges to more subtle supply chain attacks that target developers.
To stay safe, organizations should use automated tools to check dependencies and review code before it is installed. Security teams recommend blocking connections to known attacker-controlled servers and educating developers about the dangers of typosquatting.
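As an added illustration of the dependency check recommended above (this is example code written for this page, not Socket's tooling or anything from the campaign), the script below scans a package.json for the six package names the article lists and for names that sit suspiciously close to a constructed list of well-known packages; the trusted-name list, the sample manifest and the distance threshold are assumptions.

```javascript
// Added example: audit a package.json for the packages named in the article
// and for typosquat-style lookalikes of a constructed list of trusted names.
const KNOWN_MALICIOUS = new Set([ // the six names reported in the article
  "is-buffer-validator", "yoojae-validator", "event-handle-package",
  "array-empty-validator", "react-event-dependency", "auth-validator",
]);
// Assumption: a constructed reference list of legitimate packages your org uses.
const TRUSTED_NAMES = ["is-buffer", "lodash", "react", "express", "validator"];

// Classic edit distance (single-row Levenshtein) for near-miss spellings.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

function classify(name) {
  if (KNOWN_MALICIOUS.has(name)) return "known-malicious";
  if (TRUSTED_NAMES.includes(name)) return "ok";
  for (const t of TRUSTED_NAMES) {
    // Flag a close misspelling, or a trusted name with a suffix bolted on
    // (the "-validator" pattern seen in this campaign). Suffix matches also
    // catch legitimate names such as "react-dom", so treat them as review items.
    if (levenshtein(name, t) <= 2 || name.startsWith(t + "-")) return `lookalike-of:${t}`;
  }
  return "ok";
}

// Returns only the dependencies that need attention, in manifest order.
function auditDependencies(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.keys(deps)
    .map((name) => ({ name, verdict: classify(name) }))
    .filter((f) => f.verdict !== "ok");
}

// Constructed sample manifest: one trusted, two listed in the article, one misspelling.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { react: "^18.0.0", "is-buffer-validator": "1.0.0", lodahs: "4.17.21" },
  devDependencies: { "auth-validator": "0.1.0", express: "^4.18.0" },
};
console.log(auditDependencies(SAMPLE_PACKAGE_JSON));
```

Run it against a real manifest by replacing SAMPLE_PACKAGE_JSON with `JSON.parse(require("fs").readFileSync("package.json", "utf8"))`; the output is a review queue, not an automatic block list.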
The packages remain active on the npm registry. Socket's security team has requested their removal and reported the associated GitHub repositories and user accounts, but the threat was still active at the time of publishing. Developers are urged to carefully verify package sources before installing anything.