Lazarus Hides Malicious npm Code Using Hex Encoding



North Korea’s Lazarus Group has ramped up its Contagious Interview campaign by using new npm packages with hex-encoded strings to evade detection. These packages deliver BeaverTail infostealers and RAT loaders, aiming to steal credentials, financial info, and crypto wallets. SecurityScorecard found 11 such packages with 5,600+ downloads tied to Lazarus tactics.

Lazarus Group Expands Malware Campaign Across Repositories

North Korean hackers linked to the Lazarus Group are spreading malicious npm packages using fake developer accounts like taras_lakhai, mvitalii, and wishorn. These packages, such as twitterapis and dev-debugger-vite, pretend to be tools for APIs or debugging but secretly connect to hacker-controlled servers (e.g., 45.61.151[.]71:1224).

They also uploaded harmful code to Bitbucket projects like icloud-cod and events-utils, pretending to be legitimate tools. Some even referenced fake job offers, a known Lazarus tactic called the “Contagious Interview” campaign.

To avoid detection, the hackers used hexadecimal string decoding to hide key parts of the code, like this example from the cln-logger package:

    function g(h) {
      return h.replace(/../g, match => String.fromCharCode(parseInt(match, 16)));
    }

This activity shows how Lazarus continues to target developers by hiding malware in open-source tools.

The hex decoding function turns encoded text like 72657175697265 into require, allowing the malware to load hidden modules.

URLs such as mocki[.]io/... were also hidden in hex to avoid detection. Variants like node-clog and snore-log used rotating domains (e.g., m21gk[.]wiremockapi[.]cloud) to keep delivering payloads even if some links are blocked.
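As an added example (not code from the article, nor from any of the packages it describes), the following JavaScript reverses the hex obfuscation shown above and flags the decoded strings a package reviewer would want to look at. The watch list, the function names and the sample package source are assumptions constructed for this illustration.

```javascript
// Added example: scan package source for hex-encoded string literals,
// decode them the same way the obfuscated loader does, and flag
// decoded values that warrant review. Sample input is constructed.

// Same transformation as the article's g(h): every two hex digits
// become one character.
function hexDecode(h) {
  return h.replace(/../g, (m) => String.fromCharCode(parseInt(m, 16)));
}

// Decoded tokens that deserve a closer look in a third-party module
// (watch list is an assumption, chosen from behaviours the article names).
const SUSPICIOUS = ['require', 'child_process', 'eval', 'http', 'keychain', 'id.json'];

// Find quoted literals made only of hex digits (at least 8, even count)
// and decode them; drop results that are not printable ASCII, since
// genuine hex values such as hashes decode to junk.
function findHexStrings(src) {
  const found = [];
  const re = /['"`]([0-9a-fA-F]{8,})['"`]/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    if (m[1].length % 2 !== 0) continue;
    const decoded = hexDecode(m[1]);
    if (!/^[\x20-\x7e]+$/.test(decoded)) continue;
    found.push({ hex: m[1], decoded });
  }
  return found;
}

// Annotate each decoded literal with whether it hits the watch list.
function scanPackage(src) {
  return findHexStrings(src).map(({ hex, decoded }) => ({
    hex,
    decoded,
    suspicious: SUSPICIOUS.some((t) => decoded.includes(t)),
  }));
}

// Constructed sample mimicking the obfuscation pattern (not real package code).
// '6368...' decodes to child_process, '6874...' to http://example.invalid/p;
// the last literal is an MD5-like hash and is discarded by the printable check.
const SAMPLE = `
const g = (h) => h.replace(/../g, (x) => String.fromCharCode(parseInt(x, 16)));
const mod = g('6368696c645f70726f63657373');
const url = g('687474703a2f2f6578616d706c652e696e76616c69642f70');
const sha = '9e107d9d372bb6826bd81d3542a419d6';
`;
```

Run `scanPackage(SAMPLE)` to get the two decoded, flagged literals; the same scan over a real `node_modules` tree would surface the `require` and URL strings the article describes.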

Payloads Targeting Cryptocurrency and Credentials

The malware targets Solana wallet IDs (id.json) and steals credentials from browsers like Brave, Chrome, and Opera. BeaverTail exfiltrates data through HTTP POST requests to Lazarus-controlled servers, while InvisibleFerret provides backdoor access for persistence.

On macOS, the malware also steals keychain data, extending the campaign across platforms.

Indicators of Compromise (IOCs)

  • Malicious Packages:
    • empty-array-validator (129 downloads)
    • twitterapis (102 downloads)
    • dev-debugger-vite (1,606 downloads)
    • snore-log (1,904 downloads)
    • core-pino (483 downloads)
  • Threat Actor Accounts:
    • npm aliases: taras_lakhai (kevintracy516@gmail[.]com), mvitalii (mvitalii206@gmail[.]com)
    • GitHub repository: lukobogdan47/empty-array-validator
  • C2 Infrastructure:
    • 144.172.87[.]27:1224
    • 45.61.151[.]71:1224
    • ip-check-api[.]vercel[.]app/api/ipcheck/703

MITRE Techniques:

  • T1195.002 (Supply Chain Compromise)
  • T1027.013 (Hex Encoding)
  • T1555.003 (Browser Credential Theft)

Recommendations

  • Use dependency auditing tools like Socket to detect suspicious package behaviors during installation.
  • Block traffic to known Lazarus endpoints and restrict unverified third-party modules.
  • Scrutinize repositories linked to npm packages, especially those with minimal maintenance or sudden updates.


Published April 7th, 2025 (2025-04-09T22:25:24+05:30) | Internet Security, malicious cyber actors, Malware, Security Advisory, Security Update

About the Author:

FirstHackersNews - Identifies Security
