North Korean hacker group Lazarus launches supply chain attack via malicious NPM packages
2025-01-30 12:34:20 Author: cybersecuritynews.com (view original)

North Korean APT Lazarus Compromises Developers via Malicious NPM Packages

The North Korean state-sponsored hacking group Lazarus has been implicated in a sophisticated supply chain attack targeting developers through malicious Node Package Manager (NPM) packages.

Security researchers have identified the package, postcss-optimizer, as a key vector for delivering malware to unsuspecting victims.

Legitimate postcss package on the npm registry (Source – Socket)

The malicious postcss-optimizer package masquerades as a legitimate library by borrowing the name of the widely used postcss library, which has over 16 billion downloads.

Malicious postcss-optimizer package on the npm registry (Source – Socket)

Once installed, it deploys the BeaverTail malware—a dual-purpose tool acting as both an infostealer and a loader.

Socket researchers noted that the malware collects sensitive data such as credentials, browser cookies, and cryptocurrency wallet keys while also executing additional payloads, including the InvisibleFerret backdoor.

The malware is cross-platform, with variants for Windows, macOS, and Linux systems.

It achieves persistence through registry modifications on Windows and shell scripts on Unix-based systems. The malware communicates with command-and-control (C2) servers to exfiltrate data and fetch further malicious components.

TTPs

  1. Obfuscation Techniques: The malicious code uses advanced obfuscation methods such as variable renaming, string encoding, and control flow flattening to evade detection.
  2. System Reconnaissance: The malware collects system details like hostname, operating system type, and user directories using Node.js APIs.
  3. Data Exfiltration: Sensitive files such as browser-stored credentials and cryptocurrency wallet keys are transmitted to a hardcoded C2 server via HTTP POST requests.
  4. Payload Delivery: The malware fetches additional payloads from a remote server using cURL commands or Node.js HTTP requests.

This attack is part of Lazarus’s ongoing strategy to infiltrate high-value targets in the technology and cryptocurrency sectors.

Known for leveraging fake job interviews and coding challenges, the group uses social engineering to lure developers into downloading compromised packages.

Previous campaigns include Operation Phantom Circuit and Contagious Interview, which similarly exploited open-source ecosystems like NPM and PyPI.

To defend against such threats, organizations should conduct regular audits of third-party dependencies and use automated tools like Socket’s GitHub app to flag suspicious packages during development.

Verifying installed libraries against the cryptographic hashes recorded in a lock file confirms that the tarball is the one that was pinned, not that the package is benign: a lookalike such as postcss-optimizer passes a checksum check as long as its own tarball is intact. Educating developers about supply chain risks and social engineering tactics further strengthens security.

IOCs:

  • Malicious Package: postcss-optimizer
  • C2 Infrastructure: 91.92.120[.]132
  • NPM Alias: yolorabbit



Source: https://cybersecuritynews.com/lazarus-compromises-developers-via-malicious-npm-packages/