Lazarus group used 6 npm packages to steal developer logins

11.03.2025 2 minutes Author: Newsman

A North Korean-linked group, *Lazarus*, has compromised six popular *npm* packages in a sophisticated supply chain attack. The hackers injected malicious code and stole the credentials of thousands of developers and organizations around the world.

Researchers have detected one of the largest attacks to date on the *npm* registry, a critical piece of infrastructure for JavaScript development. The attackers took over the packages' official maintainer accounts through phishing and in the process bypassed two-factor authentication (one-time codes can be relayed by a phishing page in real time; only phishing-resistant methods such as hardware security keys stop this).

The hackers made only minimal changes to the code of six popular libraries:

react-native-utils
api-data-connector
auth-manager-js
node-service-config
aws-lambda-handler
react-state-manager

Together these packages are downloaded more than 25 million times a week, which greatly widened the reach of the compromise. The malicious code activated only in production environments, so it did not show up in development or test runs. It harvested logins, API keys, and passwords from local storage and exfiltrated them, disguised as analytics-tracker traffic, to the attacker-controlled domains *analytics-collection.org* and *metrics-telemetry.net*.

The *npm* security team recommends removing the malicious package versions immediately; organizations should update their dependencies, rotate any passwords and API keys that may have been exposed, and tighten the vetting of third-party libraries.

This incident highlights the growing threat to the development ecosystem. *npm* users should enforce strict dependency-management policies: pin exact versions and commit the lockfile (*version pinning*), verify package integrity (the integrity hashes in package-lock.json, enforced by *npm ci*), and run *npm audit* regularly, keeping in mind that *npm audit* only reports known advisories and would not flag a freshly compromised version on its own. Otherwise, supply chain attacks can lead to large-scale data leaks and compromise of critical systems.
