Lazarus Group Hid Backdoor in Fake npm Packages in Latest Attack
The North Korean state-backed Lazarus Group has injected malicious code into npm through six fake packages that were downloaded approximately 330 times. The Socket Research Team identified these typosquatting packages that mimic legitimate ones like “is-buffer-validator.” The malware steals system information, extracts browser credentials, targets cryptocurrency wallets (particularly Solana and Exodus), and installs the InvisibleFerret backdoor. This attack supports North Korea’s financial theft objectives. GitHub has removed the malicious packages, but organizations should verify package sources, use security tools, implement multi-layered protection, automate dependency auditing, monitor for unexpected updates, and educate developers about typosquatting risks.
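One way to automate part of the dependency audit recommended above is to flag declared package names that resemble, but do not match, names a team already trusts. This is an added example, not code from the article or from Socket. The function names, the trusted list, the sample manifest, and the choice of `is-buffer` as the trusted name that “is-buffer-validator” resembles are all assumptions made for illustration.

```javascript
// Added example. TRUSTED and SAMPLE_MANIFEST are constructed sample data.
const TRUSTED = ["is-buffer", "lodash", "express"];
const SAMPLE_MANIFEST = {
  dependencies: {
    "is-buffer": "^2.0.5",
    "is-buffer-validator": "^1.0.0", // name taken from the article
    "lodash": "^4.17.21",
    "expres": "^4.18.0",             // constructed one-letter near miss
  },
  devDependencies: { "left-pad": "^1.3.0" }, // unrelated name, not flagged
};

// Levenshtein edit distance, single-row dynamic programming.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const up = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(up + 1, row[j - 1] + 1, diag + cost);
      diag = up;
    }
  }
  return row[b.length];
}

// Report declared dependencies that are not trusted themselves but either
// wrap a trusted name in extra tokens or sit within two edits of one.
function findLookalikes(manifest, trusted) {
  const trustedSet = new Set(trusted);
  const declared = Object.keys({ ...manifest.dependencies, ...manifest.devDependencies });
  const findings = [];
  for (const name of declared) {
    if (trustedSet.has(name)) continue;
    for (const known of trusted) {
      const affix = name.startsWith(known + "-") || name.endsWith("-" + known);
      const near = known.length >= 5 && editDistance(name, known) <= 2;
      if (affix || near) {
        findings.push({ name, resembles: known, reason: affix ? "affix" : "edit-distance" });
        break;
      }
    }
  }
  return findings;
}

console.log(findLookalikes(SAMPLE_MANIFEST, TRUSTED));
```

A finding means the name needs a human look at its publisher and history before install, not that the package is malicious; the trusted list has to include legitimate siblings of each package or the affix rule will flag them too.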