Bybit hackers’ new trick – attacking crypto from the inside

Lazarus Group now planting malware in coding tools, putting crypto projects and wallets at risk

By Joanna Buenconsejo, Mar. 14th - 12pm
North Korean hackers Lazarus Group strike again

The same North Korean hackers behind the Bybit breach have found a new way to attack the crypto world – not by targeting exchanges directly, but by infecting the very tools developers use to build crypto apps.

According to Socket, which uncovered the attack, the Lazarus Group published malicious packages to npm, the package registry used by nearly every JavaScript project. Between them the packages had been downloaded more than 330 times before they were flagged, potentially exposing crypto wallets, logins, and other sensitive data on every machine that installed them.

Security researchers warn that the hidden malware does more than steal passwords. It harvests crypto wallet data and browser-stored credentials, hijacks browser sessions, and installs a backdoor, giving Lazarus remote access to the whole system without the victim noticing.

This isn't a random attack. Lazarus is one of the most notorious crypto hacking groups in history, responsible for some of the biggest thefts ever, including the $625 million Ronin Network breach in 2022 and the Bybit breach itself, in which roughly $1.5 billion was taken. And they aren't slowing down. In Q3 2023 alone, they stole 30% of all crypto lost to hacks, totaling $208.5 million.

Now, they’re evolving. Instead of just hitting crypto exchanges, bridges, and DeFi platforms, they’re corrupting the very tools developers rely on – turning trusted software into a Trojan horse for crypto theft.

The malicious packages

Researchers found six npm packages spreading malware. Here's how each one was described:

  • yoojae-validator – A silent thief that digs through infected systems, pulling out stored passwords and private data.
  • array-empty-validator – Scans browsers and devices for login details, swiping anything linked to crypto wallets or exchanges.
  • is-buffer-validator – A convincing imposter, named to look like the widely used is-buffer package, that secretly funnels passwords to the attackers.
  • event-handle-package – The Trojan horse – once installed, it opens a hidden backdoor, giving Lazarus remote control of the system.
  • auth-validator – A fake security tool that does the opposite of protecting – stealing login details instead.
  • react-event-dependency – Injects malware into development environments, spreading infections like wildfire.

Together these packages had been downloaded more than 330 times, showing that even the everyday tooling developers trust can become an attack vector for crypto theft.

How do these packages trick developers?

These malicious packages rely on typosquatting, where attackers publish fake packages under names nearly identical to legitimate ones: is-buffer-validator, for example, borrows the name of the popular is-buffer package and adds a plausible suffix. A developer who mistypes a name, or trusts a suggestion without checking the publisher, installs the fake and runs the attacker's code on their own machine.
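As an added example (not code from Socket's report or from this article), here is a small Node.js audit that a developer could run over a project's package.json dependency map. It flags the six package names named above exactly, and separately flags names that look like typosquats of well-known packages: either within two edits of a popular name, or a popular name with an extra segment bolted on, which is the pattern the is-buffer-validator name follows. The list of popular packages and the sample dependency map are constructed for the demo and are assumptions, not data from the page.

```javascript
// Added example: audit a package.json "dependencies" map for
// (a) the six package names from the Socket report and
// (b) names that look like typosquats of well-known packages.
// Neither list is exhaustive; the POPULAR list is an assumption for the demo.

const KNOWN_MALICIOUS = new Set([
  'is-buffer-validator',
  'yoojae-validator',
  'event-handle-package',
  'array-empty-validator',
  'react-event-dependency',
  'auth-validator',
]);

// Widely used packages a look-alike name might imitate (assumed list).
const POPULAR = ['is-buffer', 'validator', 'react', 'lodash', 'express', 'axios'];

// Levenshtein edit distance, single-row dynamic programming.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(
        prev[j] + 1,                                   // delete a[i-1]
        prev[j - 1] + 1,                               // insert b[j-1]
        diag + (a[i - 1] === b[j - 1] ? 0 : 1)         // substitute / match
      );
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Returns a list of findings for the dependency names in `deps`.
// level "known-malicious": exact match on the reported package names.
// level "suspicious": heuristic typosquat match, needs human review.
function auditDependencies(deps) {
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (KNOWN_MALICIOUS.has(name)) {
      findings.push({ name, level: 'known-malicious', reason: 'named in the Socket report' });
      continue;
    }
    if (POPULAR.includes(name)) continue; // the genuine package, not a look-alike
    for (const p of POPULAR) {
      if (name.startsWith(p + '-') || name.endsWith('-' + p)) {
        findings.push({ name, level: 'suspicious', reason: `extends the name of ${p}` });
        break;
      }
      if (editDistance(name, p) <= 2) {
        findings.push({ name, level: 'suspicious', reason: `within 2 edits of ${p}` });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample dependency map (what a package.json might contain).
const SAMPLE_DEPS = {
  'is-buffer': '^2.0.5',
  'is-buffer-validator': '^1.0.0',
  'lodahs': '^4.17.21',
  'express': '^4.18.2',
  'auth-validator': '^0.1.0',
};

console.log(JSON.stringify(auditDependencies(SAMPLE_DEPS), null, 2));
```

The "suspicious" tier is deliberately noisy: a legitimate package such as a `react-` plugin will trip the prefix rule, so treat those hits as a prompt to check the publisher, download history and repository before installing, not as a verdict. The exact-name tier is the part worth automating in CI.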

Once installed, they deliver BeaverTail and InvisibleFerret, two malware strains Lazarus has used before. BeaverTail is the stealer and loader: it collects browser-stored credentials and crypto wallet data, then fetches InvisibleFerret, a backdoor that gives the operators remote access. Both were previously spread through Lazarus's fake job-interview scams aimed at developers.

To seem trustworthy, the hackers even created GitHub repositories for five of the six packages, making them appear legitimate and increasing downloads.

The threat remained active at the time of writing, with the packages still available on GitHub and npm – meaning developers must scrutinize open-source code more carefully than ever.

Lazarus Group’s evolving tactics

Security researchers say the attack closely resembles Lazarus Group’s past operations. While Lazarus is best known for hacking crypto exchanges, bridges, and wallets, this attack targets developers directly, raising concerns about how malware could spread through legitimate projects.

By seeding the npm registry with look-alike packages, Lazarus has introduced a supply chain threat: the malicious code runs on the developer's own machine, and anything built or signed there, including crypto apps users already trust, could be tainted without anyone noticing. This means users don't need to fall for phishing scams or shady downloads to be at risk; they could be exposed through software they already trust.

Socket notes that while definitive attribution is difficult, the tactics and techniques used in this npm attack align with Lazarus's known operations, as previously documented by Unit 42, eSentire, Datadog, and Phylum.

As North Korean hackers refine their approach, crypto developers and users must scrutinize open-source software more carefully than ever to avoid falling victim.
