North Korea targets crypto developers via NPM supply chain attack

Yet another cash grab from Kim's cronies and an intel update from Microsoft


North Korea has changed tack: its latest campaign targets the NPM registry and owners of Exodus and Atomic cryptocurrency wallets.

Carrying out a financially motivated string of attacks isn't the news here – North Korea's primary objective has long been to siphon money from enemy economies. The fresh finding is a JavaScript implant that hides itself in GitHub repositories and node package manager (NPM) packages typically used by crypto devs.

According to SecurityScorecard's research, 233 individual victims have been confirmed thus far after installing the new Marstech1 implant, many features of which demonstrate North Korea's evolving tradecraft. Asked for more details about the victims, the vendor said it had none.

Given Web3 developers' reliance on NPM and Marstech1's ability to evade detection using static and dynamic analyses, SecurityScorecard said the campaign presented a real danger to cryptocurrency developers.

A supply chain risk exists since the compromised software packages could be downloaded and unwittingly introduced into applications, potentially compromising many more users.

Marstech1 uses command and control (C2) infrastructure that communicates over port 3000 rather than 1224 or 1245, and lacks features of previous Lazarus campaigns such as the React web panel as seen in the recent Phantom Circuit attack. Lazarus is a cybercrime group allegedly run by the North Korean government.

Marstech1's capabilities primarily involve targeting cryptocurrency wallets across Windows, macOS, and Linux, scanning compromised systems for wallets of interest, reading their contents, and extracting metadata.

The implant also implements multiple layers of obfuscation techniques, which had not been seen from Lazarus before, that the researchers said allowed it to go unnoticed when embedded into a software package.

All of the following were observed in action when looking at Marstech1:

A small selection of the implant's components use alternative methods such as Base85 encoding and XOR decryption to hide their true purposes.

Ryan Sherstobitoff, SVP of threat research and intelligence at SecurityScorecard, said: "Operation Marstech Mayhem exposes a critical evolution in the Lazarus Group's supply chain attacks, demonstrating not only their commitment to operational stealth but also significant adaptability in implant development.

"The introduction of the Marstech1 implant, with its layered obfuscation techniques – from control flow flattening and dynamic variable renaming in JavaScript to multi-stage XOR decryption in Python – underscores the threat actor's sophisticated approach to avoiding both static and dynamic analysis."

The campaign was first spotted in December 2024 with the C2 server hosted on Stark Industries, a hosting provider spun up around the time of Russia's invasion of Ukraine. Its services are known to be used by various cybercriminal outfits.

SecurityScorecard also traced the embedding of the implant to a GitHub account called SuccessFriend, which researchers linked to Lazarus itself. It had been active since July 2024, committing genuine code to a number of different projects, but started actively developing malware in November.

The vendor said the account was last active two weeks ago, but at the time of writing GitHub appears to have removed it.

Speaking to The Register via email, Sherstobitoff said North Korea was targeting Web3 projects, mainly those using the NPM registry.

"Because Lazarus is pushing modified code into the NPM registry, anyone can typically run it and become compromised. This makes it even more dangerous when they 'poison' the supply chain," he said.

Sherstobitoff didn't respond to specific questions about the packages, such as how popular they were or how easy they were to locate.

"In summary, the findings of Operation Marstech Mayhem serve as a stark reminder that the landscape of cyber threats is rapidly evolving," he said.

"It is imperative for organizations and developers to adopt proactive security measures, continuously monitor supply chain activities, and integrate advanced threat intelligence solutions to mitigate the risk of sophisticated implant-based attacks orchestrated by threat actors like the Lazarus Group."

Crafty cousin

Microsoft also recently released some fresh intel on North Korea's activity. In this case, it's related to another of the country's offensive cyber teams, Kimsuky.

It detailed a new tactic that involves posing as a South Korean government official, building rapport with a victim over time, and eventually convincing them to run PowerShell as admin and execute harmful code.

The trick involves sending victims a PDF via email that directs them to a URL with instructions on how to register their device in order to read it. Those instructions tell the victim to launch PowerShell and execute the code.

"If the target runs the code as an administrator, the code downloads and installs a browser-based remote desktop tool, [and] downloads a certificate file with a hardcoded PIN from a remote server," Microsoft said.

The victim's device is then registered with the server and Kimsuky can start lifting data from the machine.

Microsoft has not yet specified who has fallen victim to this attack, and although only a limited number of attacks have been spotted since January 2025, the group's typical hit list includes people working in international affairs related to Northeast Asia, NGOs, and media organizations across the world. ®
