North Korea-linked hackers used fake coding tools to break into software developers’ computers, a tactic that could give them access not only to individual machines but also to the software projects and company systems those developers work on, a US software security firm said.
JFrog Security Research, a Silicon Valley-based software security firm, said it discovered six malicious packages uploaded to npm, a widely used online code library where millions of JavaScript developers download ready-made tools for software projects.
The packages were designed to resemble legitimate JavaScript tools and closely impersonated rollup-plugin-polyfill-node, a widely used package with about 295,000 weekly downloads. Once activated, the malware could steal passwords, cryptocurrency wallet data and sensitive files, according to JFrog’s June 30 report.
In a post on its website titled “Lazarus-Linked npm Malware Masquerades as Rollup Polyfills,” JFrog said its security research team had identified a cluster of malicious npm packages masquerading as Rollup polyfill tooling. Lazarus Group, also known as APT38, is a notorious advanced persistent threat group believed to be linked to North Korean hackers.
“We observed the same staging pattern with react-icon-svgs, which installed rollup-plugin-polyfill-connect as a second stage. This layered structure, together with the lookalike names, legitimate-looking metadata, hidden install-time execution, environment checks, and credential-theft/remote-access payloads, is similar to previous North Korean Lazarus-linked npm campaigns,” the firm explained.
Researchers said the attackers replicated nearly every aspect of the legitimate project, including its README documentation, repository metadata, homepage links and package structure, making the malicious packages appear authentic even under close inspection.
Rather than relying on simple typographical errors, the hackers published similarly branded packages such as rollup-packages-polyfill-core and rollup-runtime-polyfill-core, making them appear to be legitimate extensions of the original software.
JFrog attributed the campaign to Lazarus-linked threat actors based on overlaps in tactics, techniques and tooling observed in previous North Korean operations. The researchers said the malware’s remote-control capabilities and other technical characteristics closely matched those seen in previous Lazarus campaigns.
Unlike many previous software supply chain attacks, the malware was designed to execute when developers imported the package into a project rather than during installation. Researchers said the technique allows it to bypass npm v12’s new security protections, which block malicious install-time scripts but not code that runs after a package is imported.
JFrog said the malware also used a multi-stage infection process to evade detection. Once activated on a developer’s computer, it could give attackers remote control of the machine, steal credentials stored in browsers, cryptocurrency wallets, cloud accounts and developer tools, and collect sensitive files and clipboard contents. Before launching the attack, it first checked whether it was running in a sandbox or other security analysis environment, remaining dormant if such conditions were detected.
The report also found that the latest operation overlaps with malware families known as BeaverTail and OtterCookie, both previously linked to North Korean campaigns targeting software developers. Earlier this year, security firm Panther documented more than 100 malicious npm packages attributed to North Korean actors, suggesting the latest campaign represents a continued evolution rather than an isolated incident.
All six malicious packages have since been removed from the npm registry.
Lazarus, which Washington says operates under North Korea’s Reconnaissance General Bureau, has increasingly targeted software developers and cryptocurrency infrastructure as Pyongyang seeks new sources of illicit revenue. US authorities have repeatedly said proceeds from such cyber operations help finance the country’s nuclear weapons and ballistic missile programs.
The findings add to growing concern over North Korea’s cyber operations.
In a report released last week, blockchain analytics firm TRM Labs estimated that North Korean hackers stole $643 million in digital assets in the first half of this year, accounting for 66 percent of global cryptocurrency losses from hacking during the period.
Although the total was down from the $1.7 billion attributed to North Korea in the first half of last year, it remained the largest haul by any threat actor.
TRM attributed two of the largest cryptocurrency thefts this year to the Lazarus Group, the North Korean hacking organization believed to operate under the country’s Reconnaissance General Bureau. The group allegedly stole $285 million from the decentralized finance platform Drift and another $292 million from Kelp DAO, an Ethereum-based DeFi protocol.
North Korea’s cryptocurrency thefts have risen sharply in recent years. According to blockchain analytics firm Chainalysis, North Korean hackers stole about $660 million in 2023, $1.34 billion in 2024 and $2.02 billion in 2025, bringing cumulative losses over the three years to roughly $6.75 billion.
During the fifth South Korea-US-Japan working group meeting on North Korean cyber threats held in Washington on June 25-26, a US State Department spokesperson warned that Pyongyang has increasingly turned to cybercrime to evade international sanctions and finance its illicit weapons of mass destruction and ballistic missile programs, with cryptocurrency theft and money laundering becoming a key source of funding.
mkjung@heraldcorp.com