
Lazarus Data Harvesting: Straight Out of (Mars)tech

  • Javier Conejo del Cerro
  • Feb 17
  • 2 min read



North Korea’s Lazarus Group has unleashed Marstech1, a stealthy JavaScript implant targeting developers and cryptocurrency projects via GitHub repositories and NPM packages. Once executed, it harvests system data, modifies browser extensions, and steals credentials from cryptocurrency wallets, posing a severe supply chain risk.


Developers and Crypto Firms Are at Risk


The attack has affected 233 confirmed victims across the U.S., Europe, and Asia, focusing on developers and cryptocurrency projects. Lazarus embeds the malicious JavaScript in open-source projects published through trusted repositories and package managers; once a developer pulls and runs that code, it manipulates browser settings and extracts sensitive data without triggering alerts.

By embedding itself in widely used development tools, Marstech1 exploits the trust of software engineers, blockchain developers, and financial tech firms, silently siphoning off critical data. This tactic allows attackers to compromise not just individuals but entire ecosystems, spreading malware across supply chains.


Browsers Laced with Venom


Once installed, Marstech1 searches Chromium-based browser profiles for the MetaMask extension and looks for the Exodus and Atomic wallets, altering their configurations and exfiltrating wallet credentials to its command-and-control (C2) servers. The implant can also download and run additional payloads, which lets the operators extend their foothold and conduct long-term espionage.

The malware employs layered obfuscation: multi-stage XOR decryption of its payloads, control-flow flattening, and dynamic variable renaming, which leaves no stable strings or structure for signature-based security tools to match on. This sophistication reinforces Lazarus Group's reputation for state-sponsored cyber espionage.


Back to Earth: Strengthening Defenses


With Lazarus leveraging open-source repositories to distribute malware, developers and organizations must adopt proactive cybersecurity measures to mitigate risks:


• Verify all open-source dependencies before integration into projects.


• Restrict script execution during dependency installation (for example, disable npm lifecycle scripts) and monitor script activity within development environments.


• Conduct frequent security audits on GitHub repositories and NPM packages.


• Implement endpoint protection solutions to detect and block malicious scripts.


• Isolate critical development environments to prevent cross-infection.
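As an added example (not code from the original post, nor from the Marstech1 report it summarizes), the following Node.js script turns the first three recommendations, and the obfuscation description above, into a pre-install check: it flags npm lifecycle hooks declared in package.json, which are the usual point at which a dependency gets to execute code during `npm install`, and scores JavaScript sources against indicators of the techniques described (XOR decode loops, control-flow-flattening dispatch loops, machine-generated variable names, dynamically evaluated stages). The package names, file contents, rule weights and threshold are all constructed for the example.

```javascript
// Added example, not code from the original post or from the Marstech1 report:
// a pre-install audit for an npm dependency. All package names, file contents,
// rule weights and the threshold below are constructed for this example.

// npm runs these package.json scripts automatically during install/uninstall,
// which is the usual execution path for an implant hidden in a dependency.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare',
  'preuninstall', 'postuninstall'];

// Return every lifecycle hook a package.json declares, with its command.
function auditPackageJson(jsonText) {
  const pkg = JSON.parse(jsonText);
  const scripts = pkg.scripts || {};
  return LIFECYCLE_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Obfuscation indicators matching the techniques described above. Each rule
// counts once per file; the weights are this example's own assumption.
const OBFUSCATION_RULES = [
  // s.charCodeAt(i) ^ key : the inner loop of a XOR string/payload decoder
  { name: 'xor-decode-loop', weight: 3, re: /charCodeAt\([^)]*\)\s*\^/ },
  // rebuilding strings from char codes so no cleartext literal exists
  { name: 'string-from-charcode', weight: 1, re: /String\.fromCharCode/ },
  // executing a decoded stage as code
  { name: 'eval-or-function-ctor', weight: 3, re: /\beval\s*\(|new\s+Function\s*\(/ },
  // while(true){switch(state){...}} dispatcher: control-flow flattening
  { name: 'control-flow-flattening', weight: 2, re: /while\s*\(\s*(true|!!\[\])\s*\)\s*\{\s*switch\s*\(/ },
  // machine-generated identifier names such as _0x4f2a
  { name: 'hex-named-identifiers', weight: 2, re: /\b_0x[0-9a-f]{4,}\b/i },
  // a single string literal large enough to hold an encoded stage
  { name: 'large-encoded-blob', weight: 2, re: /['"][A-Za-z0-9+\/=]{200,}['"]/ },
];

// Score one source file: sum of the weights of the rules that match.
function scoreObfuscation(source) {
  const matched = OBFUSCATION_RULES.filter((rule) => rule.re.test(source));
  return {
    score: matched.reduce((sum, rule) => sum + rule.weight, 0),
    hits: matched.map((rule) => rule.name),
  };
}

// Audit one package: its package.json text plus a map of file path -> source.
// `block` is true when the install should stop for manual review.
function auditPackage(jsonText, sources, threshold = 5) {
  const hooks = auditPackageJson(jsonText);
  const findings = [];
  for (const [file, source] of Object.entries(sources)) {
    const { score, hits } = scoreObfuscation(source);
    if (score >= threshold) findings.push({ file, score, hits });
  }
  return { hooks, findings, block: hooks.length > 0 || findings.length > 0 };
}

// Constructed sample: a package that runs a script on install and ships an
// obfuscated-looking file. Illustrative text only, not the real implant.
const SUSPICIOUS_PKG = JSON.stringify({
  name: 'example-suspicious-helper', version: '1.0.3',
  scripts: { postinstall: 'node lib/setup.js', test: 'echo ok' },
});
const SUSPICIOUS_SOURCE = [
  '(function () {',
  '  var _0x4f2a = ["5a4b", "3c1d"];',
  '  function _0x1b(s, k) { var out = ""; for (var i = 0; i < s.length; i++) {',
  '    out += String.fromCharCode(s.charCodeAt(i) ^ k); } return out; }',
  '  var state = 0; while (true) { switch (state) { case 0: state = 1; break; case 1: return; } }',
  '})();',
].join('\n');

// Constructed sample: a plain package with no install hooks.
const CLEAN_PKG = JSON.stringify({
  name: 'example-clean-util', version: '2.0.0', scripts: { test: 'node test.js' },
});
const CLEAN_SOURCE = "'use strict';\nfunction add(a, b) { return a + b; }\nmodule.exports = { add };\n";

const suspiciousReport = auditPackage(SUSPICIOUS_PKG, { 'lib/setup.js': SUSPICIOUS_SOURCE });
const cleanReport = auditPackage(CLEAN_PKG, { 'index.js': CLEAN_SOURCE });
console.log(JSON.stringify({ suspiciousReport, cleanReport }, null, 2));
```

Any declared lifecycle hook or a file over the threshold should stop the install for a human to read the code; `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) prevents hooks from running at all, which closes the most common execution path regardless of how well the heuristic scores. Minified or bundled packages will also trip several of these rules, so treat a hit as a reason to review, not as proof of compromise.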


By tightening security across software supply chains, companies and developers can prevent Lazarus from turning their own tools against them. The Marstech1 campaign is a reminder that even trusted platforms can be weaponized, making constant vigilance and robust cybersecurity defenses essential.



 
 
 
