North Korean Hackers Infiltrate GitHub & NPM to Steal Crypto
Lazarus Group, a North Korean hacking unit responsible for numerous cyber attacks, has launched a new campaign targeting software developers and crypto wallets.
Cybersecurity researchers from STRIKE’s SecurityScorecard found that the group is using more advanced techniques in its latest campaign.
Dubbed Operation Marstech Mayhem, the campaign introduces malware embedded in open-source GitHub repositories and npm (Node Package Manager) packages.
This attack differs from previous ones because it uses stealthy techniques that make detection significantly harder.
How the Attack Works
Developers are the main targets of Lazarus's operations. The attack works as follows: first, the attackers create fake repositories containing malicious code, then promote them on platforms such as Discord and GitHub.
When a victim clones and runs the repository, the malware executes in the background, giving attackers access to the system for further exploitation.
During the investigation, STRIKE confirmed that 233 victims were affected across the U.S., Europe, and Asia. Researchers warn that this number is expected to grow due to the widespread use of open-source packages.
The Marstech implant, which researchers believe first appeared in December 2024, has been linked to the GitHub profile “SuccessFriend”, which STRIKE suspects belongs to the Lazarus threat group.
Crypto and Blockchain in the Focus of Lazarus Group
STRIKE identified an account linked to the attack, which listed web development skills and blockchain learning in its bio – a pattern consistent with Lazarus Group tactics.
The “SuccessFriend” profile was created in July 2024 and initially contributed legitimate code to gain credibility. However, in November 2024, the profile started publishing repositories connected to the recent operation.
STRIKE’s analysis showed that the group targets crypto wallets, including MetaMask, Exodus, and Atomic, across Linux, macOS, and Windows operating systems. The implant scans the system to find crypto wallets, read file contents, and extract metadata.
“It targets wallet directories, extracts private keys, and sends them to the C2 server. Additionally, the implant can modify browser configuration files to inject stealthy payloads that can intercept transactions,” STRIKE’s researchers explain.
The malware collects and exfiltrates data from the targeted folders to steal sensitive information. It also contains anti-analysis code and techniques that make it difficult for analysts to understand and debug.
The Crypto Sector Needs to Stay Alert
In 2024, hackers stole $2.2 billion across 303 crypto breaches, with North Korean groups behind several major attacks. Governments and organizations are stepping up their efforts to fight back. In December 2024, South Korea hit individuals and companies linked to crypto theft with sanctions.
Research from STRIKE shows that hackers are constantly changing their tactics. They’re exploiting GitHub, posting fake job listings, and using all sorts of tricks to spread malware.
To stay safe, make sure to follow security best practices, stay updated on cyber threats, and double-check open-source code before using it.
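The two points above, that a cloned repository can run code “in the background” as soon as it is installed, and that open-source code should be checked before use, come down to a concrete review step. The Node.js script below is an added example, not code from the article or from STRIKE/SecurityScorecard: it lists the npm lifecycle scripts in a package.json that would run automatically on `npm install` and flags common obfuscation markers in the package’s JavaScript files. The package contents, indicator regexes and file names are constructed for the demo and are not taken from the Marstech implant.

```javascript
// Added example (not from the article or from STRIKE/SecurityScorecard): a
// pre-install review of an npm package. It reports the two things a reviewer
// checks first after cloning an unfamiliar repository:
//   1. lifecycle scripts in package.json (preinstall/install/postinstall run
//      automatically on `npm install`, before any code is consciously "run"), and
//   2. obfuscation markers in the JavaScript sources (eval / new Function,
//      very long base64 literals, runs of hex-escaped characters, shelling out).
// The sample package and all patterns below are constructed for this demo.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish'];

// Return the lifecycle scripts that npm would execute automatically on install.
function findLifecycleScripts(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const scripts = pkg.scripts || {};
  return LIFECYCLE_HOOKS
    .filter((hook) => Object.prototype.hasOwnProperty.call(scripts, hook))
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Heuristic indicators of obfuscated or dynamically evaluated code.
// Any one of them is a reason to read the file, not proof of malice.
const SOURCE_INDICATORS = [
  { name: 'dynamic-eval', re: /\beval\s*\(|new\s+Function\s*\(/ },
  { name: 'long-base64-literal', re: /['"`][A-Za-z0-9+/]{200,}={0,2}['"`]/ },
  { name: 'hex-escaped-string', re: /(\\x[0-9a-fA-F]{2}){8,}/ },
  { name: 'child-process-exec', re: /child_process|\bexecSync\s*\(|\bspawn\s*\(/ },
];

// Scan one source file and return the indicators it matches.
function scanSource(fileName, source) {
  return SOURCE_INDICATORS
    .filter(({ re }) => re.test(source))
    .map(({ name }) => ({ file: fileName, indicator: name }));
}

// Review a whole package; `files` maps a relative path to its text content.
function reviewPackage(files) {
  const findings = [];
  if (files['package.json']) {
    for (const s of findLifecycleScripts(files['package.json'])) {
      findings.push({ file: 'package.json', indicator: `lifecycle:${s.hook}`, detail: s.command });
    }
  }
  for (const [name, text] of Object.entries(files)) {
    if (name.endsWith('.js')) findings.push(...scanSource(name, text));
  }
  return findings;
}

// Constructed sample package: a postinstall hook plus a helper that decodes a
// long base64 blob and evaluates it (a typical shape for a dropper, built here
// from harmless filler text).
const SAMPLE_PACKAGE = {
  'package.json': JSON.stringify({
    name: 'demo-wallet-utils',
    version: '1.0.0',
    scripts: { test: 'node test.js', postinstall: 'node lib/setup.js' },
  }),
  'lib/setup.js':
    "const p = '" + 'QUJD'.repeat(60) + "'; new Function(Buffer.from(p, 'base64').toString())();",
  'lib/index.js': 'module.exports = { add: (a, b) => a + b };',
};

// Print the review for the sample package and return the findings.
function demo() {
  const findings = reviewPackage(SAMPLE_PACKAGE);
  for (const f of findings) {
    console.log(`${f.file}: ${f.indicator}${f.detail ? ' -> ' + f.detail : ''}`);
  }
  return findings;
}

demo();
```

In practice you would run `reviewPackage` over the files of the cloned directory before running `npm install`, and treat any lifecycle hook that launches a script you have not read as a blocker. Installing with `npm install --ignore-scripts` and reading the hooks first is the corresponding manual step.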
Watch out for random messages pushing you to use certain packages – social engineering is a go-to trick for hackers. Keep an eye on your network activity too, since unusual outbound traffic could mean someone’s stealing your data.
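The last piece of advice, watching for unusual outbound traffic, is easiest to act on with a small rule set over egress logs. The following is an added example, not part of the article: it parses constructed egress-log lines from a developer workstation and flags connections to destinations outside an allowlist, non-standard ports, and large uploads. The log format, hostnames, the 203.0.113.77 address (a documentation-range IP) and the thresholds are all assumptions made for the demo.

```javascript
// Added example (not from the article): a minimal egress-log detector for the
// "unusual outbound traffic" the article tells developers to watch for.
// Log line format (assumed for the demo):
//   <iso-timestamp> src=<ip> dst=<host>:<port> bytes_out=<n> proc=<process>

// Destinations a developer workstation is expected to talk to (assumed allowlist).
const ALLOWED_DESTS = new Set(['registry.npmjs.org', 'github.com', 'api.github.com']);
const EXPECTED_PORTS = new Set([80, 443]);
const UPLOAD_THRESHOLD_BYTES = 5 * 1024 * 1024; // 5 MiB sent in one connection

// Parse one line; return null for lines that do not match the format.
function parseEgressLine(line) {
  const m = /^(\S+)\s+src=(\S+)\s+dst=(\S+):(\d+)\s+bytes_out=(\d+)\s+proc=(\S+)$/.exec(line.trim());
  if (!m) return null;
  return { ts: m[1], src: m[2], dst: m[3], port: Number(m[4]), bytesOut: Number(m[5]), proc: m[6] };
}

// Return the reasons a record is suspicious (empty array = nothing to flag).
function classify(rec) {
  const reasons = [];
  if (!ALLOWED_DESTS.has(rec.dst)) reasons.push('unlisted-destination');
  if (!EXPECTED_PORTS.has(rec.port)) reasons.push('non-standard-port');
  if (rec.bytesOut >= UPLOAD_THRESHOLD_BYTES) reasons.push('large-upload');
  return reasons;
}

// Run the rules over a list of log lines and collect the alerts.
function findSuspiciousEgress(lines) {
  const alerts = [];
  for (const line of lines) {
    const rec = parseEgressLine(line);
    if (!rec) continue; // skip malformed lines rather than crash
    const reasons = classify(rec);
    if (reasons.length > 0) alerts.push({ ...rec, reasons });
  }
  return alerts;
}

// Constructed sample log: normal npm/git traffic, one malformed line, and one
// node process pushing 7 MiB to an unlisted host on an unusual port.
const SAMPLE_LOG = [
  '2025-02-12T09:14:03Z src=10.0.0.21 dst=registry.npmjs.org:443 bytes_out=2310 proc=npm',
  '2025-02-12T09:14:09Z src=10.0.0.21 dst=github.com:443 bytes_out=1802 proc=git',
  '2025-02-12T09:15:41Z src=10.0.0.21 dst=203.0.113.77:8443 bytes_out=7340032 proc=node',
  'garbage line that does not parse',
  '2025-02-12T09:16:02Z src=10.0.0.21 dst=api.github.com:443 bytes_out=910 proc=node',
];

// Print the alerts for the sample log and return them.
function demo() {
  const alerts = findSuspiciousEgress(SAMPLE_LOG);
  for (const a of alerts) {
    console.log(`${a.ts} ${a.proc} -> ${a.dst}:${a.port} (${a.bytesOut} bytes): ${a.reasons.join(', ')}`);
  }
  return alerts;
}

demo();
```

The allowlist approach deliberately flags the destination before it looks at volume: a wallet-stealing implant does not need to send much to hand over a private key, so a small upload to an unknown host is worth as much attention as a large one.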