March 26, 2025

The Lazarus Shift: Why Developer Security Is the New Frontline

The same group behind the Bybit theft is now targeting developers with malicious packages on npm. Just weeks ago, they pulled off the largest crypto heist in history, stealing $1.5 billion worth of Ethereum from the Bybit exchange. The hackers exploited a vulnerability in Bybit's cold wallet system, manipulating a routine transaction to transfer the funds to an unknown address. Despite efforts to trace and recover the stolen assets, a significant portion has already been laundered. But Lazarus isn't stopping there. They've now turned their attention to the developer community, sneaking harmful code into the npm ecosystem.

Researchers at Socket have discovered six new fake npm packages disguised as trustworthy libraries. These packages are designed to steal login credentials, collect cryptocurrency wallet data, and install backdoors that give attackers long-term access to a victim's system.

The six packages are:

  • is-buffer-validator
  • yoojae-validator
  • event-handle-package
  • array-empty-validator
  • react-event-dependency
  • auth-validator

Each name mimics a popular, widely used package in order to trick developers into installing the wrong one, a classic tactic known as typosquatting. Some even came with official-looking GitHub repositories to appear more legitimate.

Although these packages haven't been downloaded thousands of times (just over 300 total so far), their design shows a clear intention to infiltrate development environments quietly and efficiently. The malware inside them can search a computer for browser data, crypto wallet files, and other sensitive information, and then send that data to an external server.

Expert View: OnchainLabs CTO Pedro Barrera on the Bigger Picture

According to our CTO, Pedro, these attacks are part of a much larger and ongoing trend. “It’s not just Lazarus — many hacker groups are constantly spreading malware to gain control over systems,” he explains. “Once infected, your machine can be used for future attacks or to steal sensitive data without you knowing.”

Pedro emphasizes the importance of caution: “Personally, I never download anything if I can’t review the code. But in a company setting, that’s not always realistic. So we look for strong indicators of trust — like open-source repositories with many contributors and at least 10,000 GitHub stars. The more eyes on the code, the safer it likely is.”

He adds that full audits are ideal but often require time and resources. “If you can’t audit every line, rely on well-established projects backed by a strong community.”

Pedro also warns that relying too heavily on third-party code increases your exposure to risk:

“The more dependency code we use, the more chances we have to be hacked — that’s why we’re not using any of them.”

What Can You Do About It?

  • Double-check package names before installing anything from npm.
  • Stick to trusted sources and avoid libraries with few downloads or unknown maintainers.
  • Use tools like Socket’s GitHub app or CLI to scan your code for hidden threats.
  • Look for open-source packages with large communities and active contributors.

  • Make sure your team understands the risks of supply chain attacks and how to spot suspicious behavior.
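The first two checks above (look-alike names, thin download and maintainer history) can be automated as a pre-install triage step. The Node script below is an added example written for this article; it is not code from Socket, from Lazarus research, or from OnchainLabs. It audits a package.json manifest against a small allow-list of well-known names and a registry snapshot. The allow-list, the download and maintainer figures, and the thresholds are all constructed assumptions; the two suspicious package names come from the list above. A real run would load the top npm packages (or an internal approved list) and query the registry for live metadata.

```javascript
// Added example (not from the article, Socket, or OnchainLabs): offline audit of a
// package.json dependency list that flags names resembling well-known packages
// (typosquatting) and packages with weak trust signals. Run: node audit-deps.js

// Constructed allow-list of well-known package names. Assumption: a real run
// would load the top npm packages or an internal approved-dependency list.
const KNOWN_PACKAGES = ['is-buffer', 'validator', 'react', 'event-emitter', 'lodash'];

// Constructed registry snapshot. Assumption: in practice these figures come
// from the npm registry and download-count API and are cached locally.
const REGISTRY_META = {
  'is-buffer':           { weeklyDownloads: 40000000, maintainers: 3, ageDays: 3200 },
  'lodash':              { weeklyDownloads: 50000000, maintainers: 4, ageDays: 4500 },
  'is-buffer-validator': { weeklyDownloads: 120,      maintainers: 1, ageDays: 14 },
  'auth-validator':      { weeklyDownloads: 95,       maintainers: 1, ageDays: 9 },
};

// Constructed manifest under audit. The two suspicious names are from the
// article's list; the other two are ordinary, legitimate dependencies.
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    'lodash': '^4.17.21',
    'is-buffer': '^2.0.5',
    'is-buffer-validator': '^1.0.0',
    'auth-validator': '^0.1.2',
  },
};

// Trust-signal thresholds (assumed values; tune them for your organisation).
const MIN_WEEKLY_DOWNLOADS = 1000;
const MIN_AGE_DAYS = 90;

// Classic edit distance (single-row Levenshtein), used to catch one- or
// two-character misspellings of a well-known name.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];   // d[i-1][j-1] for the current column
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = prev[j];   // d[i-1][j]
      prev[j] = Math.min(
        above + 1,                                   // deletion
        prev[j - 1] + 1,                             // insertion
        diag + (a[i - 1] === b[j - 1] ? 0 : 1),      // substitution / match
      );
      diag = above;
    }
  }
  return prev[b.length];
}

// Returns the well-known name a package resembles, or null. Flags (a) close
// misspellings and (b) a known name used as a leading or trailing segment,
// e.g. "is-buffer-validator" built from "is-buffer". An exact match is the
// genuine package and is never flagged.
function resemblesKnownPackage(name, known = KNOWN_PACKAGES) {
  if (known.includes(name)) return null;
  for (const k of known) {
    if (levenshtein(name, k) <= 2) return k;
    if (name.startsWith(k + '-') || name.endsWith('-' + k)) return k;
  }
  return null;
}

// Walks the manifest and collects a list of { name, reasons } findings.
function auditDependencies(manifest, meta = REGISTRY_META) {
  const findings = [];
  for (const name of Object.keys(manifest.dependencies || {})) {
    const reasons = [];
    const lookalike = resemblesKnownPackage(name);
    if (lookalike) reasons.push(`name resembles well-known package "${lookalike}"`);
    const m = meta[name];
    if (!m) {
      reasons.push('no registry metadata available');
    } else {
      if (m.weeklyDownloads < MIN_WEEKLY_DOWNLOADS) reasons.push(`low downloads (${m.weeklyDownloads}/week)`);
      if (m.maintainers <= 1 && m.ageDays < MIN_AGE_DAYS) reasons.push('single maintainer and published recently');
    }
    if (reasons.length) findings.push({ name, reasons });
  }
  return findings;
}

// Stand-alone run: print every finding for the constructed manifest.
if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditDependencies(SAMPLE_PACKAGE_JSON)) {
    console.log(`${f.name}: ${f.reasons.join('; ')}`);
  }
}
```

On the constructed manifest the script reports only is-buffer-validator and auth-validator, each with three reasons, and stays silent on lodash and is-buffer. The prefix/suffix rule is a triage signal rather than a verdict: legitimate companion packages of a popular project will trip it unless they are added to the allow-list, so treat findings as a prompt for review (or for running Socket's scanner), not as an automatic block.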

Even as hackers get smarter, developers can stay ahead by being cautious and using the right tools. The best defense starts with awareness.

About the author
SoMe & Project Manager. The face behind our social accounts, shaping our digital voice and community.