
Lazarus Adds New Malicious npm Using Hexadecimal String Encoding to Evade Detection Systems


North Korean state-sponsored threat actors associated with the Lazarus Group have intensified their Contagious Interview campaign by deploying novel malicious npm packages leveraging hexadecimal string encoding to bypass detection mechanisms.

These packages deliver BeaverTail infostealers and remote access trojan (RAT) loaders, targeting developers to exfiltrate credentials, financial data, and cryptocurrency wallets.

SecurityScorecard researchers identified 11 new packages with over 5,600 cumulative downloads, linking infrastructure and tactics to known Lazarus operations.
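As an added example (not code from the article or from SecurityScorecard), the following Node.js script shows how a defender can surface the hex-escaped string literals the article describes: it finds runs of `\xNN` escapes in package source, decodes them, and flags decoded values that look like an IP:port endpoint or a code-execution or network primitive. The sample package source and the 203.0.113.10:1224 endpoint inside it are constructed placeholders, not indicators from the campaign.

```javascript
// Added example: scan JavaScript source for hex-escaped string literals
// (e.g. "\x68\x74\x74\x70" for "http") and decode them so that otherwise
// hidden endpoints and primitives can be reviewed or alerted on.

// Eight or more consecutive \xNN escapes; short runs are common in benign code.
const HEX_RUN = /(?:\\x[0-9a-fA-F]{2}){8,}/g;

// Turn a literal "\x68\x74" text fragment back into "ht".
function decodeHexEscapes(s) {
  return s.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Heuristics applied to the decoded text; extend with local context as needed.
const SUSPICIOUS = [
  { name: 'ip-port endpoint', re: /\b\d{1,3}(?:\.\d{1,3}){3}:\d{2,5}\b/ },
  { name: 'dynamic code execution', re: /\b(eval|Function|child_process)\b/ },
  { name: 'http client', re: /\b(http|https|axios|fetch)\b/ },
];

// Returns one finding per hex run: where it was, what it decodes to, and why it matters.
function scanSource(src) {
  const findings = [];
  for (const m of src.matchAll(HEX_RUN)) {
    const decoded = decodeHexEscapes(m[0]);
    const reasons = SUSPICIOUS.filter(s => s.re.test(decoded)).map(s => s.name);
    findings.push({ offset: m.index, decoded, reasons });
  }
  return findings;
}

// Constructed sample of what an obfuscated package file might look like.
// String.raw keeps the backslashes so the scanner sees them as the file would.
const SAMPLE_SOURCE = String.raw`
const os = require('os');
const h = "\x68\x74\x74\x70\x3a\x2f\x2f\x32\x30\x33\x2e\x30\x2e\x31\x31\x33\x2e\x31\x30\x3a\x31\x32\x32\x34";
const c = require("\x63\x68\x69\x6c\x64\x5f\x70\x72\x6f\x63\x65\x73\x73");
console.log("\x6f\x6b");
`;

for (const f of scanSource(SAMPLE_SOURCE)) {
  console.log(`offset ${f.offset}: "${f.decoded}" [${f.reasons.join(', ') || 'no match'}]`);
}
```

The two-character "ok" literal stays below the run threshold and is not reported, which keeps noise down on ordinary code; lower the threshold when reviewing a package that has already been flagged.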

Campaign Expansion Through Multi-Platform Repositories

The threat actors created npm accounts taras_lakhai, mvitalii, wishorn, and crouch626 to disseminate malicious packages like twitterapis and dev-debugger-vite.

These packages masqueraded as utilities for API handling, logging, and debugging while establishing connections to command-and-control (C2) servers at 45.61.151[.]71:1224 and 185.153.182[.]241:1224[1].

Shared infrastructure between accounts, such as the use of identical IP-port combinations, confirms coordinated Lazarus activity.

Notably, the group expanded its repository footprint to ...


Copyright of this story solely belongs to gbhackers.