Lazarus Strikes npm Again with a New Wave of Malicious Packages
2025-03-10 • Socket
https://socket.dev/blog/lazarus-strikes-npm-again-with-a-new-wave-of-malicious-packages
North Korea’s Lazarus Group continues to infiltrate the npm ecosystem, deploying six new malicious packages designed to compromise developer environments, steal credentials, extract cryptocurrency data, and deploy a backdoor. The secondary payload (SHA256: 6a104f07ab6c5711b6bc8bf6ff956ab8cd597a388002a966e980c5ec9678b5b0) is downloaded under the filename p.zi and extracted using tar -xf, following a multi-stage deployment strategy consistent with previous Lazarus campaigns that distributed the BeaverTail malware. Notably, the malware also targets cryptocurrency wallets, specifically extracting id.json from Solana and exodus.wallet from Exodus. In this campaign, Socket researchers uncovered BeaverTail malware embedded within seemingly benign packages — is-buffer-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator — each closely mirroring tactics previously documented in Lazarus (Contagious Interview) operations.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 172.86.84.38 | 2025-03-10 | 2025-11-13 |
| HASH | 6a104f07ab6c5711b6bc8bf6ff956ab… | 2024-10-23 | 2025-07-26 |
| npm package | [email protected] | 2025-03-10 | 2025-03-10 |
| npm package | [email protected] | 2025-03-10 | 2025-03-10 |
| npm package | [email protected] | 2025-03-10 | 2025-03-10 |
| npm package | [email protected] | 2025-03-10 | 2025-03-10 |
| npm package | [email protected] | 2025-03-10 | 2025-03-10 |
| npm package | [email protected] | 2025-03-10 | 2025-03-10 |
| DOMAIN | softworldnet.com | 2025-03-10 | 2025-03-10 |