North Korean “Laptop Farms” Infiltrated 70 U.S. Companies
The post North Korean “Laptop Farms” Infiltrated 70 U.S. Companies appeared first on Daily CyberSecurity.

A pair of tightly executed cyberattacks have become milestones in cryptocurrency theft in 2026 due to their sheer size. These two incidents, targeting Drift Protocol and KelpDAO, account for roughly three quarters of all recorded crypto losses through April, revealing a shift toward fewer, higher-dollar operations. Based on a report from TRM Labs, security researchers..
The post North Korea’s Enormous Crypto Hacks Redefine Scale and Strategy appeared first on Security Boulevard.
The post The Malware Factory: Unmasking the 108-Package North Korean Siege on npm appeared first on Daily CyberSecurity.
Hackers tied to the North Korea-linked group Lazarus APT carried out a $290M crypto theft targeting Kelp DAO.
Earlier today we identified suspicious cross-chain activity involving rsETH. We have paused rsETH contracts across mainnet and several L2s while we investigate.
— Kelp (@KelpDAO) April 18, 2026
We are working with @LayerZero_Core, @unichain, our auditors and top security experts on RCA.
We will keep you…
Kelp DAO is a decentralized finance (DeFi) protocol built on the Ethereum ecosystem that focuses on a concept called liquid restaking.
Attackers manipulated LayerZero infrastructure, forcing systems to rely on compromised nodes, then issued a malicious command to drain funds.
This is one of the biggest DeFi hacks of 2026
— StarPlatinum (@StarPlatinum_) April 18, 2026
Here’s what just happened:
Kelp DAO’s rsETH bridge got exploited through LayerZero.
Around 116,500 rsETH was drained.
That’s $293M gone in minutes.
Main drain transaction:… pic.twitter.com/9ZfHqUUsWN
After the breach, the platform froze activity and blocked wallets, stopping a second attempted theft worth about $95M.
“Kelp detected the anomaly, paused all relevant contracts on Ethereum mainnet and L2s, blacklisted all wallets associated with the exploiter, and engaged SEAL-911,” wrote Kelp. “A subsequent attempt by the exploiter, leveraging a falsely verified phantom packet to target an additional 40,000 rsETH (~$95M), was fully mitigated by these interventions.”
Kelp DAO lets users deposit ETH, restake it via EigenLayer, and receive rsETH to earn extra rewards. It relies on LayerZero to verify transactions across chains. The attack didn’t exploit the core protocol but targeted the verification layer.
LayerZero checks transactions using multiple servers (RPCs). Attackers hacked two of them and used them to send fake but valid-looking messages.
“On April 18, 2026, LayerZero Labs’ DVN became the target of a highly sophisticated attack, likely attributable to the Lazarus Group, more specifically TraderTraitor. The attack was specifically engineered to manipulate or poison downstream RPC infrastructure by compromising a quorum of the RPCs the LayerZero Labs DVN relied upon to verify transactions. It was not done through an exploit to the protocol, DVN, key management or other means,” reports LayerZero. “Rather, the attacker was able to gain access to the list of RPCs our DVN uses, compromise two of them – which were independent nodes running on separate clusters without direct connection to each other – and swap out binaries running the op-geth nodes. Because of our least-privilege principles, they were unable to compromise the actual DVN instances. However, they used this pivot point to execute an RPC-spoofing attack.”
They then launched a DDoS attack against the remaining RPC servers, forcing the DVN to rely on the compromised ones, so that forged transactions were attested as valid. The root cause on the application side was Kelp DAO’s insecure “1-of-1” verifier setup, meaning only one DVN checked transactions. This created a single point of failure. Best practice requires multiple independent verifiers, which would have blocked the attack even if one DVN had been fed poisoned RPC data.
LayerZero reported that the breach only affected its rsETH setup and did not spread to other apps, thanks to LayerZero’s modular design.
LayerZero confirmed its infrastructure and protocol worked as designed, isolating the damage. The incident highlights a new type of state-level attack targeting off-chain components like RPCs, rather than core blockchain systems. After the breach, compromised nodes were replaced, and stronger multi-verifier configurations are now being enforced to prevent similar attacks.
LayerZero says the hack could have been avoided if Kelp DAO had used multiple verifiers (multi-DVN), the industry standard.
“Industry best practice — and LayerZero’s express recommendation to all integrators — is to configure a multi-DVN setup with diversity and redundancy. This means no single DVN should represent a unilateral point of trust or failure,” continues LayerZero’s statement. “Operating a single-point-of-failure configuration meant there was no independent verifier to catch and reject a forged message. LayerZero and other external parties previously communicated best practices around DVN diversification to KelpDAO. Despite these recommendations, KelpDAO chose to utilize a 1/1 DVN configuration.”
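The following is an added illustration, not code from Kelp, LayerZero or the original article, of why the 1-of-1 DVN configuration failed and a multi-DVN configuration would not have. It models a DVN as a verifier that attests to a payload hash when a majority of its reachable RPC nodes claim the message was emitted on the source chain; the RPC node names, the message payloads and the majority rule are constructed assumptions for the model, and the required/optional/threshold config shape mirrors the multi-DVN setup the statement recommends.

```python
import hashlib
from dataclasses import dataclass, field


def payload_hash(payload: str) -> str:
    """The identifier a DVN attests to: the hash of the cross-chain message payload."""
    return hashlib.sha256(payload.encode()).hexdigest()


@dataclass
class Rpc:
    """A source-chain RPC node as seen by a DVN. 'emitted' is the set of payload
    hashes the node claims left the source chain; a node whose binary was swapped
    can claim anything. 'reachable' is False for a node knocked out by DDoS."""
    name: str
    emitted: set
    reachable: bool = True


@dataclass
class Dvn:
    """A verifier that asks its RPC set whether a payload hash really was emitted
    and attests when a majority of the reachable nodes agree (assumed quorum rule)."""
    name: str
    rpcs: list

    def attests(self, h: str) -> bool:
        live = [r for r in self.rpcs if r.reachable]
        if not live:
            return False
        agree = sum(1 for r in live if h in r.emitted)
        return agree * 2 > len(live)


@dataclass
class UlnConfig:
    """Receive-side security config: every required DVN must attest, plus at least
    optional_threshold of the optional DVNs. 1-of-1 is required=[one_dvn]."""
    required: list
    optional: list = field(default_factory=list)
    optional_threshold: int = 0

    def verifiable(self, h: str) -> bool:
        if not all(d.attests(h) for d in self.required):
            return False
        return sum(d.attests(h) for d in self.optional) >= self.optional_threshold


REAL = payload_hash("mint 10 rsETH to 0xUSER")           # constructed genuine message
FAKE = payload_hash("mint 116500 rsETH to 0xATTACKER")   # constructed phantom packet


def scenario() -> dict:
    honest = Rpc("op-geth-3", {REAL}, reachable=False)                  # taken offline by DDoS
    poisoned = [Rpc(f"op-geth-{i}", {REAL, FAKE}) for i in (1, 2)]      # swapped binaries
    lz_dvn = Dvn("LayerZero Labs DVN", poisoned + [honest])
    other_dvn = Dvn("independent DVN", [Rpc("own-node", {REAL})])       # unaffected verifier
    one_of_one = UlnConfig(required=[lz_dvn])
    multi = UlnConfig(required=[lz_dvn, other_dvn])
    return {
        "1-of-1 accepts real": one_of_one.verifiable(REAL),
        "1-of-1 accepts fake": one_of_one.verifiable(FAKE),   # forged packet passes
        "multi accepts real": multi.verifiable(REAL),
        "multi accepts fake": multi.verifiable(FAKE),         # second DVN rejects it
    }
```

Even without the DDoS, two poisoned nodes out of three already form a majority for the single DVN, which is why a second, independently sourced verifier rather than more RPCs behind the same DVN is the fix.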
Kelp DAO rejected the accusation, saying it followed the default setup and did not manage the compromised infrastructure. It is now focused on limiting the damage, with partners such as the Arbitrum Security Council freezing funds. The impact spread across DeFi, with Aave losing nearly $8B in value.
“Kelp’s priority is our users and preventing contagion across DeFi. We are working with all ecosystem partners to analyse the impact, rally support, and explore all avenues of mitigation,” concludes Kelp. “We are concurrently assessing the potential next steps regarding protocol unpausing, impact assessment, and the way forward, and working with Aave, LZ, and all other key stakeholders.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Lazarus APT)
The post North Korean State Actors Linked to Massive $285 Million Drift Protocol Heist appeared first on Daily CyberSecurity.
North Korea-linked threat actors target South Korean organizations using GitHub as C2 servers. The attack chain starts with phishing emails carrying obfuscated LNK files that drop a decoy PDF and a PowerShell script to advance the intrusion.
“FortiGuard Labs recently detected a series of LNK files targeting users in South Korea. These attacks use a multi-stage scripting process and leverage GitHub as Command and Control (C2) infrastructure to evade detection,” reads the report published by FortiGuard Labs. “Although these LNK files can be traced back to 2024, earlier versions had less obfuscation and contained significant metadata, allowing us to track similar attacks spreading the XenoRAT malware.”
The attacker recently changed tactics, embedding decoding functions and encoded payloads directly in LNK files. Decoy PDF titles show a focus on targeting companies in South Korea to expand surveillance.

Attackers use LNK files with embedded scripts to launch PowerShell commands from GitHub. Early versions hid C2 data with simple obfuscation, while later ones added decoding functions and shared metadata like “Hangul Document.” In recent attacks, they removed metadata and used encoded payloads. The LNK drops a decoy PDF to distract victims while the malicious script runs silently.
“In the latest attacks, the threat actor has removed this identifying metadata, leaving only a decoding function within the arguments,” reads the report published by FortiGuard Labs. “This function p1 takes three parameters: location, length, and an XOR key. It first defines a path to drop the decoy PDF, then decodes both the PDF and a PowerShell script for the next stage of the attack.”
The PowerShell script runs checks to detect analysis tools and stops if it finds them, helping attackers to remain under the radar. It then decodes payloads, stores them in temporary folders, and creates persistence using a scheduled task that runs silently.
The script collects system details and sends them to GitHub using hidden repositories.
Attackers rely on multiple accounts, both active and dormant, to manage operations and avoid detection while continuing data exfiltration.
“Our investigation into this GitHub account, motoralis, reveals consistent activity dating back to 2025, which matches our threat-hunting results on earlier LNK file variants. Other activities involve multiple GitHub accounts in similar attacks, including God0808RAMA, Pigresy80, entire73, pandora0009, and brandonleeodd93-blip,” continued the report. “A broader analysis of the attacker’s infrastructure reveals a strategic use of both dormant and active accounts. While some accounts, like entire73, remain largely inactive for months, others, like brandonleeodd93-blip, were activated just weeks ago to provide immediate redundancy. The motoralis account functions as the primary operational hub, showing a surge in private repository contributions that closely align with the recent spike in LNK-based phishing lures. By conducting all activity within private repositories, the threat actor effectively conceals their malicious payloads and exfiltrated logs from public view while leveraging the high reputation of the GitHub domain to stay under the radar of corporate security filters.”
In the final stage, the script keeps a stable link with the C2 by regularly pulling commands from GitHub. It uses scheduled tasks to stay active and let attackers run actions remotely.
“We identified a ‘keep-alive’ script used by the attacker to stay visible. This script specifically gathers network configuration details and uploads them to GitHub using the PUT method. The logs are stored at: hxxps://api[.]github[.]com/repos/motoralis/singled/contents/jjyun/network/<Date>_<Time>-<IP_Address>-Real.log,” continues the report. “This automated check-in allows the threat actor to monitor the victim’s network status in real-time, enabling further actions or more in-depth exploitation within the compromised environment.”
A keep-alive script collects network details and uploads logs to GitHub, allowing real-time monitoring and further exploitation of the compromised system.

This campaign relies on strong social engineering and multiple phishing lures. Instead of complex malware, the attacker uses built-in Windows tools and LOLBins to stay stealthy and reduce detection.
They abuse GitHub as C2, hiding malicious traffic in normal encrypted connections. Since many networks trust GitHub, data exfiltration often goes unnoticed. This mix of legit tools and services makes detection difficult, so monitoring unusual scripting activity is key.
“This combination of legitimate tools and trusted web services creates a highly effective infection chain. To stay protected, users should stay alert against untrusted documents and monitor for unusual PowerShell or VBScript activity in their environments,” concludes the report.
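As an added example of the monitoring the report recommends (not code from FortiGuard Labs or the original article), the script below runs two detection rules over constructed web-proxy log lines: a scripting host such as PowerShell talking to the GitHub contents API, and a PUT of a file whose name follows the `<Date>_<Time>-<IP_Address>-Real.log` check-in pattern described in the report. The log format, host addresses, repository names and the exact date/time digits are assumptions for the sample; the PowerShell user-agent string is the shape Invoke-WebRequest sends by default.

```python
import re
from typing import NamedTuple

# Constructed proxy log in a "timestamp src "user_agent" method url" shape (not real telemetry).
SAMPLE_LOG = """\
2026-04-20T09:12:03Z 10.0.4.21 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0" GET https://api.github.com/repos/octocat/hello-world/contents/README.md
2026-04-20T09:12:41Z 10.0.4.37 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1" PUT https://api.github.com/repos/ownerx/repo1/contents/net/20260420_091241-10.0.4.37-Real.log
2026-04-20T09:13:10Z 10.0.4.50 "git/2.44.0" POST https://api.github.com/graphql
2026-04-20T09:14:55Z 10.0.4.37 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1" GET https://api.github.com/repos/ownerx/repo1/contents/cmd/task.txt
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) "(?P<ua>[^"]*)" (?P<method>[A-Z]+) (?P<url>\S+)$')
# GitHub REST endpoint for reading/writing repository files, the channel the report describes.
CONTENTS_RE = re.compile(r'^https://api\.github\.com/repos/[^/]+/[^/]+/contents/(?P<path>.+)$')
# <Date>_<Time>-<IP_Address>-Real.log: digits, underscore, digits, dash, dotted quad, "-Real.log".
CHECKIN_RE = re.compile(r'\d+_\d+-\d{1,3}(?:\.\d{1,3}){3}-Real\.log$')
# Scripting hosts that should rarely be driving the GitHub API in a corporate estate.
SCRIPT_UA = re.compile(r'WindowsPowerShell|PowerShell/', re.I)


class Finding(NamedTuple):
    ts: str
    src: str
    rule: str
    url: str


def analyze(log_text: str) -> list:
    """Return one Finding per rule hit; a single line may trigger both rules."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than crash the whole pass
        ua, method, url = m["ua"], m["method"], m["url"]
        contents = CONTENTS_RE.match(url)
        if contents and SCRIPT_UA.search(ua):
            findings.append(Finding(m["ts"], m["src"], "script-host-github-contents-api", url))
        if contents and method == "PUT" and CHECKIN_RE.search(contents["path"]):
            findings.append(Finding(m["ts"], m["src"], "github-checkin-log-upload", url))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts} {f.src} {f.rule} {f.url}")
```

Browser and git traffic to GitHub is left alone, so the rules surface only the host whose PowerShell session is writing and polling repository files.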
(SecurityAffairs – hacking, North Korea)
Drift suffered a $285 million cryptocurrency heist in a highly sophisticated attack likely linked to North Korea. Threat actors used durable nonce accounts to pre-sign and delay transactions, while also compromising multisig approvals to gain admin control.
“This was a highly sophisticated operation that appears to have involved multi-week preparation and staged execution, including the use of durable nonce accounts to pre-sign transactions that delayed execution,” wrote the Solana-based decentralized exchange on X.
Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift’s Security Council administrative powers.
— Drift (@DriftProtocol) April 2, 2026
This was a highly sophisticated operation that appears to have involved…
They prepared for the operation days in advance, setting up wallets and testing transactions before draining funds from multiple vaults within seconds and laundering them across wallets. Drift notified law enforcement and is now working with security firms and exchanges to trace and freeze the stolen assets.
Drift Protocol is coordinating with multiple security firms to determine the cause of the incident. Drift is also working with bridges, exchanges, and law enforcement to trace and freeze stolen assets. We would welcome any information or help pertaining to the investigation at…
— Drift (@DriftProtocol) April 2, 2026
Solana-based decentralized exchange Drift has confirmed that attackers drained about $285 million from the platform during a security incident that took place on April 1, 2026.
The timeline shows a carefully staged attack. On March 23, durable nonce accounts were set up, with at least 2 of 5 multisig signers unknowingly approving transactions, enabling delayed execution. On March 27, Drift migrated its Security Council. By March 30, new nonce activity suggests the attacker regained access to 2 of 5 signers in the updated multisig, maintaining control ahead of the exploit.
On April 1, the attack entered its execution phase. It began with a legitimate test withdrawal by Drift. About a minute later, the attacker used pre-signed durable nonce transactions to take control, creating, approving, and executing a malicious admin transfer, enabling the takeover.
Blockchain cybersecurity firm Elliptic found strong signs linking the $286M Drift Protocol exploit to North Korea (DPRK), based on attack behavior and laundering methods. If confirmed, it would be the 18th DPRK-linked crypto theft this year, with over $300M stolen.
“Elliptic has identified multiple indicators suggesting that the exploit of Drift Protocol is linked to the Democratic People’s Republic of Korea (DPRK),” reads the report published by Elliptic.
Such attacks are tied to funding weapons programs, with over $6.5B stolen in recent years. The incident reflects growing DPRK activity, including recent supply chain attacks like the Axios npm compromise.
According to Elliptic, the Drift attack unfolded rapidly, with attackers draining most funds within an hour after allegedly compromising admin private keys. They targeted key vaults, stealing assets including $155M in JLP tokens and other cryptocurrencies. Drift’s TVL dropped from $550M to under $250M, making it 2026’s largest DeFi hack so far.
The attacker prepared in advance, creating a wallet days earlier and testing access. Stolen funds were quickly swapped to USDC, then moved to Ethereum and converted to ETH. Drift halted operations and is working to contain the incident.
(SecurityAffairs – hacking, Drift)
Google has attributed the recent Axios npm supply chain compromise to a North Korean threat group tracked as UNC1069. The attack, aimed at financial gain, exploited the package to target developers and organizations relying on Axios.
John Hultquist of Google Threat Intelligence confirmed the attribution, highlighting the group’s growing activity in supply chain attacks.
“GTIG attributes this activity to UNC1069, a financially motivated North Korea-nexus threat actor active since at least 2018, based on the use of WAVESHAPER.V2, an updated version of WAVESHAPER previously used by this threat actor. Further, analysis of infrastructure artifacts used in this attack shows overlaps with infrastructure used by UNC1069 in past activities,” reads the analysis by Google Threat Intelligence Group. “Analysis of the C2 infrastructure (sfrclak[.]com resolving to 142.11.206.73) revealed connections from a specific AstrillVPN node previously used by UNC1069. Additionally, adjacent infrastructure hosted on the same ASN has been historically linked to UNC1069 operations.”
Threat actors compromised the npm account of Axios, a widely used library with over 100M weekly downloads. They published malicious versions to spread remote access trojans across Linux, Windows, and macOS. Multiple security firms identified the supply chain attack after the rogue updates appeared in the npm registry.
Malicious versions of Axios (1.14.1 and 0.30.4) were published within an hour without OIDC verification or matching GitHub commits, raising immediate red flags. Researchers believe attackers compromised maintainer Jason Saayman’s npm account.
“Anyone who installed either version before the takedown should assume their system is compromised. The malicious versions inject a dependency (plain-crypto-js) that deploys a cross-platform remote access trojan targeting macOS, Windows, and Linux,” reads the report published by Aikido Security.
The impact is unclear, but given Axios’ ~400M monthly downloads, many downstream projects may have been exposed during the brief attack window.
Socket researchers reported that a malicious package called plain-crypto-js@4.2.1 was published and detected within minutes, likely as part of a coordinated attack targeting Axios. Attackers inserted this dependency into two compromised Axios versions, allowing malware to spread through a trusted library used by millions of projects. Because many developers rely on automatic updates, affected versions could be installed without notice.
The malicious code was designed to stay hidden. It used obfuscation techniques to avoid detection and ran automatically during installation through a post-install script. Once executed, it checked the operating system (Windows, macOS, or Linux) and downloaded a second-stage payload tailored to each platform. In the case of macOS, researchers confirmed the delivery of a fully functional remote access trojan (RAT) capable of collecting system information, communicating with a command-and-control server, and executing commands.
“Security researcher Joe Desimone from Elastic Security captured and reverse-engineered the macOS second-stage binary before the C2 went offline. The payload is a fully functional remote access trojan written in C++,” reads the report published by Socket.
To avoid being discovered, the malware removed its own traces after running. It deleted installation files and restored clean-looking package content, making the infected library appear normal. The experts believe the attack was possible due to the compromise of a maintainer account, enabling unauthorized publishing of malicious updates.
Google’s Threat Intelligence Group (GTIG) and other researchers attribute the Axios npm supply chain attack to North Korean threat actor UNC1069, which has been active since at least 2023. SentinelOne previously observed the group using macOS malware, including attacks on a cryptocurrency firm with fake Zoom campaigns. Malware used in Axios mirrors WAVESHAPER, a strain tied to North Korean operations. Hultquist emphasized the group’s expertise in supply chain attacks and cryptocurrency theft.
WAVESHAPER.V2 is a versatile backdoor used by UNC1069, targeting macOS, Windows, and other environments via C++, PowerShell, or Python. It beacons to C2 every 60 seconds with Base64-encoded JSON, using a hardcoded User-Agent, then waits for commands. Capabilities include reconnaissance (system info, running processes), directory enumeration, script execution, and PE injection. On Windows, it persists via a hidden batch file and registry entry, acting as a full RAT with remote command execution and file system access.
“North Korean hackers have deep experience with supply chain attacks, which they’ve historically used to steal cryptocurrency. The full breadth of this incident is still unclear, but given the popularity of the compromised package, we expect it will have far reaching impacts,” Hultquist said.
“The impact of this attack by North Korea-nexus actors is broad and has ripple effects as other popular packages rely on axios as a dependency. Notably, UNC1069 isn’t the only threat actor that has launched successful open source supply chain attacks in recent weeks. UNC6780 (also known as TeamPCP) recently poisoned GitHub Actions and PyPI packages associated with projects like Trivy, Checkmarx, and LiteLLM to deploy the SANDCLOCK credential stealer and facilitate follow-on extortion operations,” concludes Google. “Hundreds of thousands of stolen secrets could potentially be circulating as a result of these recent attacks. This could enable further software supply chain attacks, software as a service (SaaS) environment compromises (leading to downstream customer compromises), ransomware and extortion events, and cryptocurrency theft over the near term.”
(SecurityAffairs – hacking, Axios)