Lazarus Group hackers increase open-source weaponisation

North Korea’s infamous Lazarus Group hackers are increasing their weaponisation of open-source software, according to a new Sonatype report. The state-sponsored hackers are hiding malicious code inside seemingly normal software packages to steal secrets from developers in advanced supply chain attacks.

Since the start of 2025, researchers have found 234 unique malicious packages linked to the group, potentially hitting over 36,000 victims. Instead of trying to break down the front door, Lazarus is getting invited inside through the software we all trust and use every day. The very foundation of community and trust that open-source is built on is being turned into a tool for state-sponsored hacking.

This isn’t a new trick, but a perfection of an old one, says Emilio Pinna, director at SecureFlag.

“This is not new. We saw it with SolarWinds, with Codecov, with the npm event stream compromise,” Pinna explained. “Attackers have learned that the easiest way into an organisation is not breaking in directly, but getting invited in through the software supply chain.”

The Lazarus Group, also known as Hidden Cobra to US intelligence, has a long and destructive history. They’re the crew behind the 2014 Sony Pictures hack, the attempted $1 billion heist from Bangladesh Bank, and the global WannaCry ransomware crisis. More recently, they were tied to the record-breaking $1.5 billion crypto theft from ByBit. Now, they’ve shifted from loud, disruptive attacks to quiet, long-term infiltration, and the software supply chain is their primary target.

Lazarus Group hackers teach a masterclass in deception

In their latest campaign targeting the npm and PyPI code registries, the group shows a high level of discipline, relying on a playbook of deception to fool developers. They impersonate popular software libraries using clever misspellings or by “brand-jacking” the names of trusted tools.

They’ve been caught spoofing tools like the winston logger and nodemailer. In one case, they created fake packages named servant and velocky that simply copied the description file from another popular tool, pino, to look like a legitimate spin-off.

“By poisoning npm and PyPI packages, they are targeting developers and CI/CD pipelines at the source,” notes Pinna. “Once malicious code enters a build system, it is essentially game over because those pipelines often hold the keys to production.”

Once a developer downloads a tainted package, a quiet, multi-stage attack begins.

First, a small script called a “dropper” calls home to a remote server to download the real malware. This helps the package slip past automated security scanners.

Next, a heavily disguised “loader” program is deployed. This loader checks to see if it’s inside a security analysis environment. If it suspects it’s being watched, it shuts down to avoid detection. If the coast is clear, it deploys several different malicious tools—each running as its own separate process so that if one is discovered, the others can keep working.

Mining for trust, not crypto

This campaign from the Lazarus Group hackers isn’t about hijacking computers for cryptomining; it’s about theft. The report found that over 90 of the packages were built to steal secrets like passwords, API tokens, and credentials.

“The shift from cryptomining to espionage should surprise no one,” Pinna adds. “Why waste compute power when you can steal credentials, plant remote shells, and quietly persist for months?”

Sonatype’s report puts it bluntly that the “stolen credentials are not the end goal. They are the key to unlocking the kingdom—gaining access to source code repositories, cloud infrastructure, and internal networks”.

The malicious tools deployed include clipboard stealers, password harvesters, and even keyloggers and screen-capture utilities for total surveillance.

Defending open-source code

This attack is a clear sign that open-source is the new frontline in cyber warfare, and developers are the soldiers. To fight back, companies need a layered defence.

What that means is using firewalls to block malicious packages before they get in, having stricter rules about what software can be installed, and regularly auditing what’s already in use. But tools aren’t a silver bullet; Pinna argues the real problem is cultural.

“We have allowed convenience to drive DevOps culture, and we pull in dependencies without thinking. CI/CD has become a trusted conveyor belt for untrusted code,” Pinna warned. “Until we treat the pipeline as a security-critical system with strict package allowlists, integrity verification, and meaningful monitoring, we will keep seeing nation states mining not cryptocurrency but trust.”

“Closing this gap will require more than tools; it will require hands-on security training for engineers and real threat modeling exercises for our pipelines so teams can anticipate these attacks before they happen.”
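A minimal policy check of the kind the layered defence above calls for, added here as an illustration rather than code from Sonatype or SecureFlag: it audits a constructed slice of an npm lockfile against a hypothetical allowlist, flags names within a small edit distance of approved packages such as winston or pino as likely typosquats (the brand-jacking pattern described earlier), and verifies pinned integrity hashes. The lockfile contents, allowlist entries and hash values are all made-up assumptions.

```python
import json

# Constructed sample lockfile slice (npm "packages" map); not real registry data.
SAMPLE_LOCK = json.loads("""{
  "packages": {
    "": {"name": "demo-app"},
    "node_modules/pino": {"version": "9.0.0", "integrity": "sha512-AAAA"},
    "node_modules/velocky": {"version": "1.0.0", "integrity": "sha512-BBBB"},
    "node_modules/winstom": {"version": "3.1.0", "integrity": "sha512-CCCC"},
    "node_modules/nodemailer": {"version": "6.9.0"}
  }
}""")

# Hypothetical allowlist: approved package name -> expected integrity value.
ALLOWLIST = {"pino": "sha512-AAAA", "winston": "sha512-DDDD",
             "nodemailer": "sha512-EEEE"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a rolling DP row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_lockfile(lock: dict, allowlist: dict, max_dist: int = 2) -> list:
    """Return (package, finding) pairs: unlisted names (near-misses of approved
    names flagged as likely typosquats), missing hashes, or hash mismatches."""
    findings = []
    for path, meta in lock["packages"].items():
        if "node_modules/" not in path:
            continue  # the root project entry, not a dependency
        name = path.rsplit("node_modules/", 1)[1]  # keeps @scope/name intact
        if name not in allowlist:
            near = [w for w in allowlist if 0 < edit_distance(name, w) <= max_dist]
            msg = "not allowlisted"
            if near:
                msg += f"; possible typosquat of {near[0]}"
            findings.append((name, msg))
        elif "integrity" not in meta:
            findings.append((name, "missing integrity hash"))
        elif meta["integrity"] != allowlist[name]:
            findings.append((name, "integrity mismatch"))
    return findings
```

Run as a CI gate, a non-empty result from audit_lockfile should fail the build; the same check applies to a PyPI requirements file with pinned hashes once the parsing is swapped.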

The Lazarus Group’s campaign is a reminder of how the trust our digital world is built on can be turned against us.

(Photo by Steve Barker)
