North Korean state-backed hackers have planted malicious code in open-source software repositories as part of an ongoing campaign that has already put tens of thousands of developers at risk of surveillance and data theft, according to new research.

In its latest operation, Lazarus took advantage of major gaps in the open-source software supply chain — like developers depending on unvetted packages and the lack of oversight for popular tools that are often maintained by just one or two people. The campaign reflects an evolution in tactics by Lazarus, a North Korean state-backed hacking group that has been linked to the world’s largest cryptocurrency heists, including a $1.4 billion theft from Dubai-based Bybit earlier this year.

Between January and July, cybersecurity firm Sonatype said it blocked 234 malicious packages uploaded to the widely used npm and PyPI code repositories and linked to the campaign. More than 90 of the packages were built to steal secrets and credentials, while over 120 served as droppers to deliver additional malware, suggesting a broader strategy focused on long-term network infiltration and persistence rather than quick financial gain, researchers said.

Many of the malicious packages used typosquatting and brand impersonation tactics, mimicking well-known libraries or company tools to fool developers and automated systems into downloading them. Once installed, the malicious packages deploy a range of spying tools — including a clipboard stealer, keylogger, screenshot utility and credential harvester. The packages, which impersonated legitimate developer tools, were designed to steal credentials, profile victims’ devices and plant backdoors.

While historically focused on financial theft, Lazarus has shifted its operations toward espionage and covert access to critical infrastructure, Sonatype said.
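As an added defensive example (not from the article or from Sonatype), the check below flags dependency names that sit within a couple of edits of a trusted allow-list, which is the gap typosquatting and brand impersonation exploit; the allow-list and the sample package names are constructed for illustration.

```python
from typing import Dict, Iterable, Optional

# Constructed sample allow-list (not from the article): the legitimate packages
# an organisation actually depends on. A real deployment loads its own list.
KNOWN_GOOD = {
    "npm": {"express", "lodash", "axios", "react", "chalk"},
    "pypi": {"requests", "numpy", "pandas", "urllib3", "cryptography"},
}

# Typosquats often swap look-alike characters or separators; fold them
# together before comparing so "ax1os" and "axios" are treated as near-equal.
_FOLD = str.maketrans({"1": "l", "0": "o", "_": "-", ".": "-"})


def normalize(name: str) -> str:
    return name.strip().lower().translate(_FOLD)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) via the classic DP row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious(name: str, ecosystem: str, max_distance: int = 2) -> Optional[str]:
    """Return the trusted package `name` appears to imitate, or None.

    An exact (normalised) match with the allow-list is trusted; a name within
    `max_distance` edits of a trusted one, but not identical, is flagged.
    """
    trusted = {normalize(g): g for g in KNOWN_GOOD[ecosystem]}
    n = normalize(name)
    if n in trusted:
        return None
    best: Optional[tuple] = None
    for folded, original in trusted.items():
        d = levenshtein(n, folded)
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, original)
    return best[1] if best else None


def scan(names: Iterable[str], ecosystem: str) -> Dict[str, str]:
    # Map each flagged dependency to the trusted package it resembles.
    return {n: hit for n in names if (hit := suspicious(n, ecosystem))}
```

Run `scan` over the names in a lockfile before installation; anything it returns deserves a manual look at the package's publisher and history rather than an automatic install.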
Source: therecord.media. Publication date: Thu, 31 Jul 2025 14:45:12 +0000