An investigation from Sonatype has exposed a cyber-espionage campaign by North Korea’s infamous Lazarus Group, this time targeting the tools developers rely on every day.
Between January and July 2025, Sonatype blocked 234 unique malware-laden packages across the npm and PyPI ecosystems; a calculated assault on the trust that underpins open-source software.
Disguised as popular developer utilities, these poisoned packages carried espionage implants designed to exfiltrate credentials, profile systems, and establish long-term backdoors. At last count, the campaign may have reached over 36,000 victims, and it’s still ongoing.
“Open source has become the new attack surface,” Sonatype warns. “It’s not just about code anymore. It’s about control.”
Nation-State Espionage in Your Dev Tools
The Lazarus Group, a long-standing arm of North Korea’s Reconnaissance General Bureau, has spent more than a decade honing its capabilities, from the Sony Pictures hack in 2014 to the WannaCry outbreak in 2017.
In 2025 alone, the group was linked to the $1.5 billion ByBit crypto theft. But recent activity suggests a strategic shift: from high-profile disruption to quiet, persistent infiltration.
And this time, they’re hiding in plain sight.
By injecting malware directly into open-source package registries, Lazarus is exploiting some hard truths about modern software development:
- Most developers install packages without verification.
- CI/CD pipelines often propagate dependencies unchecked.
- Popular libraries may be maintained by just one or two volunteers.
- Developer environments contain API keys, tokens, and other secrets.
- Malicious code can sit dormant, until it doesn’t.
It’s not just that developers are being targeted; their everyday workflows are being weaponized.
234 Packages, One Global Supply Chain
According to Sonatype’s telemetry, the compromised packages aped legitimate tools, sometimes by cloning known libraries with near-identical names, sometimes by impersonating trusted maintainers. The malware they delivered was precise, modular, and designed for stealth.
Once installed, the implants quietly collected information and opened covert channels back to C2. The goal wasn’t a quick hit, but long-term access, the kind that allows adversaries to watch, learn, and wait for the right moment.
This isn’t the first time bad actors have targeted package registries, but the scale and sophistication of the Lazarus campaign ups the ante. It is a deliberate push into the heart of global software supply chains, where the line between trust and compromise is already wobbly.
Sonatype Issues a Warning
Sonatype warns that this is not a one-time event but part of a trend: a persistent threat that is not going away.
Sonatype’s full whitepaper, “How North Korea-Backed Lazarus Group Is Weaponizing Open Source”, provides a technical breakdown of the malware variants, the evolving tactics used by Lazarus, and guidance on how entities can defend themselves.
Exploiting Trust
Mike McGuire, senior software solutions manager at Black Duck, says: “Threat actors continue to exploit the inherent trust that is placed in the open-source community. While the overwhelming majority of open source projects are legitimate, it only takes one malicious package to poison the well.”
According to him, the appropriate response to news like this is for security teams to prioritise application security without compromise. “This includes conducting a thorough analysis of the open-source dependencies used in their applications, ensuring none of them are identified to be known malicious components, whether they’re part of this Lazarus Group campaign, or any other attacker’s efforts. However, the most effective approach in preventing exposure to these types of attacks is to proactively evaluate dependencies for risk before using them.”
Enable Policy Enforcement
McGuire says teams should stand up private, internal repositories of vetted open-source packages, which can block malicious or suspicious packages before they reach development environments.
“They should also enable policy enforcement that can help avoid installing packages with unclear authorship or a low number of downloads. These policies can also help teams automatically prioritise well-maintained components with verified histories and trigger review workflows for suspicious components. Finally, teams should generate and review SBOMs regularly. This helps detect unauthorised or compromised dependencies and ensures visibility across all direct and transitive components in the software supply chain.”
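The policy checks McGuire describes (unclear authorship, low download counts, review workflows for suspicious components, regular SBOM review) and the near-identical package names mentioned earlier can be expressed as a small evaluator. The script below is an added example, not code from Sonatype, Black Duck or the article; the CycloneDX-style SBOM fragment, the registry metadata (standing in for a registry API lookup), the package names other than lodash, the thresholds and the allowlist are all constructed for illustration. The install-script check is an extra rule the example adds, not one the article names.

```python
"""Policy check of SBOM components against constructed registry metadata.

Added example. SBOM contents, registry values and thresholds are invented;
the lookup dictionary stands in for a real registry API.
"""
import json
from datetime import date

# Constructed CycloneDX-style SBOM fragment; names other than lodash are made up.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "lodash", "version": "4.17.21"},
    {"type": "library", "name": "lodahs", "version": "1.0.0"},
    {"type": "library", "name": "internal-logger", "version": "2.3.1"},
    {"type": "library", "name": "tiny-utils-kit", "version": "0.0.3"}
  ]
}"""

# Constructed registry metadata (not real statistics), keyed by package name.
REGISTRY = {
    "lodash": {"weekly_downloads": 40_000_000, "maintainers": ["maintainer-a"],
               "published": "2021-02-20", "install_scripts": False},
    "lodahs": {"weekly_downloads": 12, "maintainers": ["new-account-9981"],
               "published": "2025-07-15", "install_scripts": True},
    "internal-logger": {"weekly_downloads": 2_000, "maintainers": ["platform-team"],
                        "published": "2024-01-10", "install_scripts": False},
    "tiny-utils-kit": {"weekly_downloads": 800, "maintainers": [],
                       "published": "2025-07-02", "install_scripts": False},
}

POPULAR = ["lodash", "express", "react", "axios", "requests"]  # names worth protecting
ALLOWLIST = {"internal-logger"}   # already vetted into the private repository
TODAY = date(2025, 7, 31)         # pinned so the age check is deterministic

POLICY = {"min_weekly_downloads": 500, "min_age_days": 30, "typosquat_distance": 2}
HIGH = {"typosquat", "install_scripts", "unknown_package"}  # findings that block outright


def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute) for name-similarity checks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def evaluate(name, meta):
    """Return the list of policy findings for one component (empty list = clean)."""
    if name in ALLOWLIST:
        return []                      # vetted package from the internal repo
    if meta is None:
        return ["unknown_package"]     # nothing known about it: do not install
    findings = []
    if name not in POPULAR and any(
        levenshtein(name, p) <= POLICY["typosquat_distance"] for p in POPULAR
    ):
        findings.append("typosquat")   # near-identical name to a well-known package
    if meta["weekly_downloads"] < POLICY["min_weekly_downloads"]:
        findings.append("low_downloads")
    if not meta["maintainers"]:
        findings.append("no_maintainer")   # unclear authorship
    age_days = (TODAY - date.fromisoformat(meta["published"])).days
    if age_days < POLICY["min_age_days"]:
        findings.append("too_new")         # no history to verify yet
    if meta["install_scripts"]:
        findings.append("install_scripts")  # extra rule added by this example
    return findings


def decide(findings):
    """Map findings to an action: block, route to review, or allow."""
    if any(f in HIGH for f in findings):
        return "block"
    return "review" if findings else "allow"


def review_sbom(sbom_json):
    """Evaluate every component in the SBOM and return {name: verdict}."""
    report = {}
    for comp in json.loads(sbom_json)["components"]:
        name = comp["name"]
        findings = evaluate(name, REGISTRY.get(name))
        report[name] = {"version": comp["version"],
                        "findings": findings,
                        "decision": decide(findings)}
    return report


if __name__ == "__main__":
    for name, r in review_sbom(SBOM_JSON).items():
        print(f"{r['decision']:6} {name}@{r['version']}  {', '.join(r['findings']) or '-'}")
```

Run as-is it prints one line per component: lodash is allowed, internal-logger passes through on the allowlist, tiny-utils-kit is sent to review (no maintainer, published 29 days ago), and lodahs is blocked because its name is two edits from lodash and it has almost no downloads, a fresh publish date and an install script. In practice the REGISTRY dictionary would be replaced by a registry lookup and the SBOM would be the one generated from the actual build.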
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.