How North Korea-Backed Lazarus Group Is Weaponizing Open Source to Target Developers

2025-07-31 • Sonatype •

https://www.sonatype.com/resources/whitepapers/how-lazarus-group-is-weaponizing-open-source

#NPM #PyPI #Lazarus

Attachments

How-North-Korea-Backed-Lazarus-Group-is-Weaponizing-Open-Source-Whitepaper.pdf (8 MB)

Thumbnail for How North Korea-Backed Lazarus Group Is Weaponizing Open Source to Target Developers

Sonatype reports that the North Korea-backed Lazarus Group is abusing open source package ecosystems as part of a strategic software supply-chain campaign. In the first half of 2025, Sonatype’s automated detection identified 234 unique malware packages in open source registries attributed to Lazarus and aimed at software engineers, CI/CD pipelines, and developer environments. The campaign uses npm and PyPI package trust to impersonate legitimate components and deliver multi-stage malware capable of clipboard stealing, credential harvesting, file theft, Windows keylogging, secret exfiltration, and longer-term access. The report highlights a shift toward compromising developer workflows and SDLC infrastructure rather than simply targeting end users or mining cryptocurrency.

Related Actors

Lazarus

Novetta

First seen: Feb 2016

Last seen: Jun 2026

Related Reports

2026-06-08 • 60% Match

Active Malware Campaigns in January-May 2026

OSM

#Trend #NPM #PyPI #ContagiousInterview #Lazarus #PolinRider #TasksJacker

Shares tags: NPM, PyPI, Lazarus

2026-06-03 • 56% Match

Lazarus Group's Latest: Brandjacking Campaign on npm

Sonatype

#SupplyChain #NPM #Lazarus #T1059.007 #T1027 #T1195 #T1105

Shares tags: NPM, Lazarus • Same author: Sonatype

2025-08-25 • 53% Match

GolangGhost - Comprehensive Threat Intelligence Report

Bloo

#Lazarus #GolangGhost #T1059.003 #T1140 #T1005 #T1070.004 #T1041 #T1113 #T1071.001 #T1115 #T1083 #T1056.001 #T1204.002 #T1566.002 #T1555.003 #T1057 #T1059.005 #T1518.001 #T1566.001 #T1547.001 #T1059.001 #T1497.001 #T1219 #T1574.002 #T1562.001 #T1622 #T1027.002 #T1573.001 #T1190 #T1123 #T1132.002 #T1564.001 #T1548.002 #T1055.012 #T1027.007 #T1217 #T1106 #T1027.009 #T1036.003 #T1055.002 #T1036.007 #T1059.010 #T1136.001 #T1134.004 #T1614.001 #T1574.007 #T1098.007 #T1010 #T1071.004 #T1021.002 #T1021.006

Shares tag: Lazarus • Published within a month

2025-08-22 • 53% Match

2025년 7월 APT 그룹 동향 보고서

Ahnlab

#Kimsuky #HappyDoor #Lazarus #ClickFix

Shares tag: Lazarus • Published within a month

2025-08-13 • 53% Match

DRATzarus - Comprehensive Threat Intelligence Report

Bloo

#DRATzarus #Lazarus #T1059.003 #T1140 #T1005 #T1041 #T1113 #T1071.001 #T1083 #T1204.002 #T1566.002 #T1555.003 #T1057 #T1547.001 #T1105 #T1027.002 #T1548.002 #T1036.003 #T1010 #T1021.002 #T1569.002 #T1543.003

Shares tag: Lazarus • Published within a month

2025-08-13 • 53% Match

APT PROFILE – LAZARUS GROUP

Cyfirma

#Lazarus #T1102.002 #T1082 #T1059.003 #T1567.002 #T1140 #T1584.004 #T1005 #T1070.004 #T1587.001 #T1041 #T1560 #T1608.001 #T1071.001 #T1046 #T1083 #T1056.001 #T1204.001 #T1036 #T1027 #T1204.002 #T1566.002 #T1566.003 #T1124 #T1057 #T1059.005 #T1583.006 #T1566.001 #T1547.001 #T1585.002 #T1053.005 #T1583.001 #T1059.001 #T1036.005 #T1132.001 #T1001.003 #T1585.001 #T1497.001 #T1105 #T1553.002 #T1620 #T1574.002 #T1562.001 #T1027.002 #T1489 #T1078 #T1008 #T1571 #T1491.001 #T1218 #T1220 #T1203 #T1189 #T1049 #T1564.001 #T1098 #T1016 #T1074.001 #T1588.002 #T1562.004 #T1591 #T1218.011 #T1583.004 #T1036.004 #T1588.003 #T1218.010 #T1593.001 #T1218.005 #T1589.002 #T1584.001 #T1070.006 #T1048.003 #T1134.002 #T1027.007 #T1021.001 #T1106 #T1090.001 #T1573 #T1070 #T1047 #T1574.013 #T1561.001 #T1036.003 #T1529 #T1055.001 #T1614.001 #T1010 #T1021.002 #T1033 #T1543.003 #T1485 #T1090.002 #T1542.003 #T1560.002 #T1012 #T1110 #T1547.009 #T1110.003 #T1534 #T1588.004 #T1104 #T1591.004 #T1561.002 #T1608.002 #T1202 #T1221 #T1557.001 #T1087.002 #T1560.003 #T1070.003 #T1021.004

Shares tag: Lazarus • Published within a month

« Back