How North Korea-Backed Lazarus Group Is Weaponizing Open Source to Target Developers
Nation-state cyber actors are now infiltrating the software supply chain — not by bypassing it, but by becoming part of it.
Sonatype’s latest whitepaper delivers an in-depth analysis of a rapidly escalating campaign by the North Korea-backed Lazarus Group. In just the first half of 2025, Sonatype's automated threat detection uncovered 234 unique malware packages embedded in open source registries — all attributed to Lazarus and targeting software engineers, CI/CD pipelines, and developer environments.
This campaign is not opportunistic. It is strategic.
The Lazarus Group is actively abusing developer trust and exploiting package ecosystems like npm and PyPI to distribute multi-stage malware that steals credentials, exfiltrates sensitive data, and enables long-term access to critical infrastructure.
Download this report to learn:
- The exact tactics, techniques, and procedures (TTPs) used by Lazarus to impersonate trusted packages
- How a single npm package can deploy clipboard stealers, …