In a recent exposé, Sonatype reveals a covert cyberespionage campaign orchestrated by the North Korea-linked Lazarus Group, targeting developers through poisoned open source packages. This campaign, unfolding throughout 2025, is a sophisticated operation aimed at silently exfiltrating secrets from CI/CD pipelines and developer environments.
“Since January 2025 alone, Sonatype’s automated malware detection systems uncovered and blocked 234 unique open source malware packages that can be attributed to the North Korea-backed Lazarus Group,” the report states.
Sonatype’s report underscores a reality: open source is no longer just an enabler of innovation—it’s now a weaponized vector for state-sponsored espionage.
“This campaign continues a disturbing trend: adversaries are increasingly embedding themselves within the software development life cycle (SDLC), leveraging developer trust, open source norms, and registry openness to deliver malicious payloads at scale.”
The Lazarus Group, already infamous for the Sony hack, Bangladesh Bank heist, and WannaCry ransomware, has now pivoted its focus toward weaponizing the trust developers place in tools from npm and PyPI.
Sonatype’s findings highlight tactics such as combo-squatting, brand-jacking, and typosquatting—techniques that disguise malicious packages to look like legitimate dependencies:
- npm:winston-compose – spoofing the popular Winston logging library.
- npm:nodemailer-helper – mimicking Nodemailer, an SMTP library.
- pypi:pycryptoconf – impersonating the trusted pycrypto package.
“These mimicry tactics exploit typos, visual confusion, or ‘lookalike’ names… which remain highly effective against unsuspecting developers and automated build pipelines.”
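As an added defender-side illustration (not Sonatype's tooling), the following Python flags dependency names that resemble the combo-squatting and typosquatting patterns described above; the allowlist, affix list and sample dependency list are constructed for this example.

```python
"""Flag dependency names that look like combo-squats or typosquats of
well-known packages. Added illustration, not Sonatype's detection logic;
the allowlist and the sample dependency list below are constructed."""
import re
from typing import Iterable, Optional, Tuple

# Constructed allowlist: a few widely used npm/PyPI names an org depends on.
KNOWN = {
    "npm": {"winston", "nodemailer", "vite", "postcss", "express"},
    "pypi": {"pycrypto", "requests", "cryptography"},
}

# Tokens commonly glued onto a trusted name to form a combo-squat (heuristic list).
COMBO_AFFIXES = ("helper", "compose", "conf", "config", "utils", "plugin", "tools")


def edit_distance(a: str, b: str) -> int:
    """Classic Levenshtein distance, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(ecosystem: str, name: str) -> Optional[str]:
    """Return 'known', 'combo-squat', 'typosquat', or None (no resemblance)."""
    known = KNOWN[ecosystem]
    if name in known:
        return "known"
    tokens = [t for t in re.split(r"[-_.]", name) if t]
    for k in known:
        # Combo-squat: trusted name plus an extra token, with or without a separator
        # (winston-compose, nodemailer-helper, pycryptoconf).
        if k in tokens and any(t in COMBO_AFFIXES for t in tokens if t != k):
            return "combo-squat"
        if name.startswith(k) and name[len(k):] in COMBO_AFFIXES:
            return "combo-squat"
    for k in known:
        # Typosquat: within two edits of a trusted name (expres -> express).
        if 0 < edit_distance(name, k) <= 2:
            return "typosquat"
    return None


def audit(deps: Iterable[Tuple[str, str]]) -> dict:
    """Return {name: verdict} for every dependency that is not known and not clean."""
    return {n: v for eco, n in deps for v in [classify(eco, n)] if v not in (None, "known")}


SAMPLE_DEPS = [  # constructed: real names mixed with the lookalikes Sonatype reported
    ("npm", "winston"), ("npm", "winston-compose"), ("npm", "nodemailer-helper"),
    ("npm", "vite-postcss-helper"), ("npm", "expres"), ("pypi", "pycryptoconf"),
    ("pypi", "requests"),
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_DEPS).items():
        print(f"{verdict:12s} {name}")
```

Run against a real lockfile, the same logic turns the report's naming patterns into a pre-install gate rather than a post-incident observation.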
The malware isn’t simple. It operates in three calculated stages:
- Initial Dropper – A seemingly benign package fetches the next stage from a command-and-control (C2) server.
- Obfuscated Loader – A heavily encoded script executes system checks to detect sandbox environments.
- Payload Execution – A suite of modular malware is unleashed, including:
  - Clipboard stealer and remote shell
  - BeaverTail credential stealer (targeting browsers and crypto wallets)
  - File stealer (searching for secrets, mnemonics, API tokens)
  - Windows keylogger and screenshot tool
“The Lazarus Group doesn’t deploy a single, monolithic malicious file; instead, the loader spawns multiple, independent payloads as separate Node.js processes,” Sonatype explains.
Unlike opportunistic malware designed to mine cryptocurrency, Lazarus is laser-focused on secrets exfiltration.
“There were zero indications of cryptomining-related behavior… they are leveraging open source to silently harvest sensitive data and pave the way for long-term access to lucrative financial information and espionage operations.”
These secrets—environment variables, API tokens, SSH keys—serve as golden keys to access internal source code, cloud platforms, and enterprise networks.
One illustrative example is vite-postcss-helper, an npm package that:
- Contacts a C2 server on install
- Deploys a loader that checks for virtual machines
- Spawns multiple payloads for exfiltration and surveillance
“A clipboard stealer… a credential harvester named BeaverTail… a file hunter… and a keylogger with screenshot functionality,” the report warns.
Sonatype estimates over 36,000 potential victims. The campaign targets:
- Build pipelines (CI/CD)
- Developer machines
- Cloud infrastructure via stolen credentials
The report notes that “these packages share C2 infrastructure, payload behavior, and campaign timing with previous Lazarus operations,” aligning with findings from CISA, Microsoft, and Kaspersky.
Sonatype emphasizes a multi-layered defense:
- Repository Firewall – Block malware before it reaches the build system.
- Dependency Audits – Scan regularly with SBOMs (Software Bill of Materials).
- Governance – Avoid packages with unclear provenance.
- Centralized Repos – Only allow vetted packages internally.
“Lazarus is not mining cryptocurrency. They’re mining trust,” Sonatype concludes.