A new report out today from software supply chain security firm Sonatype Inc. details how the infamous North Korea-backed hacking group Lazarus has intensified its cyber espionage operations by embedding sophisticated malware into open-source packages.

The report details that Sonatype detected and blocked 234 unique malicious packages tied to Lazarus between January and July this year, with more than 36,000 potential developer victims globally.

Lazarus needs little introduction to those who follow cybersecurity, since has been around for many years. Some of the group’s best-known attacks include the 2014 Sony breach and the 2017 WannaCry ransomware campaign.

Like many similar groups, Lazarus over the years has shifted tactics. Today, instead of simply attacking financial institutions directly, the group has become more sneaky by targeting developers and deployment environments. It plants malware in widely used open-source repositories such as npm and PyPI. The malicious packages from Lazarus are designed to mimic trusted libraries, often through typosquatting or combo-squatting, to trick developers into unknowingly installing backdoors into their systems.

In one example, Lazarus used a malicious vite-postcss-helper npm package that includes a multi-stage attack chain that starts with a dropper that contacts a command-and-control server to fetch an obfuscated loader. The loader deploys multiple stealthy payloads, including a clipboard stealer, a credential harvester dubbed “BeaverTail,” a broad file exfiltrator and a Windows-specific keylogger and screenshot tool. More than 90 packages were designed specifically for secrets exfiltration, indicating that the intent of the campaign is espionage and long-term infiltration rather than making money.

The Lazarus campaign leverages the trust many have with open-source packages used in modern development pipelines. Since package installations are often automated and poorly scrutinized, attackers can reach massive scale with minimal visibility, all while often remaining under the radar.

Because of the methodology — sneaking the malicious code into the open-source codebase — the malicious components can persist undetected for months inside build systems and developer machines, harvesting credentials, application programming interface tokens and source code access.

Sonatype warns that the trend reflects a broader evolution in cyberthreats: Nation-state actors are now embedding themselves directly into the software development lifecycle, rather than simply attacking potential targets directly.

The report makes a number of recommendations that SecOps and DevSecOps teams can implement to mitigate risks. They include adopting a layered defense strategy to secure the software supply chain and deploying a repository firewall to block suspicious or malicious packages before they reach build systems. Sonatype also urges security teams to monitor for unusual post-installation behavior, such as shell execution or remote script retrieval.

Image: SiliconANGLE/Reve