Sonatype Uncovers Global Espionage Campaign in Open Source Ecosystems

By Sonatype Security Research Team



Sonatype's automated malware detection systems uncovered a massive and ongoing infiltration of open source ecosystems by the North Korea-backed Lazarus Group, exposing a chilling truth: open source software is now a central battleground in geopolitical cyber conflict.

Between January and July 2025, Sonatype blocked 234 unique malware packages traced to Lazarus across npm and PyPI. These packages mimic popular developer tools but function as espionage implants, designed to steal secrets, profile hosts, and open persistent backdoors into critical infrastructure. The campaign reveals over 36,000 potential victims — and counting. Our new whitepaper provides a full technical deep-dive into the specific malware used, the group's evolving tactics, and actionable strategies to protect your organization.

Who Is the Lazarus Group?

Lazarus, also known as Hidden Cobra, is a North Korean state-sponsored threat actor associated with the Reconnaissance General Bureau. Their activities over the past decade include the 2014 Sony Pictures hack, the 2016 Bangladesh Bank heist, and the 2017 WannaCry ransomware attack. In 2025, they were linked to the $1.5 billion ByBit cryptocurrency theft.

Lazarus has increasingly pivoted from disruption to long-term infiltration, using tailored malware, modular payloads, and infrastructure evasion techniques to achieve persistent access to high-value targets — including the open source software ecosystem.

Targeting Developers Through Open Source

The Lazarus campaign observed in the first half of 2025 represents a strategic shift: embedding malicious code directly in open source package registries.

This method takes advantage of several systemic weaknesses:

  • Developers often install packages without verification or sandboxing.

  • CI/CD systems propagate malicious dependencies automatically.

  • Many popular open source projects are maintained by one or two individuals, making them easier to impersonate or compromise.

  • Developer environments contain sensitive credentials and tokens.

  • Malicious code, once embedded, can persist undetected for extended periods.

The open source ecosystem has become an effective delivery mechanism for espionage and credential theft.

Open Source Is the New Attack Surface — Defend It Accordingly

Sonatype customers were protected throughout the campaign. The Repository Firewall prevented malicious packages from entering development pipelines, while Lifecycle alerted teams about compromised components already present in applications.

The Lazarus campaign is a stark reminder that trust in open source is not immune to exploitation. By embedding malware into developer tools and using software pipelines as delivery channels, nation-state actors are shifting the battlefield into everyday development workflows.

What's at stake is more than code integrity — it's the foundation of digital trust. As attackers evolve, so must defenders. The open source community must harden its tooling, vet its packages, and treat software supply chain security as a first-class priority.

Download the full whitepaper here: How North Korea-Backed Lazarus Group Is Weaponizing Open Source to Target Developers

Update

In early August 2025, Sonatype security researchers identified nine additional malicious packages linked to the Lazarus Group, signaling continued activity in the npm ecosystem with a new loader implementation, previously unassociated with the APT.

These new packages demonstrate the same combosquatting tactic — impersonating trusted libraries and tools such as ESLint, Redux, and possibly Socket — to trick developers into installation. At least four of the packages are still live on npm at the time of writing: eslint-ts-view, redux-saga-inspector, redux-eslint-saga, and redux-saga-validator.

Once installed, these packages deploy a variant of the Lazarus Group's "BeaverTail" malware, a dropper and credential stealer. A malicious post-install script in the package.json file triggers the execution of 'lib/utils/index.js', which then spawns 'lib/utils/smtp-connection/index.js' as a child process, allowing persistent execution even after the main process exits. This child script decrypts and executes an AES-encrypted payload embedded in the LICENSE file via a third script ('parse.js'), unleashing the obfuscated malware. This intricate, multi-stage loading method is a variation of Lazarus's earlier "parseLib" loaders and reflects their continued investment in stealth and persistence.
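The loader chain above (post-install hook, detached child process, payload hidden in LICENSE and decrypted at runtime) is exactly the kind of structure a defender can look for before a package ever reaches a developer machine or CI runner, which also addresses the "install without verification" and "CI/CD propagates automatically" weaknesses listed earlier. The following scanner is an added example written for this page; it is not Sonatype's code or a reproduction of the malware. It reads an unpacked npm package, lists the lifecycle hooks that run on install, flags JavaScript files carrying several independent indicators, and reports whether a hook points at a flagged file. The fixture it scans is a constructed, inert stand-in that only mirrors the file layout named in the post; the package name is hypothetical and the location of parse.js is an assumption, since the post does not state it.

```python
import json
import re
import tempfile
from pathlib import Path

# npm lifecycle hooks that execute automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Textual indicators of the multi-stage loader described in the post. Any one of
# these is benign on its own; several on a package's install path deserve review.
INDICATORS = {
    "detached_child_process": re.compile(
        r"child_process[\s\S]{0,200}?detached\s*:\s*true|\.unref\(\)"),
    "aes_decrypt": re.compile(r"createDecipheriv|aes-\d{3}-(?:cbc|gcm|ctr|ecb)", re.I),
    "reads_license_file": re.compile(r"readFile(?:Sync)?\s*\([^)]*LICENSE", re.I),
    "dynamic_eval": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
}


def scan_package(pkg_dir: Path) -> dict:
    """Inspect an unpacked npm package and report install-time risk signals."""
    manifest = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
    scripts = manifest.get("scripts", {})
    lifecycle = {hook: scripts[hook] for hook in LIFECYCLE_HOOKS if hook in scripts}

    suspicious = {}
    for js in sorted(pkg_dir.rglob("*.js")):
        text = js.read_text(encoding="utf-8", errors="replace")
        hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
        if hits:
            suspicious[js.relative_to(pkg_dir).as_posix()] = hits

    # The dangerous link: an install hook that invokes a file carrying indicators.
    chained = any(path in cmd for cmd in lifecycle.values() for path in suspicious)
    return {"lifecycle_scripts": lifecycle,
            "suspicious_files": suspicious,
            "install_chain": chained}


def build_sample_package(root: Path) -> Path:
    """Write a CONSTRUCTED, inert fixture mirroring the layout described in the post.

    The files hold only API names and comments; there is no working payload.
    The package name is hypothetical and parse.js's directory is assumed.
    """
    pkg = root / "redux-saga-inspector-fixture"
    (pkg / "lib/utils/smtp-connection").mkdir(parents=True)
    (pkg / "package.json").write_text(json.dumps({
        "name": "redux-saga-inspector-fixture",
        "version": "0.0.0",
        "scripts": {"postinstall": "node lib/utils/index.js"},
    }), encoding="utf-8")
    (pkg / "lib/utils/index.js").write_text(
        '// stage 1: hands off to a detached child so it outlives the installer\n'
        'const { spawn } = require("child_process");\n'
        '// spawn(process.execPath, ["lib/utils/smtp-connection/index.js"],'
        ' { detached: true }).unref();\n', encoding="utf-8")
    (pkg / "lib/utils/smtp-connection/index.js").write_text(
        '// stage 2: loads the helper that unpacks the payload\n'
        'require("./parse.js");\n', encoding="utf-8")
    (pkg / "lib/utils/smtp-connection/parse.js").write_text(
        '// stage 3: payload in LICENSE, decrypted with crypto.createDecipheriv, then eval()ed\n'
        'const blob = require("fs").readFileSync("LICENSE");\n', encoding="utf-8")
    (pkg / "LICENSE").write_text(
        "MIT License (fixture; in the real package this file carried the encrypted payload)\n",
        encoding="utf-8")
    return pkg


def demo() -> dict:
    """Build the fixture in a temporary directory, scan it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_package(build_sample_package(Path(tmp)))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Point scan_package at the directory produced by `npm pack <name>` plus `tar -xzf` to review a package before it is installed. The complementary control for the bullet list above is to stop hooks from running at all: `ignore-scripts=true` in `.npmrc` (or `npm ci --ignore-scripts` in CI) means a malicious postinstall is never executed automatically, and the scanner's "lifecycle_scripts" output tells you which packages genuinely need a build step to be run deliberately.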

The discovery underscores the threat's technical sophistication and the strategic value attackers place on targeting open source developer ecosystems.


Written by Sonatype Security Research Team

Sonatype's Security Research Team is focused on bringing real-time, in-depth intelligence and actionable information about open source and third party vulnerabilities to Sonatype customers.
