How North Korea-Backed Lazarus Group Is Weaponizing Open Source to Target Developers
Nation-state cyber actors are now infiltrating the software supply chain — not by bypassing it, but by becoming part of it.

Sonatype’s latest whitepaper delivers an in-depth analysis of a rapidly escalating campaign by the North Korea-backed Lazarus Group. In just the first half of 2025, Sonatype's automated threat detection uncovered 234 unique malware packages embedded in open source registries — all attributed to Lazarus and targeting software engineers, CI/CD pipelines, and developer environments.
This campaign is not opportunistic. It is strategic.
The Lazarus Group is actively abusing developer trust and exploiting package ecosystems like npm and PyPI to distribute multi-stage malware that steals credentials, exfiltrates sensitive data, and enables long-term access to critical infrastructure.
Download this report to learn:
- The exact tactics, techniques, and procedures (TTPs) used by Lazarus to impersonate trusted packages
- How a single npm package can deploy clipboard stealers, credential harvesters, file stealers, and Windows keyloggers — all in parallel
- Why Lazarus is exfiltrating secrets rather than mining crypto — and what that says about their evolving goals
- The broader strategic shift that makes developers a primary target in nation-state campaigns
- Four key recommendations to protect your SDLC and development teams from future supply chain attacks