How North Korea-Backed Lazarus Group Is Weaponizing Open Source to Target Developers

Nation-state cyber actors are now infiltrating the software supply chain — not by bypassing it, but by becoming part of it.

Sonatype’s latest whitepaper delivers an in-depth analysis of a rapidly escalating campaign by the North Korea-backed Lazarus Group. In just the first half of 2025, Sonatype's automated threat detection uncovered 234 unique malware packages embedded in open source registries — all attributed to Lazarus and targeting software engineers, CI/CD pipelines, and developer environments.

This campaign is not opportunistic. It is strategic.

The Lazarus Group is actively abusing developer trust and exploiting package ecosystems like npm and PyPI to distribute multi-stage malware that steals credentials, exfiltrates sensitive data, and enables long-term access to critical infrastructure.

Download this report to learn:

  • The exact tactics, techniques, and procedures (TTPs) used by Lazarus to impersonate trusted packages
  • How a single npm package can deploy clipboard stealers, credential harvesters, file stealers, and Windows keyloggers — all in parallel
  • Why Lazarus is exfiltrating secrets rather than mining crypto — and what that says about their evolving goals
  • The broader strategic shift that makes developers a primary target in nation-state campaigns
  • Four key recommendations to protect your SDLC and development teams from future supply chain attacks