Full Report
In its latest operation, Lazarus took advantage of major gaps in the open-source software supply chain — like developers depending on unvetted packages and the lack of oversight for popular tools that are often maintained by just one or two people.
Analysis Summary
# Threat Actor: Lazarus Group
## Attribution & Identity
Attributed to North Korean state-backed hackers. Associated with some of the world's largest cryptocurrency heists.
## Activity Summary
Lazarus is conducting an ongoing campaign that plants malicious code in open-source package registries (npm and PyPI). Between January and July, 234 malicious packages were blocked, potentially impacting over 36,000 developers. This campaign represents an evolution from the group's historical focus on financial theft toward espionage and covert access to critical infrastructure. It exploits gaps in the open-source supply chain: developers depending on unvetted packages, and popular tools maintained by only one or two people with little oversight.
## Tactics, Techniques & Procedures
- Uploading malicious packages to open-source repositories (npm, PyPI).
- Utilizing **typosquatting** and **brand impersonation** to mimic legitimate developer tools/libraries.
- Deploying spying tools upon installation, including:
  - Clipboard stealer
  - Keylogger
  - Screenshot utility
  - Credential harvester
- Utilizing over 120 packages as droppers for broader malware delivery, indicating a strategy for long-term network infiltration and persistence.
- Over 90 packages were specifically built to steal secrets and credentials.
## Targeting
- Sectors: Developers, DevOps, and CI/CD-heavy environments. Open-Source Ecosystems.
- Geography: Global (Implied, targeting global repositories).
- Victims: Tens of thousands of developers who downloaded the malicious packages.
## Tools & Infrastructure
- Tooling observed (the source names tool types, not specific malware families): clipboard stealer, keylogger, screenshot utility, credential harvester.
- Infrastructure: 234 malicious packages were identified across npm and PyPI. Specific C2 servers or IP addresses are not detailed in the source; delivery relies on attacker-published packages that typosquat or impersonate legitimate ones rather than on any named hosting infrastructure.
## Implications
Lazarus Group is turning open-source ecosystems into a delivery mechanism for cyberespionage. By exploiting the trust developers place in public registries, the group moves beyond purely financial motivation toward establishing persistent access inside organizations that consume these dependencies, with geopolitical rather than only monetary gain as the objective.
## Mitigations
- Increased vigilance and oversight for unvetted or newly published packages before they enter development pipelines; pin versions with a lockfile so a build cannot silently resolve to a different package.
- Scrutinizing package names for typosquatting and brand impersonation (transposed letters, added or removed separators, lookalike scopes or author names) before adding a dependency.
- Treating install-time execution as the point of compromise: the payloads in this campaign deploy when the package is installed, so review lifecycle scripts in CI and disable them where possible, and monitor developer hosts for credential theft and long-term persistence (e.g., keylogger, screenshot and clipboard activity).
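As an added example that is not part of the report or any vendor's tooling, the script below applies the last two mitigations to an npm project: it flags dependency names within one edit (including a transposed pair of letters) of a well-known package, and it lists the lifecycle scripts that would execute on `npm install`, which is the moment this campaign's payloads deploy. The popular-package allowlist, the project manifest and the per-dependency manifests are constructed sample data (assumptions, marked in the code); `npm install --ignore-scripts` is the real npm flag that stops those hooks from running while you inspect them.

```python
"""Typosquat and install-hook audit for an npm dependency manifest.

Added example for this summary; it is not code from the report or from any
vendor. The popular-package allowlist and all manifests below are constructed
sample data, not real packages (assumption, see comments).
"""
import re

# Constructed allowlist of well-known npm names. Assumption: in practice this
# comes from your lockfile history or an internal registry mirror.
POPULAR_PACKAGES = {"lodash", "express", "axios", "chalk", "commander", "react"}

# Lifecycle scripts that npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed sample data: the project's package.json and the package.json of
# each dependency as read from node_modules/<name>/package.json after an
# `npm install --ignore-scripts`. Names and scripts are illustrative only.
PROJECT_MANIFEST = {
    "name": "sample-app",
    "dependencies": {
        "express": "^4.18.2",
        "lodahs": "^1.0.0",   # transposed letters of lodash
        "axois": "^0.1.0",    # transposed letters of axios
        "left-pad": "^1.3.0",
    },
}
DEPENDENCY_MANIFESTS = {
    "express": {"name": "express", "scripts": {"test": "mocha"}},
    "lodahs": {"name": "lodahs", "scripts": {"postinstall": "node ./setup.js"}},
    "axois": {"name": "axois", "scripts": {"preinstall": "node ./install.js"}},
    "left-pad": {"name": "left-pad", "scripts": {}},
}


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution and
    adjacent transposition each cost 1. Transpositions are counted because a
    swapped pair of letters is a common typosquat and plain Levenshtein would
    charge it as two edits."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def normalize(name: str) -> str:
    """Fold the variations typosquats rely on: case, separators and npm scope."""
    name = name.lower()
    if name.startswith("@") and "/" in name:
        name = name.split("/", 1)[1]  # "@scope/pkg" -> "pkg"
    return re.sub(r"[-_.]", "", name)


def typosquat_candidates(name: str, popular=POPULAR_PACKAGES, max_distance=1):
    """Popular names that `name` closely resembles without being one of them."""
    if name in popular:
        return []
    n = normalize(name)
    return sorted(p for p in popular if edit_distance(n, normalize(p)) <= max_distance)


def install_hooks(manifest) -> dict:
    """Lifecycle scripts in a package.json that execute on `npm install`."""
    if not manifest:
        return {}
    scripts = manifest.get("scripts", {})
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}


def audit(project: dict, lookup) -> list:
    """Flag each dependency that looks like a typosquat or runs install hooks.
    `lookup(name)` returns that dependency's own package.json as a dict."""
    findings = []
    deps = {**project.get("dependencies", {}), **project.get("devDependencies", {})}
    for dep in sorted(deps):
        for p in typosquat_candidates(dep):
            findings.append((dep, f"resembles popular package '{p}'"))
        for hook, cmd in install_hooks(lookup(dep)).items():
            findings.append((dep, f"runs '{hook}' on install: {cmd}"))
    return findings


if __name__ == "__main__":
    for dep, issue in audit(PROJECT_MANIFEST, DEPENDENCY_MANIFESTS.get):
        print(f"{dep}: {issue}")
```

Run against the constructed data it reports four findings: `axois` and `lodahs` are each one transposition away from a popular name and each carries an install-time hook, while `express` and `left-pad` pass both checks. A transposition-aware distance matters because plain Levenshtein would score `axois` against `axios` as two edits and miss it at the threshold of one; the trade-off is more false positives on very short names, so raise `max_distance` only with a longer minimum length.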