Over 200 Malicious Open Source Packages Traced to Lazarus Campaign

by CybrGPT

North Korean threat actors have distributed over 200 malicious open source packages, in an audacious new cyber-espionage campaign, according to Sonatype.

The security vendor blocked 234 unique npm and PyPI malware packages in the first half of 2025 alone, claiming they may have compromised as many as 36,000 victims.

Sonatype attributed the campaign to the notorious Lazarus Group, claiming it represents a “strategic shift” for the state-backed actors.

Sonatype suggested the group targeted open source ecosystems for three reasons: developers often install packages without verifying them or sandboxing the install, CI/CD systems propagate a malicious dependency automatically to every build that consumes it, and malicious code embedded in a package can persist unnoticed for long periods.


Many of the packages detected were designed to impersonate or resemble legitimate development libraries, according to Sonatype. Once installed, they typically executed a multi-stage attack “designed to maintain stealth, achieve persistence, and exfiltrate sensitive data.”
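The two weaknesses the report singles out, packages installed without verification and packages that impersonate legitimate libraries, can both be checked before an install is allowed to run. The script below is an added example written for this article, not Sonatype's tooling or code from the campaign: it audits a set of npm-style package manifests for install-time lifecycle hooks (the usual entry point for a dropper) and for names within a small edit distance of an allowlisted package (typosquats). The allowlist, the manifests and the package names in it are constructed sample data, not real packages.

```python
"""Pre-install audit for npm-style package manifests.

Added example, not code from the article or the campaign. It flags:
  1. lifecycle hooks (preinstall/install/postinstall) that execute
     arbitrary code during `npm install`, i.e. the dropper entry point;
  2. package names within a small edit distance of an allowlisted,
     well-known package, i.e. likely typosquats.
"""
import json
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Iterable, List

# Hooks npm runs for a registry dependency at install time.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

# Assumed allowlist of packages the team knowingly depends on (constructed).
KNOWN_GOOD = {"lodash", "express", "axios", "chalk"}


@dataclass(frozen=True)
class Finding:
    package: str
    kind: str      # "lifecycle-hook" or "typosquat"
    detail: str


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two names; 1-2 edits from a popular name is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def audit_manifests(manifests: Dict[str, dict],
                    known_good: Iterable[str] = KNOWN_GOOD,
                    max_distance: int = 2) -> List[Finding]:
    """Return findings for every manifest with an install hook or a typosquat-like name."""
    known_good = set(known_good)
    findings: List[Finding] = []
    for name, manifest in manifests.items():
        scripts = manifest.get("scripts", {}) or {}
        for hook in LIFECYCLE_HOOKS:
            if hook in scripts:
                findings.append(Finding(name, "lifecycle-hook", f"{hook}: {scripts[hook]}"))
        if name in known_good:
            continue  # an allowlisted name is not a typosquat of itself
        for good in sorted(known_good):
            d = levenshtein(name, good)
            if 0 < d <= max_distance:
                findings.append(Finding(name, "typosquat", f"{d} edit(s) from '{good}'"))
    return findings


def load_from_node_modules(root: str) -> Dict[str, dict]:
    """Read every package.json under node_modules (plain and @scoped packages).
    Run this against a throwaway install done with scripts disabled, never on
    a developer machine after a normal install."""
    manifests = {}
    base = Path(root)
    for pkg_json in list(base.glob("*/package.json")) + list(base.glob("@*/*/package.json")):
        data = json.loads(pkg_json.read_text(encoding="utf-8"))
        manifests[data.get("name", pkg_json.parent.name)] = data
    return manifests


# Constructed sample manifests: one legitimate package, one look-alike with a
# postinstall hook, and one internal package that should pass clean.
SAMPLE_MANIFESTS = {
    "lodash": {"name": "lodash", "version": "4.17.21", "scripts": {"test": "mocha"}},
    "lodahs": {"name": "lodahs", "version": "1.0.0",
               "scripts": {"postinstall": "node setup.js"}},
    "my-internal-lib": {"name": "my-internal-lib", "version": "2.3.0", "scripts": {}},
}


if __name__ == "__main__":
    for f in audit_manifests(SAMPLE_MANIFESTS):
        print(f"{f.kind:15} {f.package:20} {f.detail}")
```

Against the sample data the script reports `lodahs` twice, once for its `postinstall` hook and once as two edits from `lodash`, and stays silent on the other two. A check like this belongs in CI before the real install; the blunt control that makes the hook finding moot is `ignore-scripts=true` in `.npmrc` (or `npm ci --ignore-scripts`), which stops lifecycle hooks from running at all and should be the default for build agents that hold deployment secrets.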

Of the 234 malicious packages detected, 120 were droppers designed to deliver additional malware, while 90 were built for secrets exfiltration.

“This demonstrates that Lazarus is not singularly pursuing opportunistic monetization like resource hijacking for mining,” the report noted.

“Instead, they are leveraging open source to silently harvest sensitive data and pave the way for long-term access to lucrative financial information and espionage operations. The stolen credentials are not the end goal. They are the key to unlocking the kingdom – gaining access to source code repositories, cloud infrastructure, and internal networks.”

Lazarus Targets Developers

Sonatype claimed the packages were aimed at developers working in “DevOps-heavy organizations” or teams with automated CI/CD pipelines.

Targets included:

  • Build pipelines, where secrets and tokens could be obtained
  • Developer machines, which could enable theft of credentials and keys, or lateral movement opportunities
  • Cloud-based deployments, where stolen credentials could be used to access wider infrastructure

“The potential impact of a single compromised developer machine or build agent is severe,” warned Sonatype.

“It can lead to intellectual property theft, injection of backdoors into production software, lateral movement across the corporate network, and significant reputational damage.”

Sonatype attributed the operation to Lazarus on the basis of command-and-control (C2) infrastructure, payload behavior and campaign timing that matched previous campaigns associated with the group.


© 2025 cybrgpt.com – All rights reserved.