Lazarus Group’s Covert Supply Chain Attack: North Korean APT Poisons Open Source to Steal Developer Secrets
In the first half of 2025, Sonatype uncovered a large-scale, ongoing assault on the open-source software ecosystem, orchestrated by the North Korean threat actor known as Lazarus. Sonatype’s automated malware detection systems were the first to identify this campaign, which involved adversaries disguising malicious libraries as popular developer tools. These components were not designed for overt sabotage, but rather for stealthy cyber-espionage—harvesting confidential data, mapping infrastructure, and establishing covert access channels within compromised environments.
The attack simultaneously targeted two of the largest open-source package repositories—npm and PyPI. From January through July, Sonatype specialists successfully blocked 234 unique malicious modules, all linked to Lazarus. Though these libraries appeared innocuous—masquerading as utilities or dependencies for widely used frameworks—they concealed features for persistent surveillance and covert exfiltration of sensitive information. The campaign may have impacted at least 36,000 users, a number likely to grow due to the inherent nature of malware propagation within CI/CD pipelines.
Lazarus—also known as Hidden Cobra—operates under the command of North Korea’s General Reconnaissance Bureau. Over the past decade, the group has been behind a string of high-profile cyberattacks: the 2014 Sony Pictures hack, the $81 million theft from Bangladesh’s Central Bank in 2016, and the 2017 WannaCry ransomware outbreak. In 2025, the $1.5 billion cryptocurrency heist from the ByBit platform was also attributed to Lazarus. These recent operations reflect a strategic shift—from overtly destructive campaigns to covert, long-term infiltration of high-value systems, especially those built on open-source foundations.
Open source has proven to be the ideal entry point. Developers across the globe routinely install packages without rigorous scrutiny, and most CI/CD environments automatically integrate dependencies. Few, if any, manually inspect the source code of every imported library. Many popular projects are maintained by just one or two enthusiasts—easily impersonated or compromised. These development environments often store sensitive tokens and access keys, making them fertile ground for undetected malware that can persist for years.
This very combination—trust in open source, automation of development pipelines, and a lack of rigorous inspection—has turned the ecosystem into a potent vehicle for delivering surveillance tools. Lazarus exploits this systemic trust, injecting malicious code at every phase of the development cycle. A single compromised package in a repository can rapidly spread across dozens of projects, embedding itself in software powering vital services, from cloud platforms and IoT deployments to internal enterprise systems.
Fortunately, Sonatype clients were shielded by the Repository Firewall, which intercepted malicious dependencies before they entered the build pipeline. Meanwhile, the Lifecycle platform alerted development teams to vulnerable components already in use. This form of automated defense has proven highly effective—but the incident underscored just how fragile the foundation of digital trust remains when developers treat the open-source landscape as inherently secure.
This is no longer merely a matter of code integrity. At stake is the security of the entire software supply chain—and the critical systems that depend upon it. Lazarus has demonstrated that the new battleground lies not in data centers, but in development environments. The software community must now rethink its approach: enforcing stricter package verification, mandating dependency audits, isolating suspicious libraries, and embracing security as a core pillar of the software lifecycle.
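As an added illustration of the package-verification and dependency-audit steps above (example code written for this article, not part of Sonatype's products or the original text), the script below scans a package-lock.json for names that closely resemble packages a team actually depends on, entries without an integrity hash, and tarballs resolved from somewhere other than the expected registry. The allowlist, the registry URL constant and the lockfile fragment are constructed assumptions.

```python
"""Dependency audit for an npm lockfile: lookalike names, missing integrity, odd sources."""
from __future__ import annotations
from difflib import SequenceMatcher

# Hypothetical allowlist: packages the team actually intends to depend on (constructed).
KNOWN_GOOD = {"express", "lodash", "requests", "react", "axios"}
TRUSTED_REGISTRY = "https://registry.npmjs.org/"

def looks_like(name: str, threshold: float = 0.85) -> str | None:
    """Return the allowlisted package `name` nearly matches (impersonation pattern), else None."""
    if name in KNOWN_GOOD:
        return None
    for good in sorted(KNOWN_GOOD):
        if SequenceMatcher(None, name, good).ratio() >= threshold:
            return good
    return None

def audit_lockfile(lock: dict) -> list[str]:
    """Walk the 'packages' map of a lockfileVersion 2/3 package-lock.json; empty list = clean."""
    findings: list[str] = []
    for path, meta in lock.get("packages", {}).items():
        if not path:          # "" is the root project itself, not a dependency
            continue
        name = path.split("node_modules/")[-1]   # handles nested and @scoped paths
        twin = looks_like(name)
        if twin:
            findings.append(f"{name}: resembles '{twin}' (possible impersonation)")
        if "integrity" not in meta:
            findings.append(f"{name}: no integrity hash, contents cannot be verified")
        resolved = meta.get("resolved", "")
        if resolved and not resolved.startswith(TRUSTED_REGISTRY):
            findings.append(f"{name}: resolved from unexpected source {resolved}")
    return findings

# Constructed lockfile fragment: one genuine package, one lookalike, one unverifiable entry.
SAMPLE_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/express": {"version": "4.19.2",
            "resolved": TRUSTED_REGISTRY + "express/-/express-4.19.2.tgz",
            "integrity": "sha512-CONSTRUCTED"},
        "node_modules/expres": {"version": "1.0.0",
            "resolved": TRUSTED_REGISTRY + "expres/-/expres-1.0.0.tgz",
            "integrity": "sha512-CONSTRUCTED"},
        "node_modules/lodash": {"version": "4.17.21",
            "resolved": "https://mirror.example.invalid/lodash-4.17.21.tgz"},
    },
}
```

Running `audit_lockfile(SAMPLE_LOCK)` flags the `expres` lookalike once and the `lodash` entry twice (no integrity hash, unexpected source); wiring the call into a CI step that fails the build on a non-empty result turns it into the kind of gate the article calls for.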