
Lazarus Hackers Use 234 Weaponized npm and PyPI Packages to Target Developers

Cybersecurity firm Sonatype has uncovered an ongoing malware campaign by the North Korea-backed Lazarus Group, showing how a state-sponsored actor is weaponizing open source package ecosystems to reach developers and, through them, critical infrastructure.

Between January and July 2025, the company's automated detection systems blocked 234 unique malicious packages across the npm and PyPI registries; had they not been caught, those packages would have reached more than 36,000 potential victims.

Strategic Shift to Developer-Focused Attacks

The campaign represents a significant tactical evolution for Lazarus, also known as Hidden Cobra, moving from disruptive attacks to long-term infiltration strategies.

The group, associated with North Korea’s Reconnaissance General Bureau, has previously orchestrated high-profile cyber operations including the 2014 Sony Pictures breach, the 2016 Bangladesh Bank heist, and the 2017 WannaCry ransomware attack.

Most recently, they were linked to a $1.5 billion cryptocurrency theft from ByBit in 2025.

The malicious packages discovered by Sonatype are designed to mimic popular developer tools while functioning as sophisticated espionage implants.

These packages are engineered to steal sensitive credentials, profile host systems, and establish persistent backdoors into target networks.

The attack method exploits several systemic weaknesses of the open source ecosystem: developers' tendency to install packages without verifying them, the automatic propagation of new dependencies through CI/CD systems, and the concentration of maintenance responsibility for popular projects in the hands of a few individuals.

Technical Sophistication and Evasion Tactics

The Lazarus campaign demonstrates advanced technical capability, using modular payloads and infrastructure evasion techniques to maintain persistent access to high-value targets.

The malicious code is delivered inside the published packages themselves and relies on the trust that developers and build systems extend to anything fetched from a public registry.
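The traits described above, packages that mimic popular developer tools and carry code that runs when the package is installed, are exactly what a pre-install vetting step should look for. The following Python script is an added example written for this page; it is not code from Sonatype's report or from the article. It checks a package name against a small constructed list of popular packages for typosquatting, flags npm lifecycle scripts that run during `npm install`, and scans the `setup.py` of a PyPI sdist for constructs that execute code while pip builds it. The allowlists, package names and sample archives are all constructed for illustration and stand in for real registry data; none of the indicators is taken from the Lazarus campaign.

```python
"""Pre-install vetting of npm package.json files and PyPI sdists (added example)."""
import io
import json
import re
import tarfile
from difflib import SequenceMatcher

# Constructed allowlists standing in for a real "most downloaded" list.
POPULAR_NPM = {"lodash", "express", "react", "axios", "chalk"}
POPULAR_PYPI = {"requests", "numpy", "pandas", "flask", "cryptography"}

# npm runs these scripts automatically as part of `npm install`.
NPM_INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

# Constructs that let setup.py run arbitrary code while pip builds an sdist
# (a custom cmdclass can override the install command itself).
PYPI_SUSPICIOUS = re.compile(
    r"\b(?:os\.system|subprocess\.\w+|exec\s*\(|eval\s*\(|base64\.b64decode"
    r"|urllib\.request|socket\.socket|cmdclass\s*=)"
)


def looks_like_typosquat(name, popular, threshold=0.8):
    """Return the popular name that `name` imitates, or None if exact or unrelated."""
    if name in popular:
        return None
    for candidate in sorted(popular):
        if SequenceMatcher(None, name, candidate).ratio() >= threshold:
            return candidate
    return None


def vet_npm_package_json(package_json_text):
    """Findings for one package.json: typosquat name and install-time scripts."""
    data = json.loads(package_json_text)
    findings = []
    mimic = looks_like_typosquat(data.get("name", ""), POPULAR_NPM)
    if mimic:
        findings.append(f"name mimics popular package '{mimic}'")
    scripts = data.get("scripts", {})
    for hook in sorted(NPM_INSTALL_HOOKS & scripts.keys()):
        findings.append(f"install-time hook '{hook}': {scripts[hook]}")
    return findings


def vet_pypi_sdist(sdist_bytes):
    """Findings for one .tar.gz sdist: typosquat name and code executed by setup.py."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:gz") as tar:
        names = [m.name for m in tar.getmembers() if m.isfile()]
        if not names:
            return ["empty archive"]
        top = names[0].split("/")[0]          # sdist layout: <name>-<version>/...
        pkg_name = top.rsplit("-", 1)[0]
        mimic = looks_like_typosquat(pkg_name, POPULAR_PYPI)
        if mimic:
            findings.append(f"name mimics popular package '{mimic}'")
        setup_path = f"{top}/setup.py"
        if setup_path in names:
            src = tar.extractfile(setup_path).read().decode("utf-8", "replace")
            for hit in sorted(set(PYPI_SUSPICIOUS.findall(src))):
                findings.append(f"setup.py uses '{hit}' (runs during pip install)")
    return findings


def build_sdist(pkg_name, version, setup_py_src):
    """Constructed in-memory sdist so the example runs offline (not a real package)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = setup_py_src.encode()
        info = tarfile.TarInfo(f"{pkg_name}-{version}/setup.py")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: one benign package and two showing the traits above.
BENIGN_NPM = json.dumps({"name": "my-internal-lib", "version": "1.0.0",
                         "scripts": {"test": "jest"}})
SUSPECT_NPM = json.dumps({"name": "lodahs", "version": "4.17.99",
                          "scripts": {"postinstall": "node ./lib/init.js"}})
SUSPECT_PYPI = build_sdist(
    "reqeusts", "2.0.0",
    "import os, base64\nfrom setuptools import setup\n"
    "os.system(base64.b64decode('ZWNobyBoaQ==').decode())\n"
    "setup(name='reqeusts')\n")

if __name__ == "__main__":
    for label, findings in [("benign npm", vet_npm_package_json(BENIGN_NPM)),
                            ("suspect npm", vet_npm_package_json(SUSPECT_NPM)),
                            ("suspect pypi", vet_pypi_sdist(SUSPECT_PYPI))]:
        print(label, "->", findings or "no findings")
```

Both checks are triage signals rather than verdicts: legitimate packages do ship `postinstall` scripts and do call `subprocess` in `setup.py`, so a hit means a human should read the package before it enters the build, not that it is malicious. The checks are also most useful when paired with settings that limit what an unvetted package can do in CI, such as `npm ci --ignore-scripts` with a committed lockfile and `pip install --require-hashes` against pinned requirements.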


Once installed, the malware can remain undetected for extended periods while collecting sensitive information from developer environments, which typically contain valuable credentials and access tokens.

The attack vector is particularly concerning because it exploits the software supply chain at its foundation: developer environments are gateways to broader organizational networks, which makes them attractive targets for nation-state actors seeking long-term access to critical infrastructure and sensitive data.

According to Sonatype, its customers remained protected throughout the campaign: its Repository Firewall stopped the malicious packages from entering development pipelines, and its Lifecycle product alerted teams to compromised components already present in existing applications.

The discovery highlights the need for stronger security measures in open-source ecosystems as nation-state actors increasingly treat software supply chains as strategic attack vectors, and it underscores that the open-source community must prioritize supply chain security and adopt more rigorous package vetting.


The post Lazarus Hackers Use 234 Weaponized npm and PyPI Packages to Target Developers appeared first on Cyber Security News.
