
North Korean hackers infiltrate open-source repositories in latest espionage campaign

  • Marijan Hassan - Tech Journalist
  • Aug 4
  • 2 min read

Global cybersecurity firm Sonatype has uncovered a widespread and sophisticated cyber espionage campaign orchestrated by North Korean state-backed hackers, primarily the notorious Lazarus Group. The attackers have been observed planting malicious code within widely used open-source software repositories, putting tens of thousands of developers and critical infrastructure at risk of surveillance and data theft.


According to Sonatype's findings, between January and July 2025, a staggering 234 malicious packages were detected and blocked across popular code repositories like npm and PyPI.


These packages, designed to mimic legitimate developer tools, were engineered to steal credentials, profile victim devices, and establish persistent backdoors. Researchers estimate the campaign may have impacted over 36,000 developers globally.


This latest operation marks a notable evolution in the tactics employed by the Lazarus Group, which has historically focused on large-scale financial theft, including a recent $1.4 billion cryptocurrency heist from the Dubai-based Bybit.


The shift towards targeting open-source ecosystems indicates a strategic move towards cyber espionage and gaining covert access to critical infrastructure for geopolitical gain.


Exploiting trust and supply chain vulnerabilities

The success of this campaign hinges on exploiting inherent weaknesses within the open-source software supply chain. Developers often rely on unvetted packages, and many popular tools lack robust oversight and are frequently maintained by only one or two individuals.


The North Korean hackers leveraged these vulnerabilities through tactics such as:


  • Typosquatting and brand impersonation: Malicious packages were named similarly to well-known libraries or company tools, tricking developers and automated systems into downloading them.


  • Multi-stage attacks: Once installed, the malicious packages deployed a range of spying tools, including clipboard stealers, keyloggers, screenshot utilities, and credential harvesters. A significant number (over 90) were built for secrets exfiltration, while more than 120 served as droppers for delivering additional malware, signaling a long-term infiltration strategy.

  • Targeting DevOps and CI/CD environments: The campaign specifically aimed at developers working in environments that rely heavily on DevOps and Continuous Integration/Continuous Delivery (CI/CD), where compromised credentials or backdoors could grant extensive access.


Attribution and broader implications

While definitive attribution in cyber operations can be challenging, the infrastructure and tactics employed in this campaign closely mirror previous operations linked to the Lazarus Group. This reinforces the understanding that North Korea is increasingly leveraging cyber capabilities to fund its regime and advance its strategic interests, including intelligence gathering and access to sensitive information.


The exploitation of open-source repositories highlights a growing concern for the cybersecurity community. The trust embedded within the open-source community, a cornerstone of modern software development, is being actively exploited for malicious purposes.


Recommendations for developers and organizations

In light of this evolving threat, cybersecurity experts urge developers and organizations to implement stringent security practices:


  • Verify package authenticity: Always verify the authenticity of open-source packages before integration, by checking checksums, verifying signatures, or pinning package versions.

  • Continuous monitoring: Implement automated tools for continuous monitoring of open-source dependencies for known and emerging vulnerabilities.

  • Secure development practices: Adhere to secure coding practices and integrate security testing throughout the software development lifecycle (DevSecOps).

  • Strict access controls: Enforce rigorous access controls for code repositories and CI/CD pipelines to prevent unauthorized modifications.

  • Developer education: Educate developers and teams on the latest social engineering tactics and open-source security best practices.

  • Minimize dependencies: Where possible, minimize the use of external dependencies to reduce the attack surface.
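The first two recommendations above (authenticity checks and dependency monitoring) can be partly automated in a pipeline step. The following is an added illustration, not code from Sonatype or from the article: it audits a requirements file for entries that are not pinned to an exact version, entries that carry no sha256 hash, and names that closely resemble a well-known package (the typosquatting pattern described earlier), and it shows the digest comparison that a checksum check performs before install. The allowlist, the sample requirements and the placeholder digests are constructed for the example.

```python
import hashlib
import re
from difflib import SequenceMatcher
from typing import List, Optional, Tuple

# Constructed allowlist; in practice this comes from an internal approved-packages inventory.
KNOWN_PACKAGES = ("requests", "numpy", "cryptography", "pyyaml")
PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)==(\S+)")  # "name==version"
PLACEHOLDER = "0" * 64  # stands in for a real pinned sha256 digest

# Constructed sample requirements file containing two look-alike names.
SAMPLE_REQUIREMENTS = f"""
requests==2.32.3 --hash=sha256:{PLACEHOLDER}
reqeusts==1.0.0
numpy>=1.26
cryptographi==41.0.0 --hash=sha256:{PLACEHOLDER}
"""

def looks_like_typosquat(name: str, threshold: float = 0.85) -> Optional[str]:
    """Return the known package that `name` closely resembles but is not, else None."""
    low = name.lower()
    if low in KNOWN_PACKAGES:
        return None
    for known in KNOWN_PACKAGES:
        if SequenceMatcher(None, low, known).ratio() >= threshold:
            return known
    return None

def audit_requirements(text: str) -> List[Tuple[str, str]]:
    """Flag unpinned entries, entries without a sha256 hash, and look-alike names."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = PIN_RE.match(line)
        if not match:
            findings.append((line, "not pinned to an exact version"))
            continue
        name = match.group(1)
        if "--hash=sha256:" not in line:
            findings.append((name, "no sha256 hash pinned"))
        squat = looks_like_typosquat(name)
        if squat:
            findings.append((name, f"name resembles known package '{squat}'"))
    return findings

def verify_download(blob: bytes, expected_sha256: str) -> bool:
    """Compare a fetched artifact's digest with the pinned hash before installing it."""
    return hashlib.sha256(blob).hexdigest() == expected_sha256.lower()
```

Running `audit_requirements(SAMPLE_REQUIREMENTS)` reports the two look-alike names, the missing hash on the second entry and the unpinned numpy range; a real pipeline would fail the build on any finding.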
