Image: Wesley Tingey via Unsplash

North Korean hackers target open-source repositories in new espionage campaign

North Korean state-backed hackers have planted malicious code in open-source software repositories as part of an ongoing campaign that has already put tens of thousands of developers at risk of surveillance and data theft, according to new research.

Between January and July, cybersecurity firm Sonatype said it blocked 234 malicious packages uploaded to the widely used npm and PyPI code repositories and linked to the campaign. The packages, which impersonated legitimate developer tools, were designed to steal credentials, profile victims’ devices and plant backdoors. The researchers estimate the campaign may have impacted more than 36,000 developers.

In its latest operation, Lazarus, the North Korean state-backed group behind the campaign, took advantage of major gaps in the open-source software supply chain — like developers depending on unvetted packages and the lack of oversight for popular tools that are often maintained by just one or two people. Many of the malicious packages used typosquatting and brand impersonation tactics, mimicking well-known libraries or company tools to fool developers and automated systems into downloading them.
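The typosquatting and brand-impersonation tactics described above are something a team can screen for before a package is ever installed. The script below is an added example written for this article, not Sonatype's tooling or anything from the campaign itself: it parses a PyPI `requirements.txt` and an npm `package.json`, then flags dependency names that are a small edit distance away from an allowlisted package or that carry a watched brand name without being on the allowlist. The allowlist, the brand list, the edit-distance threshold of 2 and the two sample manifests are all constructed assumptions for illustration; a real deployment would load the allowlist from the organisation's own lockfiles.

```python
"""Screen dependency manifests for typosquat and brand-impersonation lookalikes.

Added example for this article, not Sonatype's tooling. All lists and sample
manifests below are constructed for illustration.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed allowlist: package names the organisation has already vetted.
KNOWN_GOOD: Dict[str, set] = {
    "npm": {"express", "lodash", "react", "axios", "chalk"},
    "pypi": {"requests", "numpy", "urllib3", "cryptography", "pandas"},
}

# Constructed list of company/tool names an impersonating package might borrow.
WATCHED_BRANDS = ("aws", "azure", "github", "docker", "jenkins")

# Assumed threshold: names within this many edits of a known package are suspect.
MAX_DISTANCE = 2


@dataclass(frozen=True)
class Finding:
    ecosystem: str
    name: str
    reason: str


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(name: str) -> str:
    """Both npm and PyPI treat '-', '_' and '.' loosely; compare canonical forms."""
    return re.sub(r"[-_.]+", "-", name.strip().lower())


def check_package(ecosystem: str, name: str) -> Optional[Finding]:
    """Return a Finding for a suspicious name, or None if it is allowlisted."""
    canon = normalise(name)
    known = {normalise(k): k for k in KNOWN_GOOD[ecosystem]}
    if canon in known:
        return None
    # Typosquat check: close to a vetted name but not equal to it.
    for k_canon, original in known.items():
        d = levenshtein(canon, k_canon)
        if 0 < d <= MAX_DISTANCE:
            return Finding(ecosystem, name, f"lookalike of '{original}' (edit distance {d})")
    # Brand impersonation check: borrows a watched name without being vetted.
    for brand in WATCHED_BRANDS:
        if brand in canon:
            return Finding(ecosystem, name, f"brand impersonation candidate ('{brand}' in name)")
    return Finding(ecosystem, name, "not on allowlist")


def parse_requirements(text: str) -> List[str]:
    """Extract bare package names from requirements.txt-style lines."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # skip comments, blank lines and pip options
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.append(m.group(1))
    return names


def parse_package_json(text: str) -> List[str]:
    """Extract dependency names from package.json."""
    data = json.loads(text)
    names: List[str] = []
    for section in ("dependencies", "devDependencies"):
        names.extend(data.get(section, {}).keys())
    return names


def scan(ecosystem: str, names: List[str]) -> List[Finding]:
    return [f for f in (check_package(ecosystem, n) for n in names) if f is not None]


# Constructed sample manifests containing one lookalike and one brand-borrowing name.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
requests==2.31.0
reqeusts==1.0.0   # transposed letters
numpy>=1.26
cryptography
"""
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"express": "^4.18.0", "expres": "1.0.0", "aws-sdk-toolz": "0.1.0"}
})

if __name__ == "__main__":
    for eco, names in (("pypi", parse_requirements(SAMPLE_REQUIREMENTS)),
                       ("npm", parse_package_json(SAMPLE_PACKAGE_JSON))):
        for finding in scan(eco, names):
            print(f"[{finding.ecosystem}] {finding.name}: {finding.reason}")
```

Run it as a pre-install step in CI so that a new dependency close to an existing name fails the build until a human confirms it; the "not on allowlist" finding is deliberately noisy, since forcing a review of every unvetted addition is the point.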

Once installed, the malicious packages deploy a range of spying tools — including a clipboard stealer, keylogger, screenshot utility and credential harvester. More than 90 of the packages were built to steal secrets and credentials, while over 120 served as droppers to deliver additional malware, suggesting a broader strategy focused on long-term network infiltration and persistence, rather than quick financial gain, researchers said.

The campaign reflects an evolution in tactics by Lazarus, a North Korean state-backed hacking group that has been linked to the world’s largest cryptocurrency heists, including a $1.4 billion theft from Dubai-based Bybit earlier this year. While historically focused on financial theft, Lazarus has shifted its operations toward espionage and covert access to critical infrastructure, Sonatype said.

The latest operation appears to have specifically targeted developers in DevOps and CI/CD-heavy environments. Although attribution in cyber operations is often inconclusive, researchers said the infrastructure and tactics closely mirror previous Lazarus-linked campaigns.

Malicious actors are increasingly exploiting open-source repositories for financial gain or espionage. In July, hackers compromised a popular npm package by phishing its maintainer via a fake login page, allowing them to publish a backdoored version of code used in millions of projects. Around the same time, PyPI warned users about a separate phishing campaign using a spoofed website to harvest developer credentials. The campaigns have not been attributed to any specific threat actor.

“Lazarus is turning open source ecosystems into sophisticated delivery mechanisms for cyberespionage,” Sonatype said about the latest campaign, adding that such attacks are “a clear signal that the trust inherent in the open source community is being actively exploited for geopolitical gain.”

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.