North Korean APT Hackers Compromise CI/CD Pipelines to Steal Sensitive Data
Sonatype’s automated malware detection systems have exposed a large-scale and ongoing cyber infiltration campaign orchestrated by the North Korea-backed Lazarus Group, also known as Hidden Cobra.
Between January and July 2025, Sonatype identified and blocked 234 unique malware packages attributed to this state-sponsored threat actor across popular open-source registries like npm and PyPI.
These malicious packages, often disguised as legitimate developer tools, are engineered as espionage implants with capabilities to steal sensitive data, profile compromised hosts, and establish persistent backdoors into critical infrastructure.
Sonatype has so far identified over 36,000 potential victims of the campaign, with the number continuing to rise, marking a significant escalation in the weaponization of open-source software as a battleground for geopolitical cyber conflict.
Targets Open Source Ecosystems
The Lazarus Group, tied to North Korea’s Reconnaissance General Bureau, has a notorious history of high-profile cyberattacks over the past decade, including the 2014 Sony Pictures hack, the 2016 Bangladesh Bank heist, and the devastating 2017 WannaCry ransomware outbreak.
In 2025, the group was also linked to the staggering $1.5 billion Bybit cryptocurrency theft. While its earlier operations focused on disruption, recent activity indicates a strategic pivot toward long-term infiltration and espionage.
Their latest campaign targeting open-source ecosystems showcases advanced tactics, including the use of tailored malware, modular payloads, and sophisticated infrastructure evasion techniques to maintain persistent access to high-value targets.
By publishing malicious packages to widely used registries, Lazarus exploits systemic weaknesses in the software development lifecycle, particularly in developer environments and CI/CD pipelines that resolve and install dependencies automatically without any verification of where a package came from or what it runs at install time.
Massive Infiltration
This operation highlights the unique risks posed by open-source software as a vector for cyber espionage and credential theft.
Developers frequently install packages without adequate verification or sandboxing, leaving their environments exposed to malicious code that can linger undetected for extended periods.
Moreover, many popular open-source projects are maintained by small teams or even single individuals, making them prime targets for impersonation or compromise.
Developer systems often house sensitive credentials and tokens, which, once stolen, grant attackers access to broader organizational infrastructure.
The automated nature of CI/CD systems exacerbates the issue, as malicious dependencies can spread rapidly across build pipelines, amplifying the reach and impact of the attack.
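The propagation problem described above has a concrete mitigation: a pipeline should refuse to install anything it cannot verify. The script below is an added example, not Sonatype's code or anything published by the attackers. It gates an `npm ci` step on a `package-lock.json` (lockfile version 2 or 3) by checking three things per dependency: that it resolves from an approved registry host, that it carries a `sha512-` integrity hash, and whether it declares an install-time script (npm records this as `hasInstallScript`). A second helper lists the lifecycle hooks in a package's own `package.json`, since `preinstall`/`postinstall` hooks are where a malicious package gets code execution during install. The approved host set and both sample documents are constructed for the example.

```python
"""Pre-install dependency gate for an npm lockfile (added example, not from the original article)."""
import json
from urllib.parse import urlparse

# Assumption: the organisation's only approved package source. Add a private mirror here if used.
ALLOWED_REGISTRY_HOSTS = {"registry.npmjs.org"}

# npm lifecycle hooks that execute arbitrary code during `npm install` / `npm ci`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed package-lock.json (lockfileVersion 3) fragment; the package names are invented.
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/example-clean-lib": {
            "version": "2.3.1",
            "resolved": "https://registry.npmjs.org/example-clean-lib/-/example-clean-lib-2.3.1.tgz",
            "integrity": "sha512-" + "A" * 86 + "==",
        },
        "node_modules/example-devtool": {
            "version": "0.0.3",
            # Pulled straight from a git hosting tarball: no registry, no integrity hash.
            "resolved": "https://github.com/someone/example-devtool/tarball/main",
            "hasInstallScript": True,
        },
    },
}

# Constructed package.json for the suspicious package, as it would sit in node_modules/.
SAMPLE_PKG_JSON = {
    "name": "example-devtool",
    "version": "0.0.3",
    "scripts": {"postinstall": "node ./setup.js", "test": "jest"},
}


def load_lockfile(path: str) -> dict:
    """Read a package-lock.json from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def check_lockfile(lock: dict) -> list[str]:
    """Return one finding string per problem in the lockfile's 'packages' map."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project entry describes the app itself, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested node_modules paths too
        resolved = meta.get("resolved")
        if not resolved:
            findings.append(f"{name}: no 'resolved' URL, origin cannot be verified")
        else:
            host = urlparse(resolved).hostname
            if host not in ALLOWED_REGISTRY_HOSTS:
                findings.append(f"{name}: resolved from unapproved host {host}")
        if not meta.get("integrity", "").startswith("sha512-"):
            findings.append(f"{name}: missing or weak integrity hash")
        if meta.get("hasInstallScript"):
            findings.append(f"{name}: declares an install-time script")
    return findings


def check_install_hooks(pkg_json: dict) -> list[str]:
    """List the lifecycle hooks a package's package.json would run on install."""
    scripts = pkg_json.get("scripts", {})
    return [f"{hook}: {scripts[hook]}" for hook in INSTALL_HOOKS if hook in scripts]


def gate_install(lock: dict) -> bool:
    """True when the lockfile passes every check; False should fail the pipeline step."""
    return not check_lockfile(lock)


if __name__ == "__main__":
    for line in check_lockfile(SAMPLE_LOCK):
        print("FINDING:", line)
    for line in check_install_hooks(SAMPLE_PKG_JSON):
        print("HOOK:", line)
    print("install allowed:", gate_install(SAMPLE_LOCK))
```

Run it as a CI step before `npm ci` and fail the job when `gate_install` returns `False`. Pair it with `npm ci --ignore-scripts` so that any hook `check_install_hooks` reports is reviewed by a human rather than executed by the build agent, and keep the approved host set narrow: a tarball URL pointing at a code-hosting site is exactly the kind of unverified source that lets a package bypass registry-level scanning.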
Lazarus’s approach demonstrates a deep understanding of these weaknesses, leveraging the trust inherent in open-source communities to deliver espionage tools disguised as benign utilities.
Sonatype’s findings underscore the urgent need for organizations to adopt robust security measures to safeguard their software supply chains.
The scale of this campaign, coupled with the sophistication of Lazarus’s evolving tactics, serves as a wake-up call for the industry to prioritize dependency verification, sandboxed testing, and enhanced monitoring of open-source components.
As geopolitical actors increasingly target the software development ecosystem, protecting CI/CD pipelines and developer environments has become a critical line of defense against state-sponsored threats seeking to exploit the open-source landscape for espionage and data theft.