North Korea-Linked Lazarus Group Deploys Malicious Packages in Targeted Campaign
- Feb 17

Cybersecurity researchers have identified a sustained malware distribution campaign, active since at least May 2025, that leverages open-source software repositories to compromise developer systems.
The operation, attributed to the North Korean state-linked Lazarus Group, uses malicious packages published to the npm and Python Package Index (PyPI) ecosystems as the primary distribution vector.
Threat actors have combined software supply-chain compromise with social engineering. Prospective victims are contacted via professional networks and online forums with fabricated job opportunities in sectors such as blockchain and cryptocurrency.
These communications often direct developers to GitHub repositories that appear legitimate. When candidates build and run the associated projects, malicious dependencies from npm or PyPI are installed, enabling infection.
Once executed, the embedded payload deploys a remote access trojan (RAT) capable of communicating with external command servers, gathering system information, managing files, and executing arbitrary commands. Communications with the command-and-control infrastructure incorporate a token-based mechanism to authenticate infected hosts, a technique previously observed in similar state-linked campaigns.
Security analysts warn that this campaign underscores the evolving threat posed by sophisticated adversaries in open-source ecosystems. Organizations and developers are advised to enforce strict supply-chain security measures, validate third-party components, and maintain heightened vigilance against unsolicited technical recruitment efforts.
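The two manifest features that make the "clone this repo and build it" lure work are npm lifecycle hooks (which run automatically during `npm install`) and dependencies that resolve to git, URL, tarball or unpinned sources instead of a fixed registry release. The script below is an added example of the pre-build check the article's advice calls for; it is not code from the article or from the researchers it cites. The `package.json` and `requirements.txt` contents are constructed samples, and the names in them (`demo-wallet-sdk`, `example-org/helper-lib`, `example.invalid`) are placeholders.

```python
"""Pre-build audit of a cloned repository's dependency manifests.

Added example: flags npm install-time hooks and dependencies pulled from
non-registry sources or left unpinned, for both npm and pip manifests.
All sample manifests below are constructed for the example.
"""
import json
import re
from collections import Counter

# Lifecycle hooks npm executes on its own during `npm install`.
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# npm dependency specs that bypass the registry: git, URL, file, path, or user/repo shorthand.
NON_REGISTRY_SPEC = re.compile(r"^(git\+|git:|github:|https?:|file:|\.\.?/|/|[\w.-]+/[\w.-]+$)")
EXACT_SEMVER = re.compile(r"^\d+\.\d+\.\d+(?:[-+][\w.]+)?$")

# pip requirement lines that fetch from a VCS, URL, or local path instead of the index.
PIP_NON_INDEX = re.compile(r"^(-e\s|git\+|https?://|\.|/)")


def audit_package_json(text):
    """Return (severity, finding) tuples for an npm package.json document."""
    pkg = json.loads(text)
    findings = []
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook in NPM_INSTALL_HOOKS:
            findings.append(("high", f"install hook '{hook}' runs: {cmd}"))
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(section, {}).items():
            if NON_REGISTRY_SPEC.match(spec):
                findings.append(("high", f"{section}: {name} fetched from non-registry source '{spec}'"))
            elif not EXACT_SEMVER.match(spec):
                findings.append(("medium", f"{section}: {name} not pinned to an exact version ('{spec}')"))
    return findings


def audit_requirements(text):
    """Return (severity, finding) tuples for a pip requirements.txt document."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith(("-i ", "--index-url", "--extra-index-url")):
            findings.append(("high", f"requirements: index override '{line}'"))
        elif line.startswith("-") and not line.startswith("-e"):
            continue  # other pip options (-r, -c, ...) are not install sources
        elif PIP_NON_INDEX.match(line) or "@" in line:
            findings.append(("high", f"requirements: non-index source '{line}'"))
        elif "==" not in line:
            findings.append(("medium", f"requirements: '{line}' not pinned with =="))
        elif "--hash=" not in line:
            findings.append(("low", f"requirements: '{line}' pinned but has no --hash"))
    return findings


def severity_counts(findings):
    """Summarise findings as {severity: count}."""
    return Counter(sev for sev, _ in findings)


# Constructed sample manifests of the kind a lure repository might carry.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-wallet-sdk",
    "scripts": {"postinstall": "node ./scripts/setup.js", "test": "jest"},
    "dependencies": {
        "express": "4.18.2",
        "lodash": "^4.17.21",
        "helper-lib": "github:example-org/helper-lib",
    },
})

SAMPLE_REQUIREMENTS = """# constructed sample
requests==2.31.0
flask>=2.0
web3 @ https://example.invalid/web3-6.0.0.tar.gz
"""


def run_audit(package_json=SAMPLE_PACKAGE_JSON, requirements=SAMPLE_REQUIREMENTS):
    """Audit both manifests and return the combined findings."""
    return audit_package_json(package_json) + audit_requirements(requirements)


if __name__ == "__main__":
    for sev, msg in run_audit():
        print(f"[{sev}] {msg}")
    print(dict(severity_counts(run_audit())))
```

Any "high" finding is reason to stop and read the repository before building it. When a build still has to be tried, `npm install --ignore-scripts` prevents the lifecycle hooks from running, and `pip install --require-hashes -r requirements.txt` refuses anything that is not pinned to a known digest, which turns the "medium" and "low" findings into hard failures.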