Lazarus Hackers Exploit 234 Packages on npm and PyPI to Compromise Developers
A sophisticated cyber espionage campaign has infiltrated two of the world's largest open source package repositories: North Korea's Lazarus Group deployed 234 malicious packages across the npm and PyPI ecosystems between January and July 2025, exposing over 36,000 potential victims to malware built for long-term surveillance and credential theft. The packages masqueraded as legitimate developer tools, exploiting the trust developers place in open source ecosystems. They functioned as espionage implants, engineered to steal secrets such as tokens and keys, profile the host they landed on, and establish persistent backdoors into the systems that installed them. The campaign turns an everyday development workflow, installing a dependency, into an attack vector. Analysts from Sonatype attributed the activity to the Lazarus Group, also known as Hidden Cobra, a North Korean state-sponsored collective associated with the Reconnaissance General Bureau.
The Lazarus Group has been active for more than a decade, with a portfolio that includes the 2014 Sony Pictures breach, the 2016 Bangladesh Bank heist, and the 2017 WannaCry ransomware outbreak. Most recently, the group carried out the $1.5 billion ByBit cryptocurrency theft in 2025.

The campaign relied on structural weaknesses of open source ecosystems rather than on software vulnerabilities. Developers routinely install packages without verification or sandboxing, and both ecosystems execute package-supplied code at install time (npm lifecycle scripts, setup.py for PyPI source distributions), so a malicious package need not even be imported to run. Automated CI/CD systems then propagate a poisoned dependency through the pipeline without human review. The decentralised nature of many popular projects, often maintained by just one or two individuals, creates opportunities for impersonation and compromise. For persistence, the group used modular payload delivery and infrastructure evasion: the malware followed a multi-stage infection process in which installation of a package planted dormant code that activated during subsequent development activity.
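The install-time execution paths named above are where a pre-install check earns its keep. The script below is an added example, not Sonatype's tooling and not code from the campaign or the page: it inspects an npm package.json for lifecycle hooks that run during `npm install` and parses a PyPI setup.py with `ast` (without executing it) to flag risky imports, dynamic code execution, and `cmdclass` overrides of the install command. The two sample manifests, including the package name and the empty payload blob, are constructed for the example.

```python
"""Pre-install triage of npm and PyPI package manifests (added example).

Nothing here is executed: the npm manifest is parsed as JSON and setup.py is
parsed with `ast`, so the check is safe to run on an untrusted download.
"""
import ast
import json
import re

# npm runs these scripts automatically during `npm install` unless
# `--ignore-scripts` is set.
NPM_LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Tokens that are rare in honest lifecycle scripts but common in droppers.
SUSPICIOUS_SHELL = re.compile(
    r"(node\s+-e\b|curl\b|wget\b|base64|\beval\b|child_process|powershell|/dev/tcp)",
    re.IGNORECASE,
)


def audit_npm_manifest(manifest_json: str) -> list[str]:
    """Return findings for a package.json document (empty list means clean)."""
    findings = []
    scripts = json.loads(manifest_json).get("scripts", {})
    for hook in NPM_LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if cmd is None:
            continue
        findings.append(f"lifecycle hook '{hook}' runs on install: {cmd!r}")
        if SUSPICIOUS_SHELL.search(cmd):
            findings.append(f"hook '{hook}' matches a dropper pattern")
    return findings


class _SetupVisitor(ast.NodeVisitor):
    """Collects risky constructs anywhere in setup.py.

    pip executes setup.py wholesale when building a source distribution, and a
    `cmdclass` override of `install` runs attacker code during `pip install`.
    """

    DANGEROUS_CALLS = {"exec", "eval", "compile", "__import__"}
    DANGEROUS_MODULES = {"subprocess", "socket", "urllib", "base64", "ctypes"}

    def __init__(self):
        self.findings = []

    def visit_Import(self, node):
        for alias in node.names:
            root = alias.name.split(".")[0]
            if root in self.DANGEROUS_MODULES:
                self.findings.append(f"setup.py imports {root}")
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        root = (node.module or "").split(".")[0]
        if root in self.DANGEROUS_MODULES:
            self.findings.append(f"setup.py imports from {root}")
        self.generic_visit(node)

    def visit_Call(self, node):
        name = None
        if isinstance(node.func, ast.Name):
            name = node.func.id
        elif isinstance(node.func, ast.Attribute):
            name = node.func.attr
        if name in self.DANGEROUS_CALLS:
            self.findings.append(f"setup.py calls {name}()")
        if name == "setup" and any(kw.arg == "cmdclass" for kw in node.keywords):
            self.findings.append("setup() overrides an install command via cmdclass")
        self.generic_visit(node)  # keep descending into nested calls


def audit_pypi_setup(setup_source: str) -> list[str]:
    """Return findings for the text of a setup.py (empty list means clean)."""
    visitor = _SetupVisitor()
    visitor.visit(ast.parse(setup_source))
    return visitor.findings


# Constructed sample: an npm package that runs code at install time.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-dev-helper",  # constructed name, not a real package
    "version": "1.0.0",
    "scripts": {
        "test": "jest",
        "postinstall": "node -e \"require('./setup-env.js')\"",
    },
})

# Constructed sample: a setup.py that hooks the install command. BLOB is empty
# on purpose; the text is only parsed, never executed.
SAMPLE_SETUP_PY = '''
import base64
from setuptools import setup
from setuptools.command.install import install

BLOB = b""

class CustomInstall(install):
    def run(self):
        exec(base64.b64decode(BLOB))
        install.run(self)

setup(name="example-dev-helper", version="1.0.0",
      cmdclass={"install": CustomInstall})
'''

if __name__ == "__main__":
    for finding in audit_npm_manifest(SAMPLE_PACKAGE_JSON) + audit_pypi_setup(SAMPLE_SETUP_PY):
        print("FINDING:", finding)
```

A hit is a reason to read the package, not proof of malice: legitimate native modules use `postinstall` and some projects subclass `install`. The cheap hardening that removes the install-time execution path regardless is `npm config set ignore-scripts true` for npm and `pip install --only-binary=:all:` for PyPI, which refuses source distributions (and therefore setup.py) altogether.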