New Lazarus Group campaign sees North Korean hackers spreading undetectable malware through GitHub and open source packages

Image depicting a hand on a scanner
Image Credit: Pixabay (Image credit: Pixabay)

  • Security researchers discovered malicious code in NPM packages and GitHub commits
  • The code was linked to a Lazarus-operated account
  • More than 200 victims were confirmed so far

Lazarus Group, an infamous North Korean state-sponsored threat actor, is running a campaign targeting software and Web3 developers with “undetectable” malware.

Cybersecurity researchers at STRIKE from SecurityScorecard said they observed malware being embedded into GitHub repositories and NPM packages, where unsuspecting developers pick them up and integrate into their own projects.

The researchers said they saw the SuccessFriend GitHub profile, known to be linked to Lazarus, injecting JavaScript implants into GitHub repositories, where they blend in with legitimate code. To make matters worse, the profile has also committed benign code, to better hide its malicious intent.

Funding the state

The malware is being distributed inside NPM packages, STRIKE says, which are “widely used” by cryptocurrency developers and Web3 projects.

The researchers dubbed the campaign Marstech Mayhem, since the malware being deployed is named Marstech1. Once deployed on the victim endpoint, it scans systems for MetaMask, Exodus, and Atomic wallets, modifying browser configuration files to inject stealthy payloads that can intercept transactions.

With that in mind, it’s safe to say that Lazarus is still tasked with stealing cryptocurrency for the North Korean government. Earlier reports were saying that the government was using the stolen crypto to fund its state apparatus, as well as its nuclear weapons program.

So far, STRIKE managed to confirm at least 233 victims across the US, Europe, and Asia.

SecurityScorecard’s SVP of Threat Research & Intelligence, Ryan Sherstobitoff said that the Marstech1 implant comes with “layered obfuscation techniques,” from control flow flattening and dynamic variable renaming in JavaScript, to multi-stage XOR decryption in Python.

He urged organizations and developers to adopt proactive security measures, continuously monitor their supply chain activities, and integrate advanced threat intelligence solutions to mitigate the risk of sophisticated attackers such as Lazarus.

You might also like

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Read more
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
North Korean Lazarus hackers launch large-scale cyberattack by cloning open source software
North Korean flag with a hooded hacker
North Korean hackers are posing as software development recruiters to target freelancers
Hacker silhouette working on a laptop with North Korean flag on the background
North Korean Lazarus hackers are targeting nuclear workers
An abstract image of digital security.
Hundreds of GitHub repositories hijacked to trick users into downloading malware
A white padlock on a dark digital background.
Developers targeted by malicious Microsoft VSCode extensions
Pirate skull cyber attack digital technology flag cyber on on computer CPU in background. Darknet and cybercrime banner cyberattack and espionage concept illustration.
Huge cybercrime attack sees 390,000 WordPress websites hit, details stolen
Latest in Security
An American flag flying outside the US Capitol building against a blue sky
The FCC is creating a security council to bolster US defenses against cyberattacks
Image depicting hands typing on a keyboard, with phishing hooks holding files, passwords and credit cards.
Microsoft warns about a new phishing campaign impersonating Booking.com
Ransomware
Microsoft uncovers sleuthy new XCSSET MacOS malware campaign
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Meta warns of worrying security flaw hitting open source type software
Hand holding smartphone and scan fingerprint biometric identity for unlock her mobile phone
Biometrics add another layer of security to passwordless authentication
Data leak
Hacked Tata Technologies data leaked by ransomware gang
Latest in News
Google Gemini Flash 2.0 Images
I tried Gemini's new AI image generation tool - here are 5 ways to get the best art from Google's Flash 2.0
An image of the Samsung Galaxy S25 Ultra from a hands-on event
Samsung Galaxy S26 Ultra could resurrect an intriguing camera feature
Eurocom Raptor X18
At $15,000, this massive 256GB RAM laptop makes Apple's MacBook Pro look affordable, tiny and very, very slow
Cristin Milioti in Black Mirror season 7
Netflix launches trailer for Black Mirror season 7, giving us a look at its first-ever sequel episode and an unexpected returning character
A graphic of the PC Gaming Show
Get ready for a bounty of PC games on June 8, as the PC Gaming show is back
A close up of The Daily podcast from Pocket Casts' web page
‘Podcasting shouldn’t be locked behind walled gardens’: Pocket Casts slams Spotify and makes its web player free to all