North Korean APT Hackers Target CI/CD Pipelines to Steal Sensitive Data

Sonatype's automated malware detection systems have uncovered a significant cyber infiltration campaign led by the North Korea-backed Lazarus Group, also known as Hidden Cobra. Between January and July 2025, Sonatype identified and blocked 234 unique malware packages linked to this state-sponsored actor across popular open-source registries like npm and PyPI.


These malicious packages, disguised as legitimate developer tools, are designed for espionage: they steal sensitive data, profile compromised hosts, and establish persistent backdoors into critical infrastructure. Sonatype has already identified over 36,000 potential victims of the campaign, highlighting the increasing weaponization of open-source software in geopolitical cyber conflicts.


Targeting Open Source Ecosystems
The Lazarus Group, associated with North Korea’s Reconnaissance General Bureau, has a history of high-profile cyberattacks, including the 2014 Sony Pictures hack and the 2017 WannaCry ransomware outbreak. Their recent focus on long-term infiltration and espionage is evident in their latest campaign targeting open-source ecosystems.
By publishing malicious code to widely used package registries, Lazarus exploits weak points in the software development lifecycle, particularly within CI/CD pipelines. Developers often install packages without verifying their origin or contents, so malicious code can enter build environments undetected.
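The "installed without verification" gap described above is where a CI gate belongs. As an added example (not the article's or Sonatype's code), the following Python script flags entries in an npm package-lock.json or a pip requirements.txt that cannot be verified at install time: dependencies resolved from a host other than the registry, lock entries with no integrity hash, and requirements that are not pinned with an exact version and a `--hash`. The trusted-host set and the sample manifests are assumptions constructed for the demonstration.

```python
import json
import re
from urllib.parse import urlparse

# Assumption: the only host CI is allowed to fetch npm tarballs from.
TRUSTED_NPM_HOSTS = {"registry.npmjs.org"}

def audit_npm_lock(lock_text: str) -> list[str]:
    """Flag package-lock.json (v2/v3 'packages' map) entries that cannot be verified."""
    findings = []
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if path == "":  # the root project itself, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = meta.get("resolved", "")
        if (urlparse(resolved).hostname or "") not in TRUSTED_NPM_HOSTS:
            findings.append(f"{name}: resolved from untrusted source {resolved or '(none)'}")
        if not meta.get("integrity", "").startswith(("sha512-", "sha256-")):
            findings.append(f"{name}: missing integrity hash")
    return findings

PIN_RE = re.compile(r"^([A-Za-z0-9_.\-\[\]]+)==[^\s\\]+")

def audit_requirements(req_text: str) -> list[str]:
    """Flag requirements.txt lines not pinned with == and a --hash for pip to verify."""
    findings = []
    # pip lets a requirement continue across lines that end with a backslash
    for line in req_text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or pip option line
            continue
        name = re.split(r"[<>=!~\s]", line, maxsplit=1)[0]
        if not PIN_RE.match(line):
            findings.append(f"{name}: not pinned with ==")
        elif "--hash=sha256:" not in line:
            findings.append(f"{name}: no --hash, cannot be verified")
    return findings

# Constructed sample inputs: one verifiable entry and one unverifiable entry each.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "app"},
    "node_modules/left-pad": {"resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
                              "integrity": "sha512-AAAA"},
    "node_modules/dev-helper": {"resolved": "https://example.invalid/dev-helper.tgz"}}})
SAMPLE_REQS = "requests==2.32.3 \\\n    --hash=sha256:0000\nhelper-tool>=1.0\n"

if __name__ == "__main__":
    for finding in audit_npm_lock(SAMPLE_LOCK) + audit_requirements(SAMPLE_REQS):
        print("BLOCK:", finding)
```

Run it as a pipeline step before `npm ci` or `pip install`, and fail the job if it returns any findings.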