
North Korea-linked Lazarus Group's ongoing open-source poisoning model

Threat Actor Meta

Happening score: 43
1 unique source, 1 article

Summary


North Korea-linked threat actors continue to poison open-source ecosystems with malicious packages, signaling an ongoing supply-chain operating model aimed at data theft and financial theft. The activity spans npm and PyPI and uses recruitment-themed lures to get developers to install trojanized dependencies. The pattern matters because it shows a state-linked group sustaining a repeatable ecosystem strategy rather than a one-off package drop.

Related Happenings

Malware-Slop malicious npm file-theft campaign

Campaign
First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: The **Malware-Slop** campaign is distributing a malicious **npm** package that steals local files from installers, creating an unauthorized data-transfer risk for users of **Anthr...

GlassWorm supply-chain malware activity

Malware Activity
First: 27.05.2026 14:48 Last: 27.05.2026 14:48 Sources 1

About this happening: The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...

TrapDoor cross-ecosystem supply-chain campaign

Campaign
First: 25.05.2026 08:59 Last: 25.05.2026 08:59 Sources 1

About this happening: The **TrapDoor** supply-chain campaign has expanded across **npm, PyPI, and Crates.io**, using **34+ malicious packages** to steal developer secrets and credentials. The operation...

TeamPCP supply-chain ecosystem shift and extortion partnerships

Threat Actor Meta
First: 22.05.2026 14:55 Last: 22.05.2026 14:55 Sources 1

About this happening: **TeamPCP** has expanded its supply-chain abuse model across open-source ecosystems, raising the risk of downstream compromise and extortion at scale. The group has **corrupted hu...

TeamPCP opens its offensive framework to copycat supply-chain attackers

Threat Actor Meta
First: 19.05.2026 07:54 Last: 19.05.2026 07:54 Sources 1

About this happening: **TeamPCP** has started distributing its **offensive framework source code**, turning a single supply-chain operation into reusable tradecraft that other threat actors can adopt....

Timeline

  1. 12.02.2026 18:55 · 2 articles

    Lazarus Group graphalgo campaign disclosed

    Initial Disclosure

    Researchers disclosed a North Korea-linked Lazarus Group campaign codenamed graphalgo. It uses fake recruitment lures on LinkedIn, Facebook, Reddit, and Facebook Groups to steer developers toward GitHub "assessment" repositories whose npm and PyPI dependencies install malicious packages. The package chain delivers a remote access trojan with token-based C2 registration, system and file enumeration, file manipulation, and upload/download capability; it also checks infected systems for the MetaMask browser extension. The activity was assessed as active since May 2025.

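The lure in both the summary and the timeline entry above is the same: a recruiter hands a developer a small "assessment" repository and the damage is done by its dependency manifest, not by the task code. The practical check is to triage the manifests before running `npm install` or `pip install`. The script below is an added example, not code from the page or from the researchers it cites. It assumes nothing about the graphalgo packages beyond what the page says (malicious npm/PyPI dependencies); the specific red flags it looks for (npm lifecycle hooks, dependencies fetched from git or URLs instead of the registry, custom pip indexes, unpinned requirements) are general supply-chain hygiene checks, and the sample manifests are constructed for illustration.

```python
"""Pre-install triage for a recruiter-supplied "coding assessment" repository.

Added example (not from the original page or the cited research). The red flags
below are generic supply-chain checks and are an assumption about what a
malicious assessment repo might contain, not behaviour the page attributes to
the graphalgo packages.
"""
import json
import re
from dataclasses import dataclass

# npm runs these automatically during `npm install`, before anyone reads the code.
NPM_LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}

# Dependency specifiers that bypass the registry and fetch code from an arbitrary host.
URL_SPEC = re.compile(r"^(git\+|git:|github:|https?://|file:|ssh:)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    ecosystem: str  # "npm" or "pypi"
    kind: str       # short tag for the class of red flag
    detail: str     # the offending manifest entry


def triage_package_json(text: str) -> list[Finding]:
    """Flag install-time hooks and off-registry dependency sources in a package.json."""
    manifest = json.loads(text)
    findings = []
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in NPM_LIFECYCLE_HOOKS:
            findings.append(Finding("npm", "lifecycle-hook", f"{hook}: {cmd}"))
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if URL_SPEC.match(str(spec)):
                findings.append(Finding("npm", "off-registry-dep", f"{name}@{spec}"))
    return findings


def triage_requirements(text: str) -> list[Finding]:
    """Flag pip option lines, direct-URL references and unpinned entries in requirements.txt."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("-"):
            # -e ., -r other.txt, --index-url / --extra-index-url: can redirect pip itself
            findings.append(Finding("pypi", "pip-option", line))
        elif "@" in line or URL_SPEC.match(line):
            # PEP 508 direct reference ("pkg @ https://...") or a bare URL
            findings.append(Finding("pypi", "direct-url-dep", line))
        elif "==" not in line:
            findings.append(Finding("pypi", "unpinned-dep", line))
    return findings


def triage_repo(package_json: str, requirements: str) -> list[Finding]:
    """Combine both manifest checks for a repo that ships npm and PyPI dependencies."""
    return triage_package_json(package_json) + triage_requirements(requirements)


# Constructed sample manifests (hypothetical names, not real packages), shaped like a
# small take-home task whose dependency files do the real work.
SAMPLE_PACKAGE_JSON = """{
  "name": "assessment-task",
  "version": "1.0.0",
  "scripts": {
    "test": "jest",
    "postinstall": "node ./scripts/setup.js"
  },
  "dependencies": {
    "express": "^4.18.2",
    "assessment-helper": "git+https://github.com/example-org/assessment-helper.git"
  }
}"""

SAMPLE_REQUIREMENTS = """# constructed sample requirements
flask==3.0.0
networkx
assessment-helper @ https://example.invalid/assessment-helper-0.1.tar.gz
--extra-index-url https://pypi.example.invalid/simple
"""

if __name__ == "__main__":
    for f in triage_repo(SAMPLE_PACKAGE_JSON, SAMPLE_REQUIREMENTS):
        print(f"[{f.ecosystem}] {f.kind}: {f.detail}")
```

Run it against a cloned repo's `package.json` and `requirements.txt` before installing anything. A single finding is not proof of malice (plenty of legitimate projects pin a git dependency), but a postinstall hook plus a git-hosted dependency in a repo you were handed by a stranger on LinkedIn is exactly the shape the page describes, and the right response is to install nothing and read the referenced dependency first.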