Find notable cyber news and cases, enriched with sources, timelines, and signals.

North Korea-linked Lazarus Group's ongoing open-source poisoning model

Threat Actor Meta
First reported
Last updated
Happening score
H score 38
1 unique sources, 1 articles

Summary

Hide ▲

North Korea-linked threat actors are continuing to poison open-source ecosystems with malicious packages, signaling an ongoing supply-chain operating model aimed at data theft and financial theft. The activity spans npm and PyPI and uses recruitment-themed lures to pull developers into installing trojanized dependencies. The pattern matters because it shows a state-linked group sustaining a repeatable ecosystem strategy rather than a one-off package drop.

Related Happenings

GitHub API enumeration campaign targeting corporate organizations

Campaign
H score17 First: 09.07.2026 21:38 Last: 09.07.2026 21:38 Sources 1

About this happening: A **GitHub API reconnaissance campaign** is systematically mapping **corporate organizations**, repositories, and user accounts across multiple companies, expanding the risk of fo...

Malicious npm and PyPI Paysafe, Skrill, and Neteller SDK packages delivering stealer malware

Malware Activity
H score37 First: 08.07.2026 22:54 Last: 08.07.2026 22:54 Sources 1

About this happening: Malicious **npm** and **PyPI** packages impersonating **Paysafe**, **Skrill**, and **Neteller** SDKs delivered **stealer malware** that siphoned secrets from developer environment...

North Korean Contagious Interview PolinRider supply-chain campaign

Campaign
H score51 First: 04.07.2026 14:17 Last: 04.07.2026 14:17 Sources 1

About this happening: The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....

Rollup polyfill npm package malware activity for remote access and data theft

Malware Activity
H score16 First: 03.07.2026 19:07 Last: 03.07.2026 19:07 Sources 1

About this happening: **Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...

Mini Shai-Hulud / Miasma / Hades multi-ecosystem supply-chain malware activity

Malware Activity
H score36 First: 26.06.2026 14:05 Last: 26.06.2026 14:05 Sources 1

About this happening: The **Mini Shai-Hulud / Miasma / Hades** malware activity added **malicious npm releases**, **GitHub Actions workflow abuse**, and a related **Go module compromise**, increasing t...

Timeline

  1. 12.02.2026 18:55 2 articles · 4mo ago

    Lazarus Group graphalgo campaign disclosed

    Initial Disclosure

    Researchers disclosed a North Korea-linked Lazarus Group campaign codenamed graphalgo that uses fake recruitment lures on LinkedIn, Facebook, Reddit, and Facebook Groups to steer developers toward GitHub assessment repositories whose npm and PyPI dependencies install malicious packages. The package chain delivers a remote access trojan with token-based C2 registration, system and file enumeration, file manipulation, and upload/download capability, and the activity was assessed as active since May 2025 while also checking infected systems for the MetaMask browser extension.

    Show sources