North Korea-linked Lazarus Group's ongoing open-source poisoning model
Threat Actor Meta
Summary
Hide ▲
Show ▼
North Korea-linked threat actors are continuing to poison open-source ecosystems with malicious packages, signaling an ongoing supply-chain operating model aimed at data theft and financial theft. The activity spans npm and PyPI and uses recruitment-themed lures to pull developers into installing trojanized dependencies. The pattern matters because it shows a state-linked group sustaining a repeatable ecosystem strategy rather than a one-off package drop.
Related Happenings
GitHub API enumeration campaign targeting corporate organizations
Campaign
H score17
First: 09.07.2026 21:38
Last: 09.07.2026 21:38
Sources 1
About this happening:
A **GitHub API reconnaissance campaign** is systematically mapping **corporate organizations**, repositories, and user accounts across multiple companies, expanding the risk of fo...
GitHub API enumeration campaign targeting corporate organizations
CampaignAbout this happening: A **GitHub API reconnaissance campaign** is systematically mapping **corporate organizations**, repositories, and user accounts across multiple companies, expanding the risk of fo...
Malicious npm and PyPI Paysafe, Skrill, and Neteller SDK packages delivering stealer malware
Malware Activity
H score37
First: 08.07.2026 22:54
Last: 08.07.2026 22:54
Sources 1
About this happening:
Malicious **npm** and **PyPI** packages impersonating **Paysafe**, **Skrill**, and **Neteller** SDKs delivered **stealer malware** that siphoned secrets from developer environment...
Malicious npm and PyPI Paysafe, Skrill, and Neteller SDK packages delivering stealer malware
Malware ActivityAbout this happening: Malicious **npm** and **PyPI** packages impersonating **Paysafe**, **Skrill**, and **Neteller** SDKs delivered **stealer malware** that siphoned secrets from developer environment...
North Korean Contagious Interview PolinRider supply-chain campaign
Campaign
H score51
First: 04.07.2026 14:17
Last: 04.07.2026 14:17
Sources 1
About this happening:
The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....
North Korean Contagious Interview PolinRider supply-chain campaign
CampaignAbout this happening: The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....
Rollup polyfill npm package malware activity for remote access and data theft
Malware Activity
H score16
First: 03.07.2026 19:07
Last: 03.07.2026 19:07
Sources 1
About this happening:
**Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...
Rollup polyfill npm package malware activity for remote access and data theft
Malware ActivityAbout this happening: **Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...
Mini Shai-Hulud / Miasma / Hades multi-ecosystem supply-chain malware activity
Malware Activity
H score36
First: 26.06.2026 14:05
Last: 26.06.2026 14:05
Sources 1
About this happening:
The **Mini Shai-Hulud / Miasma / Hades** malware activity added **malicious npm releases**, **GitHub Actions workflow abuse**, and a related **Go module compromise**, increasing t...
Mini Shai-Hulud / Miasma / Hades multi-ecosystem supply-chain malware activity
Malware ActivityAbout this happening: The **Mini Shai-Hulud / Miasma / Hades** malware activity added **malicious npm releases**, **GitHub Actions workflow abuse**, and a related **Go module compromise**, increasing t...
Timeline
-
12.02.2026 18:55 2 articles · 4mo ago
Lazarus Group graphalgo campaign disclosed
Initial DisclosureResearchers disclosed a North Korea-linked Lazarus Group campaign codenamed graphalgo that uses fake recruitment lures on LinkedIn, Facebook, Reddit, and Facebook Groups to steer developers toward GitHub assessment repositories whose npm and PyPI dependencies install malicious packages. The package chain delivers a remote access trojan with token-based C2 registration, system and file enumeration, file manipulation, and upload/download capability, and the activity was assessed as active since May 2025 while also checking infected systems for the MetaMask browser extension.
Show sources
- Lazarus Campaign Plants Malicious Packages in npm and PyPI Ecosystems — thehackernews.com — 12.02.2026 18:55
- Lazarus Campaign Plants Malicious Packages in npm and PyPI Ecosystems — thehackernews.com — 12.02.2026 18:55