Lazarus Group hiding malware in GitHub and open-source packages

Targeting open source repositories increases risk of rapid spread

A North Korean hacking group has been identified as using malicious JavaScript implants to steal cryptocurrency.

North Korea’s Lazarus Group is carrying out a new cyberattack campaign that targets software developers and cryptocurrency users, according to SecurityScorecard’s STRIKE Team.

The group slips “undetectable” malware into GitHub repositories and NPM packages, raising alarms about threats to the global software supply chain.

The attack, called Operation Marstech Mayhem, involves planting malicious JavaScript inside GitHub repositories under a “SuccessFriend” profile.

The group also hides malware inside NPM packages used by cryptocurrency and Web3 developers, increasing the risk of spreading malicious code through software dependencies.

The malware, named Marstech1, goes after cryptocurrency wallets such as MetaMask, Exodus and Atomic. Once inside a system, it scans for these wallets and manipulates browser configuration files to quietly intercept transactions.

This is the second time we’ve heard about cyberattacks on GitHub users in the space of two months. In January, bad actors were found to be taking advantage of the popularity of the developer platform to spread malware.

More cyberattacks expected to hit open source this year

STRIKE says Lazarus’s malicious JavaScript has been active since July 2024, a year in which open source malware attacks tripled.

So far, SecurityScorecard has confirmed 233 victims across the US, Europe and Asia.

This attack is part of a broader trend of increasing supply chain cyber threats. Recently, malicious Python packages disguised as legitimate DeepSeek AI libraries were removed from PyPI after extracting sensitive credentials from developers.

Security experts, per a SecurityWeek report, predict a rise in attacks on open source projects this year due to their widespread adoption. The World Economic Forum also identified supply chain interdependencies as a leading cybersecurity risk this year.