Report: Lazarus Group Exploits Github, NPM Packages in Cryptocurrency Malware Campaign

A state-aligned cyber collective from North Korea has compromised Github repositories and NPM modules with stealthy malicious code to pilfer digital currencies, per a Securityscorecard STRIKE Team analysis.

Security Researchers Warn of Rising Open-Source Malware Attacks Linked to Lazarus Group

As detailed by a Computing.co.uk report, the Lazarus Group injected harmful Javascript into Github projects under the pseudonym “Successfriend,” while subverting NPM tools relied on by blockchain engineers. Codenamed “Operation Marstech Mayhem,” the initiative exploits weaknesses in software supply chains to disseminate the Marstech1 malware, designed to infiltrate wallets such as Metamask, Exodus, and Atomic.

Marstech1 combs infected devices for cryptocurrency wallets, then manipulates browser settings to clandestinely redirect transactions. By disguising itself as benign system activity, the code evades security scans, allowing persistent data extraction. Computing.co.uk says this represents 2025’s second significant Github-based breach, mirroring January 2025 incidents where attackers weaponized the platform’s reach to propagate malicious software.

The report further notes that Securityscorecard verified 233 compromised entities spanning the U.S., Europe, and Asia, with Lazarus-linked scripts operational since July 2024—a year witnessing a threefold jump in open-source malware incidents. Parallel strategies emerged in January 2025, when counterfeit Python libraries masquerading as Deepseek AI utilities were purged from PyPI for harvesting developer logins.

Analysts caution that such incursions may proliferate significantly in 2025, fueled by open-source ubiquity and intertwined development pipelines. Computing.co.uk explains that a Security Week article referenced the World Economic Forum’s (WEF) recent classification of supply chain vulnerabilities as a premier cybersecurity threat.

Lazarus’ newest endeavor epitomizes the advanced tactics of government-sponsored digital espionage aimed at vital tech frameworks. Computing.co.uk notes global entities are advised to scrutinize third-party code integrations and fortify review mechanisms to counter these threats.