Blog February 13, 2025

Lazarus Group Targets Developers Through NPM Packages and Supply Chain Attacks

North Korea’s Lazarus Group is evolving its tactics again. The latest campaign, dubbed Operation Marstech Mayhem, introduces an advanced implant named “Marstech1.” This malware is designed to compromise software developers and cryptocurrency wallets through manipulated open-source repositories. Unlike previous Lazarus operations, this campaign employs obfuscation techniques that make detection significantly harder.

Read the full report here.

Developers Are the Primary Target

The STRIKE team uncovered GitHub repositories associated with this attack. The attackers create fake repositories containing legitimate-looking projects embedded with obfuscated JavaScript payloads. These repositories are promoted on platforms frequented by developers, such as LinkedIn and Discord. Once a victim clones the repository and runs the project, the implant executes silently in the background.

How the Malware Works

The implant, Marstech1, operates in multiple stages:

  • Stage 1: A JavaScript loader connects to a command-and-control (C2) server.
  • Stage 2: The loader downloads additional payloads based on the victim’s system configuration.
  • Stage 3: The malware exfiltrates cryptocurrency wallet data and authentication credentials.

This malware is engineered to persist within a developer’s environment, enabling continued access and further exploitation.

Obfuscation Techniques

The STRIKE team observed several techniques used to evade detection:

  • Base85 Encoding & XOR Decryption: Payloads are stored Base85-encoded and are XOR-decrypted at runtime with an 8-byte repeating key.
  • Control Flow Flattening: The malware rearranges its execution paths so that the real program flow is hard to follow during reverse engineering.
  • Self-Invoking Functions: The implant runs its logic inside immediately-invoked function expressions rather than through named, explicitly called functions, which hinders static analysis.
  • Anti-Debugging Features: The malware detects sandbox and analysis environments and avoids executing its malicious logic inside them.
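The Base85-plus-repeating-XOR layer from the first bullet above, as an added analysis helper that is not code from the report or from SecurityScorecard: it peels the layer with a known key and, because an 8-byte repeating key encrypts every eighth byte with the same key byte, also recovers an unknown key one column at a time. The sample key and plaintext are constructed, and the RFC 1924 Base85 alphabet (Python's `b85` functions) is an assumption since the report does not name the variant.

```python
import base64
from itertools import cycle

# The report describes payloads that are Base85-encoded and XOR-encrypted with an
# 8-byte repeating key. The alphabet is not stated: RFC 1924 is assumed here, and
# base64.a85decode is the drop-in swap if a captured sample turns out to be Ascii85.
KEY_LEN = 8

def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with the key repeated; applying it twice restores the input."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def decode_layer(blob: str, key: bytes) -> bytes:
    """Peel one layer with a known key: Base85-decode, then XOR with the repeating key."""
    return xor_repeat(base64.b85decode(blob), key)

def _score(stream: bytes) -> int:
    """Rate one key-aligned column: script text is mostly lowercase letters and spaces."""
    score = 0
    for b in stream:
        if 0x61 <= b <= 0x7A or b == 0x20:
            score += 1      # lowercase letter or space: expected in source text
        elif not (0x21 <= b <= 0x7E or b in (9, 10, 13)):
            score -= 100    # control or high byte: wrong key byte (other printable bytes are neutral)
    return score

def recover_key(raw: bytes, key_len: int = KEY_LEN) -> bytes:
    """Recover a repeating XOR key from the decoded bytes alone. Key byte i only touches
    bytes i, i+key_len, i+2*key_len, ... so each key byte is brute-forced independently
    by keeping the candidate whose column looks most like script text."""
    key = bytearray()
    for pos in range(key_len):
        column = raw[pos::key_len]
        key.append(max(range(256), key=lambda k: _score(bytes(b ^ k for b in column))))
    return bytes(key)

def deobfuscate(blob: str, key_len: int = KEY_LEN):
    """Return (recovered_key, payload) for a Base85 blob whose key is unknown."""
    raw = base64.b85decode(blob)       # raises ValueError on a malformed blob
    key = recover_key(raw, key_len)
    return key, xor_repeat(raw, key)

# Constructed sample (not from the report): a JavaScript-like line repeated so that
# every key position sees the same character mix, which makes recovery deterministic.
SAMPLE_KEY = bytes.fromhex("5a1c9e3300f742b8")
SAMPLE_PLAINTEXT = b"for (const name of wallets) { const path = locate(name); report(path); }\n" * 8
SAMPLE_BLOB = base64.b85encode(xor_repeat(SAMPLE_PLAINTEXT, SAMPLE_KEY)).decode("ascii")
```

Key recovery needs a few dozen bytes per key position; on a short blob, fall back to `decode_layer` with a key lifted from the loader script itself.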

Lazarus Group’s Expanding Infrastructure

The STRIKE team linked this campaign to previously identified Lazarus operations. The C2 servers involved in Marstech Mayhem operate on port 3000 and lack the React-based web admin panel seen in Operation Phantom Circuit. Instead, they run Node.js Express backends, marking a shift in Lazarus’s infrastructure tactics.

Supply Chain Nightmare

Lazarus is now embedding its malware inside NPM packages, making it nearly impossible for developers to detect without thorough vetting. Organizations using open-source dependencies could unknowingly introduce malicious code into their applications. This extends the attack surface beyond individual developers to entire software ecosystems.

Cryptocurrency Theft Mechanisms

Marstech1 is configured to scan for cryptocurrency wallets such as Exodus, Atomic, and MetaMask across Windows, macOS, and Linux. It targets wallet directories, extracts private keys, and sends them to the C2 server. Additionally, the implant can modify browser configuration files to inject stealthy payloads that can intercept transactions.

STRIKE’s Attribution and Investigation

The STRIKE team traced this activity to GitHub profiles controlled by Lazarus operators. These profiles show a history of committing both legitimate and obfuscated code. The repositories used in this campaign are hosted on infrastructure linked to previous North Korean cyber operations. The profile “SuccessFriend” has been active since July 2024, frequently posting both clean and malicious software, making detection harder.

The Growing Scale of the Attack

STRIKE has confirmed 233 victims across the U.S., Europe, and Asia. Given the widespread use of open-source packages, this number is expected to rise. Developers integrating these compromised dependencies risk propagating the malware further, embedding it into projects used by millions worldwide.

Defensive Measures

To mitigate risks associated with this attack:

  • Verify Code Sources: Clone repositories only from known and verified contributors.
  • Monitor Network Traffic: Look for anomalous outbound connections from developer machines, particularly to unfamiliar hosts on the port used by the C2 servers described above.
  • Use Endpoint Protection: Deploy security tools capable of detecting obfuscated scripts.
  • Audit Dependencies: Regularly check for unexpected modifications in third-party libraries.

The Urgency of Action

Marstech Mayhem represents a strategic escalation in Lazarus’s cyber operations. By targeting developers directly, the group can infiltrate projects and enterprises downstream. Organizations relying on open-source software must strengthen their security posture to prevent widespread compromise.


Contact STRIKE for Assistance

The STRIKE team continues to monitor this evolving threat. If your organization suspects a compromise, contact SecurityScorecard’s STRIKE team immediately for in-depth analysis and remediation strategies.
