2024-06-08, 12:00–12:25, Track 3 (Moody Rm 102)
Nation-state actors are actively targeting software developers through open-source software ecosystems. In this talk you will learn about two recent npm campaigns attributed to the Lazarus Group, a North Korean state-sponsored cyber threat group. Software developers armed with these details of the group's motivations and evolving tactics are better equipped to defend themselves against this serious threat. This talk is intended for all audiences; no prior knowledge of malicious code or malware is assumed.
The Democratic People's Republic of Korea (DPRK), a.k.a. North Korea, has been an active cyber threat since at least 2009. The Ministry of Foreign Affairs for the Republic of Korea, a.k.a. South Korea, estimates that 90% of all DPRK cyber threat activity is attributable to the Reconnaissance General Bureau (RGB) under the General Staff Department of the Korean People's Army. One specific threat group subordinate to the RGB has been dubbed the Lazarus Group, which was reported as responsible for the 2014 attack against Sony Pictures Entertainment.
In June 2023, the Phylum Research Team discovered a series of suspicious packages published in the node package manager (npm) ecosystem. Upon installation, these packages downloaded a malicious payload from a remote server onto the software developer's machine. The following month, GitHub's Director of Security Operations published independent findings, together with Microsoft Threat Intelligence and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), confirming that these packages were the work of the Lazarus Group. This campaign targeting software developers lasted three months.
The Lazarus Group started a new campaign in September 2023 with different and evolving tactics. Dozens of malicious packages have been published during this time and have been seen as recently as February 2024. The details in the code of these packages differ significantly, but a common motive between these two campaigns remains: stealing cryptocurrency from job-seeking software developers through social engineering.
This talk will highlight the most significant findings the Phylum Research Team has uncovered about these campaigns, including the evolution of the Lazarus Group's tactics in both code and social engineering. By the end of the talk you should have a clear picture of the sophisticated threats posed by malicious actors in open-source software ecosystems.
Ross Bryant, Ph.D. is the Chief of Research at Phylum and leads the Phylum Research Team. Ross has over two decades of cybersecurity and math research experience. Prior to joining Phylum in late 2021, he worked as a research project lead at Sandia National Labs where he led a team that researched and developed real-time analytic solutions to network forensics problems. He has also worked in cybersecurity operations for the NSA and U.S. Air Force and as an Applied Research Mathematician for the NSA.