North Korea’s Lazarus Group spreads crypto-stealing malware through open-source software

TLDR

  • North Korea’s Lazarus Group spreads crypto-stealing malware via GitHub and NPM packages.
  • The malware targets Exodus and Atomic wallets on Linux, macOS, and Windows.
  • Researchers confirmed 233 victims, urging developers to monitor supply chain security.

Researchers have reportedly discovered a highly advanced operation from North Korea that’s sneaking crypto-stealing malware into open-source software. The stealthy campaign is designed to spread malware, putting unsuspecting users at risk.

In a blog post published on Thursday (Feb. 13), STRIKE analysts from SecurityScorecard said that North Korea’s Lazarus Group was spreading “undetectable” malicious code through GitHub and NPM packages via Operation Marstech Mayhem. The team also added on X: “Developers are unknowingly pulling infected repositories into their projects, putting crypto wallets and software supply chains at risk.”

STRIKE found that the group had engineered an advanced implant, codenamed “marstech1.” They wrote: “This state-of-the-art tool marks a significant evolution from earlier iterations deployed in global campaigns against developers, featuring unique functional enhancements that distinctly set it apart.”

How does North Korea’s Lazarus Group target crypto developers?

According to cybersecurity researchers, the SuccessFriend GitHub profile, which is linked to the infamous Lazarus Group, has been injecting JavaScript implants into repositories, blending them with legitimate code. The profile has also committed harmless code, making its hostile intent even harder to spot.

This JavaScript implant specifically targets Exodus and Atomic cryptocurrency wallets on Linux, macOS, and Windows. Once installed, it scans the system for crypto wallets, attempting to read file contents or extract metadata to steal sensitive information.

So far, STRIKE has confirmed 233 victims across the US, Europe, and Asia. As cited by The Register, Ryan Sherstobitoff, SecurityScorecard’s SVP of threat research and intelligence, said: “The introduction of the Marstech1 implant, with its layered obfuscation techniques – from control flow flattening and dynamic variable renaming in JavaScript to multi-stage XOR decryption in Python – underscores the threat actor’s sophisticated approach to avoiding both static and dynamic analysis.”

ReadWrite has previously covered the group’s activities. In September, the FBI issued an advisory warning that North Korea has been aggressively targeting cryptocurrency businesses and companies, in a bid to potentially fund its national ambitions, including missile and nuclear weapons development.

Sherstobitoff stressed the importance of staying ahead of these threats, urging organizations and developers to take proactive security measures. He added that organizations needed to “continuously monitor supply chain activities, and integrate advanced threat intelligence solutions to mitigate the risk.”
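
As an added example (not code from STRIKE, SecurityScorecard or this article), the JavaScript below scores dependency source text for the traits the report describes: machine-renamed identifiers, flattened control flow, and references to the Exodus or Atomic wallets next to file reads. The regular expressions, weights, review threshold and sample files are assumptions constructed here, not published Marstech1 indicators.

```javascript
// Added example: static triage of dependency source text. The patterns are
// generic obfuscation markers (assumed), not published Marstech1 signatures.
const SIGNALS = [
  { // Dynamic variable renaming: many machine-made names such as _0x3fa2b1.
    name: 'hex-renamed-identifiers', weight: 2,
    hit: (src) => (src.match(/\b_0x[0-9a-f]{4,}\b/gi) || []).length >= 5,
  },
  { // Control flow flattening: an endless loop that drives a switch dispatcher.
    name: 'flattened-control-flow', weight: 3,
    hit: (src) => /while\s*\(\s*(?:true|1|!!\[\])\s*\)\s*\{\s*switch\s*\(/.test(src),
  },
  { // Wallet names from the article appearing in code that also reads files.
    name: 'wallet-name-with-file-read', weight: 3,
    hit: (src) => /\b(?:exodus|atomic)\b/i.test(src) &&
      /\b(?:readFileSync|readFile|readdirSync|readdir|statSync)\s*\(/.test(src),
  },
];

// Score one file; two or more signals (score >= 5) marks it for manual review.
function scoreSource(src) {
  const signals = SIGNALS.filter((s) => s.hit(src));
  const score = signals.reduce((sum, s) => sum + s.weight, 0);
  return { score, signals: signals.map((s) => s.name), review: score >= 5 };
}

// files: object mapping a path to its source text; returns paths to review.
function triage(files) {
  return Object.keys(files).filter((p) => scoreSource(files[p]).review).sort();
}

// Constructed samples (harmless strings written for this example).
const SAMPLES = {
  'pkg-a/index.js': "const fs = require('fs');\n" +
    "module.exports = (p) => fs.readFileSync(p, 'utf8').trim();\n",
  'pkg-b/lib/util.js': "var _0x1a2b3c=['1|0|2'],_0x4d5e6f=_0x1a2b3c[0].split('|'),_0x7a8b9c=0;" +
    "while(!![]){switch(_0x4d5e6f[_0x7a8b9c++]){case'0':var _0xaa11bb=1;continue;" +
    "case'1':var _0xcc22dd=2;continue;case'2':var _0xee33ff=_0xaa11bb+_0xcc22dd;continue;}break;}",
  // A lone weak signal ("atomic" in a comment plus a file read) stays below the threshold.
  'pkg-c/backup.js': "// atomic write helper\nconst fs = require('fs');\n" +
    "fs.readFileSync('config.json');\n",
};

console.log(triage(SAMPLES)); // → [ 'pkg-b/lib/util.js' ]
```

To use it on a real project, pass `triage` an object built from the contents of the `.js` files under `node_modules`; a hit is a prompt for manual review, not a verdict.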

Suswati Basu
Tech journalist