- Lazarus was seen poisoning open source software with infostealers
- The campaign is dubbed Phantom Circuit, and targets mostly European software devs
- Multiple repositories were found poisoned with malware
The notorious North Korean hackers Lazarus have been targeting software developers, particularly those in the Web3 industry, with infostealing malware, grabbing their credentials, authentication tokens, and other valuable data, experts have warned.
Cybersecurity researchers SecurityScorecard released a report detailing the campaign, which included a software supply-chain attack and open-source poisoning.
Lazarus Group, an infamous hacking collective on North Korea’s payroll, was spotted grabbing different open source tools, poisoning them with malicious code, and then returning them to code repositories and platforms such as Gitlab.
Targeting Web3 devs
Developers would then pick up these tools by mistake, and would unknowingly get infected with malware.
The researchers named the operation Phantom Circuit, and apparently ended up compromising more than 1,500 victims. Most of them are based in Europe, with notable additions from India and Brazil.
The modified repositories apparently included Codementor, CoinProperty, Web3 E-Store, a Python-based password manager, and “other cryptocurrency-related apps, authentication packages, and web3 technologies”, citing Ryan Sherstobitoff, senior VP of research and threat intelligence at SecurityScorecard.
The researchers did not say if Lazarus used any known infostealer in this campaign, or created new code from scratch. The group is known for using a wide variety of tools in their attacks.
Lazarus often targets cryptocurrency companies. Some researchers are saying the country is engaging in crypto theft to fund its state apparatus, as well as its weapons program. The group is famous for its fake job campaign, called Operation DreamJob, in which it targets Web3 software developers with fake, lucrative job offers.
During the interview stages, the attackers would trick the candidate into downloading and running infostealers, grabbing their tokens, and those of their employers. In one such instance, Lazarus managed to steal roughly $600 million.