A New Supply Chain Attack by Lazarus
Cybersecurity researchers have uncovered a highly sophisticated campaign by the North Korean state-sponsored Lazarus Group. Dubbed Phantom Circuit, this operation involves cloning legitimate software projects, injecting them with malicious backdoors, and redistributing them to developers worldwide.
The goal? To infiltrate corporate environments, steal sensitive data, and establish persistent access to compromised systems.
Who’s at Risk?
The following popular software projects were found to be replicated and modified with embedded malware:
- Codementor – A developer learning platform.
- CoinProperty – A cryptocurrency asset management tool.
- Web3 E-Store – A decentralized online store framework.
- Python-based Password Manager – A widely used security utility.
- Various authentication libraries – Integrated into multiple applications.
- Web3 development tools – Critical for blockchain-based software projects.
How the Attack Works
- Lazarus clones legitimate software repositories and uploads them to GitLab with subtle modifications.
- A malicious backdoor is embedded into the code, primarily within Node.js libraries.
- Developers download and integrate the infected code into corporate environments, unknowingly introducing the embedded backdoor into their own builds.
- Once executed, the malware exfiltrates sensitive company data to North Korean command-and-control (C2) servers.
How Phantom Circuit Compromises Systems
Malicious Code Injection into Open-Source Projects
Lazarus strategically places customized backdoors inside widely used developer tools and authentication libraries. The malware is designed to:
- Steal credentials used in cloud and DevOps environments.
- Exfiltrate cryptographic keys from cryptocurrency applications.
- Log keystrokes and user actions from compromised machines.
Targeting Web3 and Crypto Infrastructure
Many of the affected tools are Web3-related, indicating an ongoing focus on cryptocurrency and decentralized finance (DeFi)—a long-standing Lazarus priority. By compromising Web3 development tools, Lazarus can hijack wallets, manipulate transactions, and steal blockchain assets.
Supply Chain Attack via GitLab
By hosting infected repositories on GitLab, Lazarus effectively turns trusted development tools into cyber weapons, exploiting developers as entry points into larger organizations.
Advanced Evasion Techniques
- Code obfuscation and modular payloads to avoid detection.
- Multi-stage infection chain – Some tools only activate malware after specific user actions, making detection harder.
- Encrypted communication with C2 servers, preventing traditional network monitoring tools from flagging anomalies.
The Growing Threat to Software Supply Chains
Lazarus Group’s Phantom Circuit attack is yet another supply chain compromise, a method increasingly favored by nation-state actors. These attacks bypass traditional security defenses, infecting entire software ecosystems instead of targeting individual users.
Key Recommendations for Developers and Organizations
- Verify the authenticity of open-source software repositories before downloading.
- Conduct static and dynamic code analysis on third-party libraries before integration.
- Implement runtime behavior monitoring to detect unauthorized data exfiltration.
- Use cryptographic code signing to ensure software integrity.
- Segment development environments to prevent lateral movement if a tool is compromised.
Ongoing Threat: Lazarus Remains Active
The Phantom Circuit campaign is still ongoing, posing a significant risk to technology companies worldwide. Developers who have downloaded any of the affected repositories are strongly advised to review their systems for indicators of compromise (IOCs).
Lazarus Group has a long history of targeting financial institutions, cryptocurrency exchanges, and critical infrastructure, making it one of the most dangerous state-backed cyber adversaries today.