SENTINEL INTELLIGENCE PROTOCOL  ·  TLP:WHITE  ·  AUTHORIZED DISTRIBUTION ONLY

ANALYSIS · THREAT INTELLIGENCE · SUPPLY CHAIN · PREMIUM ANALYSIS

Anatomy of a Supply Chain Intrusion: Tracking the Lazarus Group's 18-Month Operation

An exclusive deep-dive investigation into a sophisticated software supply chain campaign attributed to North Korea's Lazarus Group that compromised 47 downstream organizations through a single poisoned open-source dependency.

By Ingrid Solberg
2025-06-07
14 MIN READ
VERIFIED INTELLIGENCE

Introduction

Over the past 18 months, Sentinel Intelligence Protocol has conducted a sustained tracking operation on a supply chain intrusion campaign that researchers at our threat intelligence unit are calling OPERATION JADE ANCHOR. What follows is the most complete public accounting of this campaign to date—including previously unpublished indicators of compromise, attribution evidence, and a reconstructed timeline of the adversary's operations.

The campaign's central innovation was the insertion of a backdoored version of libarchive-compat, a utility library used primarily by developer toolchains and CI/CD pipelines. The malicious package was published to npm under the handle archive_tools and accumulated 2.3 million downloads before detection.

Initial Compromise and Seeding

Lazarus Group's initial foothold began not with technical exploitation, but with a 14-month long-term infiltration of the development community. Investigators have identified the threat actor as operating under at least six separate developer personas, all building credible GitHub contribution histories:

  • @devlin-ryu — 847 legitimate commits across 23 popular repositories
  • @kwon_security — Published three utility libraries with genuine security improvements
  • @archive_util_dev — The persona ultimately used to publish the malicious package

Each persona engaged in pull request reviews, bug reports, and documentation improvements—activities designed to establish technical credibility and reduce suspicion when the malicious package was eventually submitted.

Technical Mechanism

The backdoor itself was embedded within libarchive-compat's decompression module as a conditional code path triggered by a specific sequence of API calls that would only occur during CI/CD pipeline execution—not during typical unit testing. This allowed the payload to remain dormant during routine security scanning.

// Obfuscated trigger condition (reconstructed)
if (process.env.CI && process.env.GITHUB_TOKEN && 
    entropy(process.env.GITHUB_TOKEN) > 4.2) {
    // Exfiltrate credentials and establish C2
}

Upon triggering, the backdoor would:

  1. Exfiltrate all environment variables (harvesting CI secrets, API keys, and credentials)
  2. Establish a reverse shell to attacker-controlled infrastructure
  3. Inject a secondary payload into the build artifact being produced
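The dormant trigger above is invisible to unit tests precisely because it keys on CI-only variables. The following added example (ours, not code from the original report or from the libarchive-compat project) shows one runtime tripwire that makes such reads observable: a Proxy around the environment that logs every read of a secret-looking variable and denies reads from callers outside an allow-list. The variable-name pattern, the function names, the allow-list policy and the sample values are assumptions made for illustration.

```javascript
'use strict';

// Added example, not code from the original report: a runtime tripwire for
// CI secrets. The trigger described in the report fires only when CI and
// GITHUB_TOKEN are both present, so static scans and unit tests never see it.
// Wrapping the environment in a Proxy makes every read of a secret-looking
// variable observable at build time, and reads by callers outside an
// allow-list are denied (the reader gets `undefined`). The name pattern,
// the allow-list policy and the sample values are assumptions.

const SECRET_NAME = /(TOKEN|SECRET|PASSWORD|PASSWD|API_KEY|PRIVATE_KEY|CREDENTIAL)/i;

/**
 * Wrap `env` so that reads of secret-looking keys are logged and policed.
 * `allowedCallers`: substrings that must appear in the immediate caller's
 * stack frame for a read to be permitted. Caller attribution via Error.stack
 * is a heuristic (a payload could mimic a frame name), so treat the log as a
 * detection signal for the pipeline, not as a sandbox.
 */
function guardEnv(env, { allowedCallers = [] } = {}) {
  const log = [];
  const proxy = new Proxy(env, {
    get(target, key, receiver) {
      if (typeof key !== 'string' || !SECRET_NAME.test(key)) {
        return Reflect.get(target, key, receiver);
      }
      // Frame 0 is "Error", frame 1 is this trap, frame 2 is the code that read the key.
      const frames = (new Error().stack || '').split('\n');
      const caller = (frames[2] || '').trim();
      const permitted = allowedCallers.some((needle) => caller.includes(needle));
      log.push({ key, caller, permitted });
      return permitted ? Reflect.get(target, key, receiver) : undefined;
    },
  });
  return { env: proxy, log };
}

// Two readers with identical code: only the named, allow-listed build step
// is expected to touch the token.
function trustedBuildStep(env) {
  return env.GITHUB_TOKEN;
}
function unexpectedReader(env) {
  // The same access a dormant dependency would make once it sees CI set.
  return env.GITHUB_TOKEN;
}

// Constructed sample environment (not real credentials).
function sampleEnv() {
  return { CI: 'true', NODE_ENV: 'production', GITHUB_TOKEN: 'ghp_constructed_sample_value' };
}

function demo() {
  const { env, log } = guardEnv(sampleEnv(), { allowedCallers: ['trustedBuildStep'] });
  const fromBuild = trustedBuildStep(env);        // permitted
  const fromDependency = unexpectedReader(env);   // denied: undefined
  const dumped = JSON.parse(JSON.stringify(env)); // a bulk dump also goes through the trap
  return {
    fromBuild,
    fromDependency,
    dumpedHasToken: Object.prototype.hasOwnProperty.call(dumped, 'GITHUB_TOKEN'),
    denied: log.filter((entry) => !entry.permitted),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Loaded ahead of the build (for instance with `node -r ./env-guard.js`, reassigning `process.env` to the guarded object), the denied-read log becomes a pipeline signal: a decompression library reading GITHUB_TOKEN is exactly the behaviour the report describes. Caller attribution from Error.stack is a heuristic that a payload can evade, so this is detection rather than containment.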

Downstream Impact

The 47 confirmed downstream victims span financial services (31%), technology (28%), defense contractors (23%), and government contractors (18%). In several cases, the malicious build artifacts were deployed to production environments, extending the adversary's access into operational infrastructure.

The most significant confirmed breach involved a Tier 1 financial institution where Lazarus Group maintained access to internal trading system credentials for approximately 73 days before detection—consistent with the group's known interest in cryptocurrency and financial system targeting.

Attribution Evidence

Attribution to Lazarus Group (HIDDEN COBRA) rests on five independent lines of evidence, each assessed at high confidence:

  1. Infrastructure: C2 domains registered through Namedotcom with privacy protection, resolving to IP ranges in Laos and Cambodia previously associated with Lazarus operations
  2. Code artifacts: A custom XOR encoding routine with a key structure (0x4e4b5234) matching samples in the Lazarus Group malware corpus dating to 2019
  3. Operational timing: Activity windows consistent with UTC+9 business hours, with a statistical gap in activity coinciding with North Korean public holidays
  4. TTP overlap: The developer persona infiltration methodology matches TTPs documented in the 3CX supply chain attack
  5. Financial follow-through: Cryptocurrency wallets used to receive exfiltrated funds show transaction patterns consistent with known Lazarus Group laundering infrastructure

Recommendations

This operation underscores the inadequacy of signature-based controls for supply chain threats. Defenders should implement:

  • Reproducible builds with hash verification of all dependencies
  • Runtime behavior monitoring for CI/CD pipeline processes accessing network resources
  • Developer identity verification for trusted maintainer roles in critical open-source projects
  • Dependency pinning with cryptographic attestation via tools like Sigstore/Cosign

The full set of indicators of compromise, including all six developer persona accounts, malicious package versions, and C2 infrastructure, is available to Sentinel Intelligence Protocol Premium subscribers in Annex A.