The intersection between nation-state threat actors and the npm/PyPI ecosystem used to be a thing researchers speculated about. By 2024 it is operational reality, and Labyrinth Chollima, a DPRK-linked group tracked under several names (a Lazarus Group subcluster, sometimes overlapping with the broader Chollima umbrella), has made open source package poisoning a signature technique. Campaigns attributed to or associated with this group have hit npm, PyPI, and Hugging Face over the last 18 months. The tradecraft is more sophisticated than the early typosquatting pattern, and the defensive response requires more than automated SCA scanning.
The tradecraft pattern
Three recurring elements:
Targeted developer victim selection. Labyrinth Chollima activity has repeatedly targeted developers at specific companies rather than spraying across the ecosystem. Job-posting lures, LinkedIn outreach, fake recruiter profiles, technical interviews that deliver malware through "coding challenges" — all point toward specific organisational targets.
Credential harvesting via malicious packages. Once a developer is lured into downloading or installing an attacker-chosen package, the payload harvests credentials (keychain contents, AWS credentials, GitHub tokens) and exfiltrates them. This provides persistent access to the victim's environment.
Legitimate-looking package distribution. The malicious packages often look plausible — reasonable names, realistic descriptions, sometimes cloned from legitimate projects with added payloads. The sophistication has increased over time.
The 2024 Contagious Interview pattern
The campaign tracked as "Contagious Interview" (CrowdStrike) and "DEV#POPPER" (Securonix) through 2024 used a specific workflow:
- Attacker poses as a recruiter contacting developer targets via LinkedIn.
- Developer invited to a technical interview with a coding challenge.
- Challenge includes a "test environment" repository with malicious npm dependencies or direct malicious code.
- Upon npm install or running the test code, credential-harvesting payload executes.
- Harvested credentials exfiltrated to C2 infrastructure.
This pattern has been observed repeatedly. Victim targeting shifts from opportunistic to specifically chosen individuals at high-value target organisations.
Package hosting infrastructure
Labyrinth Chollima-associated packages have been found on:
- npm — dozens of packages disclosed and taken down across 2023–2024. Names span typosquatted legitimate packages and novel malicious names.
- PyPI: similar volume; PyPI's 2FA enforcement has raised the bar for the credential-phishing path but has not eliminated package poisoning.
- Hugging Face — machine learning model repositories have been a newer target vector.
The packages are typically taken down within hours to days of discovery, but the initial exploitation window is enough to compromise some targets.
Attribution caveats
Attribution of open-source-ecosystem attacks to specific threat actors is harder than attribution for endpoint malware. Indicators overlap, operational security varies, and the same tactics are used by multiple groups including non-state actors. The "Labyrinth Chollima" label reflects consensus from several major threat intelligence providers but should be read with the usual attribution-uncertainty caveats.
What is less uncertain: DPRK-linked activity targeting software developers via open source ecosystems is ongoing, professionalised, and not decreasing.
The financial-sector focus
A substantial fraction of Labyrinth Chollima activity appears focused on cryptocurrency-related and financial-sector developers. DPRK's need for foreign currency and the relatively weak defender posture of many crypto organisations align with this focus.
The implication for non-crypto organisations is not "we are safe" but "we are lower priority." A well-targeted developer at any organisation is valuable enough to warrant this level of tradecraft.
Defensive response layers
Four layers that reduce exposure:
Workstation-level defenses. EDR coverage on developer workstations with specific rules for outbound connections from npm install, pip install, and similar package manager invocations. Baseline normal behaviour and alert on outliers.
Package-manager-level defenses. npm workspace configurations that disable install scripts by default. pip install with --no-binary for packages requiring scrutiny. cargo install --locked to pin to lockfile content.
Hiring-process awareness. Train developers to recognise recruitment-based social engineering. Make sure coding challenges come through official channels, not from LinkedIn DMs directing to external GitHub repos.
Credential scope narrowing. Developer workstation credentials should be scoped so that their theft does not grant production access. The Contagious Interview pattern's value depends on the target's credentials being broadly useful; narrowing scope reduces the value of successful compromise.
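As an added example (not from the original article or any vendor tooling), the package-manager layer can include a static review of a received "coding challenge" repository before anything is installed. This sketch reads package.json and package-lock.json without executing them and flags root lifecycle scripts, dependencies marked with install scripts, and tarballs resolved from outside the registry. The trusted host set, package names and URLs are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Assumption: only the public npm registry is trusted; add a private registry host if used.
TRUSTED_HOSTS = {"registry.npmjs.org"}
# Root-project lifecycle scripts that npm runs during a plain `npm install`.
ROOT_LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")

def audit_repo(package_json_text, lock_text, trusted_hosts=TRUSTED_HOSTS):
    """Return sorted (package, reason) findings without executing anything."""
    findings = []
    scripts = json.loads(package_json_text).get("scripts", {})
    for hook in ROOT_LIFECYCLE:
        if hook in scripts:
            findings.append(("<root>", f"root-script:{hook}"))
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if path == "":  # root project entry carries no install metadata
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        if meta.get("hasInstallScript"):  # recorded by npm in lockfile v2/v3
            findings.append((name, "install-script"))
        resolved = meta.get("resolved", "")
        if resolved and urlparse(resolved).hostname not in trusted_hosts:
            findings.append((name, "off-registry-source"))
        if resolved and not meta.get("integrity"):
            findings.append((name, "missing-integrity"))
    return sorted(findings)

# Constructed sample: a "coding challenge" repo; every name and URL here is made up.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "interview-challenge",
    "scripts": {"test": "jest", "prepare": "node ./tools/setup.js"},
})
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "interview-challenge"},
        "node_modules/example-helper-pkg": {
            "resolved": "https://registry.npmjs.org/example-helper-pkg/-/example-helper-pkg-1.2.0.tgz",
            "integrity": "sha512-CONSTRUCTED-PLACEHOLDER",
        },
        "node_modules/example-logger-pkg": {
            "resolved": "https://files.example.test/example-logger-pkg-0.0.3.tgz",
            "hasInstallScript": True,
        },
    },
})
```

Any finding is a reason to read the referenced script or tarball before running an install, not proof of malice; legitimate native-addon packages also carry install scripts.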
The specific IoCs to watch
Threat intelligence providers publish IoCs routinely. The durable signal patterns:
- Specific C2 domains and IP ranges used for credential exfiltration.
- Hash values of specific malicious package versions.
- Behavioural patterns (outbound connections to specific ports from node, python processes during install phases).
- Recruitment-targeting pattern indicators (LinkedIn profiles with specific patterns, suspicious "coding challenge" repositories).
Subscribing to at least one threat feed that covers open-source-ecosystem activity is now table stakes for any organisation with a substantial developer population.
Signals that should trigger developer-workstation IR
- npm install producing outbound connections to unfamiliar destinations.
- Keychain/credential-store access patterns during package installation phases.
- Post-install processes persisting after the install command completes.
- Node or Python processes making anomalous network connections.
Developer workstations are often less monitored than production systems. The Labyrinth Chollima pattern specifically exploits this gap.
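The signals above can be expressed as detection logic over process telemetry. The following is an added example, not code from the original article or from any EDR product: it walks a constructed event stream, attributes each process to an ancestor package-install command, and raises the outbound-connection, credential-store and persistence signals. The event schema, allowlist and credential path fragments are assumptions.

```python
import re

INSTALL_RE = re.compile(r"\b(npm|pnpm|yarn)\s+(install|ci|i)\b|\bpip3?\s+install\b")
# Assumption: destinations a package install is expected to reach in this environment.
ALLOWED_HOSTS = {"registry.npmjs.org", "pypi.org", "files.pythonhosted.org"}
# Assumption: path fragments for AWS credentials, the macOS keychain and GitHub CLI tokens.
CRED_MARKERS = (".aws/credentials", "login.keychain", ".config/gh/hosts.yml")

def triage(events, allowed=ALLOWED_HOSTS):
    """Return sorted (pid, signal) pairs for processes running under a package install."""
    parent, roots, exit_ts, alerts = {}, set(), {}, set()
    def install_root(pid):  # nearest ancestor (or self) that is an install command
        while pid is not None:
            if pid in roots:
                return pid
            pid = parent.get(pid)
        return None
    for e in sorted(events, key=lambda e: e["ts"]):
        pid = e["pid"]
        if e["type"] == "exec":
            parent[pid] = e["ppid"]
            if INSTALL_RE.search(e["cmd"]):
                roots.add(pid)
        elif e["type"] == "exit":
            exit_ts[pid] = e["ts"]
        elif install_root(pid) is not None:
            if e["type"] == "connect" and e["host"] not in allowed:
                alerts.add((pid, "install-outbound-unfamiliar"))
            if e["type"] == "open" and any(m in e["path"] for m in CRED_MARKERS):
                alerts.add((pid, "credential-store-access"))
    for pid in parent:  # children still alive after their install command has exited
        root = install_root(pid)
        if (root not in (None, pid) and root in exit_ts
                and exit_ts.get(pid, float("inf")) > exit_ts[root]):
            alerts.add((pid, "outlives-install"))
    return sorted(alerts)

# Constructed telemetry (not real logs): pid 100 is the install, pid 101 a script it spawned.
EVENTS = [
    {"ts": 1, "type": "exec", "pid": 100, "ppid": 1, "cmd": "npm install"},
    {"ts": 2, "type": "connect", "pid": 100, "host": "registry.npmjs.org"},
    {"ts": 3, "type": "exec", "pid": 101, "ppid": 100, "cmd": "node scripts/setup.js"},
    {"ts": 4, "type": "open", "pid": 101, "path": "/Users/dev/.aws/credentials"},
    {"ts": 5, "type": "connect", "pid": 101, "host": "203.0.113.10"},
    {"ts": 6, "type": "exit", "pid": 100},
    {"ts": 9, "type": "exec", "pid": 200, "ppid": 1, "cmd": "node server.js"},
    {"ts": 10, "type": "connect", "pid": 200, "host": "203.0.113.10"},
]
```

The same destination from pid 200 is not flagged because that process has no install ancestor; the rule keys on lineage, which is what separates install-time behaviour from ordinary development traffic.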
The contribution-based attack variant
A separate but related pattern involves attackers gaining contribution rights to legitimate open source projects through social engineering or long-term relationship-building, then planting malicious code. XZ Utils (March 2024) is the canonical example, though attribution to DPRK versus other actors is less clear there.
Labyrinth Chollima activity has shown elements of the contribution-based pattern on smaller projects. The scale has not matched XZ Utils but the tradecraft is present.
What threat intelligence cycles look like for this actor
Defender awareness of Labyrinth Chollima open-source activity typically lags new campaigns by weeks to months. The operational cycle is:
- New campaign launches.
- Several weeks of silent operations against selected targets.
- One or more targets discover compromise.
- Threat intelligence providers identify patterns, publish indicators.
- Defensive tooling catches up.
- Campaign tactics evolve, cycle restarts.
Defender investment that matters: being inside the first wave of updated indicator consumption, not the last. Threat feed integration latency of "weekly update" is too slow for this tempo.
How Safeguard Helps
Safeguard integrates curated open-source threat intelligence feeds and flags packages in the dependency graph whose metadata or content matches known Labyrinth Chollima-associated indicators. Griffin AI correlates package-installation anomalies on developer workstations with repository and recruitment-signal patterns to surface potential targeting early. Policy gates can restrict npm install from unexpected or low-reputation packages in developer environments and require reviewer approval for new dependency additions with elevated-risk signatures. For organisations whose developer population is a plausible Labyrinth Chollima target, Safeguard provides the specific visibility that generic SCA tooling misses.