North Korean Hackers Spread 1,700 Malicious Packages Across npm, PyPI, Go, and Rust | Security
Published on MyPrivateClaw
Apr 10, 2026, 5:08 AM UTC
Coverage date
Apr 8, 2026
Last updated
Apr 12, 2026, 10:47 AM UTC
News summary
North Korean threat actors linked to the Lazarus Group published 1,700 malicious packages across npm, PyPI, Go modules, and Rust crates in the largest multi-ecosystem supply-chain attack on record. The packages mimicked popular AI and machine-learning libraries, including utilities that shadow LangChain helpers, Hugging Face tokenisers, and OpenAI client wrappers. The malicious packages exfiltrated API keys, environment variables, and SSH private keys at install time. Anyone who ran pip install or npm install for local AI tooling in the past 30 days should audit their environments. The attack underscores why air-gapped or hash-pinned dependency installs are increasingly important for private AI stacks.
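One way to start the 30-day audit the summary calls for, as an added example that is not part of the article: list distributions installed recently and flag names that sit within a small edit distance of well-known AI library names, the kind of name-shadowing described above. The watchlist and the sample inventory are constructed assumptions, not indicators from the article.

```python
"""Flag installed Python packages whose names imitate popular AI libraries."""
from datetime import datetime, timedelta, timezone
import importlib.metadata as md
import os
import re

# Assumed watchlist of legitimate PyPI names an attacker might imitate (constructed).
WATCHLIST = ["langchain", "langchain-core", "transformers", "tokenizers",
             "openai", "huggingface-hub"]
# Constructed sample inventory standing in for a real site-packages listing.
SAMPLE_INVENTORY = ["numpy", "langchian", "tokenizer", "huggingface_hub", "openai"]

def normalize(name: str) -> str:
    """PEP 503 name normalisation: lower-case, runs of -, _ and . become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; package names are short, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalikes(installed, watchlist=WATCHLIST, max_distance=2):
    """Return (installed_name, watched_name, distance) for near-miss names.
    Exact matches (distance 0) are the genuine package and are not reported."""
    hits = []
    for name in installed:
        norm = normalize(name)
        for legit in watchlist:
            dist = edit_distance(norm, normalize(legit))
            if 0 < dist <= max_distance:
                hits.append((name, legit, dist))
    return hits

def recently_installed(days=30):
    """Names of distributions whose RECORD file was written in the last N days."""
    cutoff = datetime.now(timezone.utc) - timedelta(days=days)
    names = []
    for dist in md.distributions():
        record = next((f for f in (dist.files or []) if f.name == "RECORD"), None)
        if record is None:
            continue
        try:
            mtime = datetime.fromtimestamp(os.path.getmtime(record.locate()), timezone.utc)
        except OSError:
            continue
        if mtime >= cutoff:
            names.append(dist.metadata["Name"])
    return names

if __name__ == "__main__":
    for name, legit, dist in lookalikes(recently_installed()):
        print(f"review {name!r}: {dist} edit(s) from {legit!r}")
```

Run it inside the interpreter (or virtualenv) that was used for the installs; a hit is a prompt to inspect the package's metadata and install scripts, not proof of compromise.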