A new variation of a fake recruiter campaign attributed to North Korea's Lazarus group targets JavaScript and Python developers with cryptocurrency-related coding tasks that trick applicants into cloning and running repositories that pull in malicious npm and PyPI packages. Researchers uncovered 192 such packages, dubbed "Graphalgo", that deliver a modular RAT capable of MetaMask theft, token-protected C2, remote command execution, and data exfiltration; impacted developers should rotate credentials and reinstall their OS. #Graphalgo #Lazarus
Keypoints
- Threat actors post fake blockchain and crypto-trading job offers and use coding tests to get targets to run infected code.
- ReversingLabs found 192 malicious packages on npm and PyPI associated with the campaign, named Graphalgo.
- The malicious packages act as downloaders for a RAT that can list processes, execute commands, exfiltrate files, drop payloads, and check for MetaMask.
- The campaign is modular, with delayed activation and token-protected C2; attribution to Lazarus is supported by overlapping TTPs and by Git commit timestamps in the GMT+9 time zone (Korea Standard Time).
- Researchers recommend rotating all tokens and passwords and reinstalling affected systems after removing the malicious packages.
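The practical lesson of the campaign is that a "coding test" repository gets its code executed at `npm install` / `pip install` time, before the candidate reads a line of it. The following is an added example of a pre-install audit, not code from the ReversingLabs report, the Graphalgo packages or the campaign's repositories. It surfaces the two install-time code paths the summary describes: npm lifecycle scripts (`preinstall`, `install`, `postinstall`, `prepare`) and dependency entries in `package.json` and `requirements.txt` that pull unvetted, unpinned or URL-sourced packages. The sample repository contents and the package name `example-chart-utils` are constructed for illustration; the real Graphalgo package names are not reproduced here.

```python
"""Audit a take-home coding-test repo before installing anything.

Added example, not code from the ReversingLabs report or the campaign.
Sample files and package names below are constructed for illustration.
"""
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# npm executes these script names automatically during `npm install` / `npm ci`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
DEP_KEYS = ("dependencies", "devDependencies", "optionalDependencies")

# Constructed sample: a plausible "trading bot" assignment repo.
SAMPLE_PACKAGE_JSON = """{
  "name": "trading-bot-assignment",
  "version": "1.0.0",
  "scripts": {
    "test": "jest",
    "postinstall": "node scripts/setup.js"
  },
  "dependencies": {
    "express": "^4.18.2",
    "example-chart-utils": "latest"
  }
}"""
SAMPLE_REQUIREMENTS = """requests==2.31.0
example-chart-utils
git+https://example.invalid/org/tool.git#egg=example-tool
"""


def audit_package_json(text: str) -> Dict[str, List[str]]:
    """Return install-time lifecycle hooks and every dependency spec in a package.json."""
    pkg = json.loads(text)
    scripts = pkg.get("scripts") or {}
    hooks = [f"{name}: {cmd}" for name, cmd in scripts.items() if name in LIFECYCLE_HOOKS]
    deps = [f"{name}@{spec}" for key in DEP_KEYS for name, spec in (pkg.get(key) or {}).items()]
    return {"hooks": hooks, "dependencies": deps}


def audit_requirements(text: str) -> List[Tuple[str, str]]:
    """Classify each requirement line: pinned, unpinned, pip option, or fetched from a URL/VCS."""
    findings: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"^(-e\s|git\+|https?://)", line):
            findings.append((line, "vcs/url source"))   # arbitrary code from a remote repo
        elif line.startswith("-"):
            findings.append((line, "pip option"))       # e.g. --index-url pointing at a rogue index
        elif "==" in line:
            findings.append((line, "pinned"))
        else:
            findings.append((line, "unpinned"))         # resolves to whatever the registry serves today
    return findings


def audit_repo(root: Path) -> Dict[str, object]:
    """Walk a cloned repo and audit every package.json / requirements*.txt outside node_modules."""
    report: Dict[str, object] = {}
    for path in root.rglob("*"):
        if "node_modules" in path.parts or not path.is_file():
            continue
        rel = str(path.relative_to(root))
        if path.name == "package.json":
            report[rel] = audit_package_json(path.read_text())
        elif path.name.startswith("requirements") and path.suffix == ".txt":
            report[rel] = audit_requirements(path.read_text())
    return report


def needs_review(report: Dict[str, object]) -> bool:
    """True if any lifecycle hook, floating npm version, or non-pinned pip entry was found."""
    for finding in report.values():
        if isinstance(finding, dict):
            floating = any(d.endswith("@latest") or d.endswith("@*") for d in finding["dependencies"])
            if finding["hooks"] or floating:
                return True
        elif any(reason != "pinned" for _, reason in finding):
            return True
    return False


def run_sample() -> Dict[str, object]:
    """Write the constructed sample repo to a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "package.json").write_text(SAMPLE_PACKAGE_JSON)
        (root / "requirements.txt").write_text(SAMPLE_REQUIREMENTS)
        return audit_repo(root)


if __name__ == "__main__":
    result = run_sample()
    for path, finding in result.items():
        print(path, finding)
    print("needs manual review before install:", needs_review(result))
```

Point it at the cloned assignment (`audit_repo(Path("./assignment"))`) before running any install command. If it reports hooks or unpinned entries, look up each package on the registry and read the hook script first; for a first pass, `npm install --ignore-scripts` suppresses the lifecycle hooks, and a throwaway VM or container keeps any downloader that slips through away from the wallets and SSH keys on the host.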