The notorious North Korean Lazarus Group has launched “Graphalgo,” a sophisticated fake-recruiter campaign targeting Python and JavaScript developers in the cryptocurrency sector by luring them with lucrative job offers. The operation uses a modular, multi-stage infection chain that hides malicious payloads in open-source packages—most notably the npm package bigmathutils—and leverages public services like GitHub, npm, and PyPI to persist and evade takedowns. #LazarusGroup #Graphalgo #bigmathutils #npm #PyPI
Key points
- Lazarus Group targets crypto-focused Python and JavaScript developers through fake recruiter profiles on social platforms.
- Graphalgo lures victims with coding tasks that require downloading packages from public repositories like npm and PyPI.
- The npm package bigmathutils was weaponized after gaining trust, collecting over 10K downloads before a malicious update.
- The malware is a modular, encrypted, multi-stage infection chain designed to survive takedowns and swap components easily.
- Timestamps and other indicators point to a North Korean origin, and ReversingLabs warns the campaign is ongoing.