Malicious npm and PyPI packages linked to Lazarus APT fake recruiter campaign


ReversingLabs uncovered a modular fake recruitment campaign named graphalgo that uses deceptive blockchain job tasks to distribute malicious npm and PyPI packages to JavaScript and Python developers. The operation, attributed to the North Korea-linked Lazarus Group, deploys fake companies like Veltrix Capital, staged interview repositories, and delayed malicious package updates that ultimately deliver a RAT targeting crypto wallets and enabling remote control. #LazarusGroup #graphalgo

Keypoints

  • ReversingLabs identified the “graphalgo” campaign active since May 2025 delivering malicious npm and PyPI packages.
  • Attackers pose as a blockchain recruiter (Veltrix Capital) and publish fake interview tasks that depend on malicious packages.
  • Malicious dependencies first build trust with benign updates before releasing RAT payloads that enable file access, command execution, and crypto wallet checks.
  • The campaign spreads through LinkedIn, Facebook, Reddit, GitHub, npm, and PyPI and scaled with packages like bigmathutils that reached 10,000+ downloads.
  • Attribution to Lazarus is based on repeated tactics including crypto lures, delayed updates, token-protected C2, and GMT+9 timestamps.
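
A defender-side check suggested by the delayed-update tactic in the key points above, written as an added example (it is not code from the ReversingLabs report or from the article): before anything in a take-home task repository is installed, it audits the repository's package.json and requirements.txt, flagging dependency names on a small blocklist seeded with bigmathutils (the one package named above; extend it with your own indicators) and any dependency whose version is not pinned exactly, since a floating range is what lets a later malicious release of an initially benign package reach the developer's machine. The sample manifests, including the "veltrix-interview-task" name, are constructed for the example.

```python
"""Audit the dependency manifests of an untrusted repository before installing.

Added example; not code from the ReversingLabs report or the article.
Two checks grounded in the campaign's tactics:
  1. dependency name on a blocklist (seeded with bigmathutils from the article)
  2. version not pinned exactly, so a later "delayed" malicious release of an
     initially benign package would be resolved at install time
"""
import json
import re

# Package names the article ties to the campaign; extend with your own indicators.
BLOCKLIST = {"bigmathutils"}

# Exact npm versions only: "1.2.3" or "1.2.3-beta.1". Anything else (^, ~, *, latest,
# ranges, git/URL specs) lets `npm install` resolve a newer release than the one reviewed.
EXACT_SEMVER = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")

# requirements.txt line: name, optional [extras], then the version specifier.
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*)$")


def audit_package_json(text):
    """Return [(name, spec, reason), ...] for the content of an npm package.json."""
    manifest = json.loads(text)
    findings = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if name.lower() in BLOCKLIST:
                findings.append((name, spec, "blocklisted"))
            if not EXACT_SEMVER.match(spec.strip()):
                findings.append((name, spec, "floating version"))
    return findings


def audit_requirements(text):
    """Return [(name, spec, reason), ...] for the content of a pip requirements.txt."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or a pip option such as -r/-e
            continue
        match = REQ_LINE.match(line)
        if not match:
            continue
        name, spec = match.group(1), match.group(2).strip()
        if name.lower() in BLOCKLIST:
            findings.append((name, spec, "blocklisted"))
        # Pinned means "==X.Y.Z" without a wildcard; ">=", "~=", "" and "==1.*" all float.
        if not (spec.startswith("==") and "*" not in spec):
            findings.append((name, spec, "floating version"))
    return findings


def audit_repo_manifests(package_json_text=None, requirements_text=None):
    """Audit whichever manifests are present; returns (ecosystem, name, spec, reason) sorted."""
    findings = []
    if package_json_text:
        findings += [("npm",) + f for f in audit_package_json(package_json_text)]
    if requirements_text:
        findings += [("pypi",) + f for f in audit_requirements(requirements_text)]
    return sorted(findings)


# Constructed sample manifests modelled on a staged interview repository.
SAMPLE_PACKAGE_JSON = """{
  "name": "veltrix-interview-task",
  "dependencies": {
    "express": "4.18.2",
    "bigmathutils": "^1.2.0",
    "lodash": "latest"
  },
  "devDependencies": {
    "jest": "~29.0.0"
  }
}"""

SAMPLE_REQUIREMENTS = """# constructed sample
requests==2.31.0
bigmathutils>=0.3
web3
-r other.txt
numpy[extra]~=1.26
"""

if __name__ == "__main__":
    for ecosystem, name, spec, reason in audit_repo_manifests(SAMPLE_PACKAGE_JSON, SAMPLE_REQUIREMENTS):
        print(f"[{ecosystem}] {name} {spec!r}: {reason}")
```

Run it over a cloned task repository before `npm install` or `pip install -r` is ever typed; a blocklist hit is a stop, and every floating version is a package whose next release you have not reviewed. The check is deliberately offline (no registry lookups), so it cannot judge a package's publication history, only whether the manifest leaves room for one.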

Read More: https://securityaffairs.com/188009/apt/malicious-npm-and-pypi-packages-llinked-to-lazarus-apt-fake-recruiter-campaign.html