As reported by The Hacker News, a sophisticated, multi-pronged attack campaign has been uncovered, targeting developers through malicious packages on npm and the Python Package Index (PyPI). The campaign, linked to the North Korea-backed Lazarus Group, utilizes a fake recruitment theme to lure unsuspecting victims.The Lazarus Group's operation, codenamed "graphalgo," began in May 2025. Threat actors impersonate recruiters on platforms like LinkedIn, Facebook, and Reddit, offering fake job opportunities at fictitious blockchain and cryptocurrency companies, such as Veltrix Capital. Developers are enticed to download code for assessments, which contain malicious dependencies hosted on npm and PyPI. Packages like "bigmathutils" on npm saw over 10,000 downloads before malicious versions were introduced.These packages deploy a remote access trojan (RAT) capable of stealing system information, manipulating files, and exfiltrating data. The RAT employs a token-based mechanism for command-and-control (C2) communication, a technique previously observed in campaigns linked to Jade Sleet. The malware also checks for the presence of the MetaMask browser extension, indicating a focus on cryptocurrency theft.Source: The Hacker News
Malware, Security Operations, Threat Intelligence, Phishing
Lazarus Group exploits npm and PyPI with fake recruitment campaign

(Adobe Stock)
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



