Malware, Security Operations, Threat Intelligence, Phishing

Lazarus Group exploits npm and PyPI with fake recruitment campaign

Computer keyboard, close-up button of the flag of North Korea.

As reported by The Hacker News, a sophisticated, multi-pronged attack campaign has been uncovered, targeting developers through malicious packages on npm and the Python Package Index (PyPI). The campaign, linked to the North Korea-backed Lazarus Group, utilizes a fake recruitment theme to lure unsuspecting victims.

The Lazarus Group's operation, codenamed "graphalgo," began in May 2025. Threat actors impersonate recruiters on platforms like LinkedIn, Facebook, and Reddit, offering fake job opportunities at fictitious blockchain and cryptocurrency companies, such as Veltrix Capital. Developers are enticed to download code for assessments, which contain malicious dependencies hosted on npm and PyPI. Packages like "bigmathutils" on npm saw over 10,000 downloads before malicious versions were introduced.

These packages deploy a remote access trojan (RAT) capable of stealing system information, manipulating files, and exfiltrating data. The RAT employs a token-based mechanism for command-and-control (C2) communication, a technique previously observed in campaigns linked to Jade Sleet. The malware also checks for the presence of the MetaMask browser extension, indicating a focus on cryptocurrency theft.

Source: The Hacker News

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds