Researchers from ReversingLabs have found malicious npm and PyPI packages tied to a fake recruitment campaign attributed to North Korea’s Lazarus Group. The campaign, named graphalgo, has been active since the beginning of May 2025 and targets JavaScript and Python developers with fake cryptocurrency recruiter tasks. Attackers reach victims on LinkedIn, Facebook and Reddit, and conceal malicious code across GitHub, npm and PyPI.
One npm package, bigmathutils, gained over 10,000 downloads before attackers released a malicious update. The operation is described as a modular, multi-stage campaign that builds trust through fake front companies such as Veltrix Capital and by posting GitHub “job interview” repositories in Python and JavaScript. Attribution to Lazarus is based on patterns including fake interviews, crypto-focused lures, multi-stage encrypted malware, delayed updates, token-protected C2 and GMT+9 timestamps.
The campaign’s design allows attackers to swap frontends while reusing backend infrastructure, and, according to ReversingLabs, it appears to remain ongoing.
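The "delayed update" pattern mentioned above (a package accumulates downloads and trust, then a malicious version lands after a long quiet period) is something a defender can screen for before adopting a new dependency version. The following is an added example written for this summary, not code from ReversingLabs or from any of the packages named here: it reads the `time` map that the npm registry returns for a package and flags a fresh release that breaks the package's historical release cadence. The package name is taken from the report, but every version number and timestamp in `SAMPLE_METADATA` is constructed for illustration and says nothing about the real package's history; the thresholds are assumptions to tune per environment.

```python
"""Heuristic screen for the "dormant package, sudden update" supply-chain pattern.

Input shape mirrors the npm registry's per-package "time" map (version -> ISO
timestamp, plus "created"/"modified" bookkeeping keys). All data below is
CONSTRUCTED for this example and is not the real history of any package.
"""
from datetime import datetime
from statistics import median

# Constructed metadata: the package name comes from the report, the versions
# and timestamps are invented so the heuristic has something to chew on.
SAMPLE_METADATA = {
    "name": "bigmathutils",
    "dist-tags": {"latest": "1.4.0"},
    "time": {
        "created": "2025-01-10T08:00:00.000Z",
        "modified": "2025-06-01T02:30:00.000Z",
        "1.0.0": "2025-01-10T08:00:00.000Z",
        "1.1.0": "2025-01-20T09:00:00.000Z",
        "1.2.0": "2025-02-02T10:00:00.000Z",
        "1.3.0": "2025-02-15T10:00:00.000Z",
        # long silence, then a new release: the cadence break we want to see
        "1.4.0": "2025-06-01T02:30:00.000Z",
    },
}


def _parse(ts: str) -> datetime:
    """Registry timestamps are ISO 8601 with a trailing Z; make them aware."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def version_timeline(metadata: dict) -> list[tuple[str, datetime]]:
    """(version, publish time) pairs in publish order, skipping bookkeeping keys."""
    entries = [(v, _parse(t)) for v, t in metadata["time"].items()
               if v not in ("created", "modified")]
    return sorted(entries, key=lambda e: e[1])


def assess_update(metadata: dict, now, max_age_days: float = 7.0,
                  gap_factor: float = 3.0) -> dict:
    """Flag a release that is both very recent and far outside the prior cadence.

    now          -- aware datetime or ISO string; the moment of evaluation
    max_age_days -- a release younger than this is "recent" (assumed threshold)
    gap_factor   -- gap to the previous release must exceed this multiple of the
                    median prior gap to count as "dormant then updated" (assumed)
    """
    if isinstance(now, str):
        now = _parse(now)
    timeline = version_timeline(metadata)
    if len(timeline) < 3:
        # Not enough history to estimate a cadence; say so rather than guess.
        return {"latest": timeline[-1][0] if timeline else None,
                "verdict": "insufficient-history"}

    latest_ver, latest_ts = timeline[-1]
    _, prev_ts = timeline[-2]
    day = 86400.0
    gap_days = (latest_ts - prev_ts).total_seconds() / day
    prior_gaps = [(timeline[i + 1][1] - timeline[i][1]).total_seconds() / day
                  for i in range(len(timeline) - 2)]
    median_gap = median(prior_gaps)
    age_days = (now - latest_ts).total_seconds() / day

    recent = age_days <= max_age_days
    dormant = gap_days > gap_factor * median_gap
    if recent and dormant:
        verdict = "hold"      # quarantine: let the release age before adopting it
    elif dormant:
        verdict = "review"    # cadence break, but the version has had time to be vetted
    else:
        verdict = "ok"
    return {
        "package": metadata["name"],
        "latest": latest_ver,
        "published": latest_ts.isoformat(),
        "age_days": round(age_days, 2),
        "gap_days": round(gap_days, 2),
        "median_prior_gap_days": round(median_gap, 2),
        "recent": recent,
        "dormant": dormant,
        "verdict": verdict,
    }


def demo() -> dict:
    """Evaluate the constructed metadata two days after its last release."""
    return assess_update(SAMPLE_METADATA, "2025-06-03T00:00:00Z")


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>22}: {value}")
```

A "hold" verdict is a prompt to pin the previous version in the lockfile and let the new release sit in a quarantine window, not proof of compromise; the same check can be run over a whole lockfile by fetching each dependency's registry document and feeding its `time` map to `assess_update`.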