Cybersecurity researchers have linked a new wave of malicious packages in the npm and Python Package Index (PyPI) repositories to a fake recruitment-themed campaign attributed to the North Korea-linked Lazarus Group. The operation, codenamed graphalgo, began with a benign first package in npm and is assessed to have been active since May 2025.
The attackers cultivate trust by contacting developers on social platforms such as LinkedIn and Facebook or through Reddit job postings, and by building an air of legitimacy around a company involved in blockchain and cryptocurrency exchanges. One npm package, bigmathutils, drew over 10,000 downloads before a second, malicious version was released; the campaign's list includes numerous packages in both npm and PyPI, such as graphalgo, graphlibx, bigmathutils and xpack-subscription.
The malicious packages ultimately deploy a remote access trojan that fetches and executes commands from an external server, using a token-based C2 communication scheme to verify infected hosts.