securityonline.info 2/13/2026, 1:15:49 AM · via preferred

Dream Job or Nightmare? Lazarus Group Hunts Crypto Devs with “Graphalgo” Malware

Primary Source reversinglabs.com

The Lazarus Group has expanded its fake-recruiter campaigns into the cryptocurrency sector, targeting Python and JavaScript developers with a new operation codenamed Graphalgo that lures victims with lucrative job offers before delivering multi-layered malware hidden in open-source packages.

Active since May 2025, the campaign uses a modular, multi-stage infection chain designed to survive takedowns and persist in the wild, with its frontend job offers separated from the backend malicious payloads to facilitate component swaps if detected. The core weapon is a malicious npm package named bigmathutils, which appeared legitimate for a time and reportedly accumulated more than 10K downloads before a second version containing the payload was released, enabling a bait-and-switch.

According to ReversingLabs, the campaign exhibits high sophistication, long-lived activity, and a nuanced trust-building approach across GitHub, npm and PyPI, with timestamps in the malware’s Git commits aligning to GMT+9, a fingerprint pointing to North Korea. The report concludes that this is an ongoing campaign with no signs of stopping.
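For defenders, the bait-and-switch described above means the package can arrive as a transitive dependency of a project that never names it directly. The following is an added example, not code from ReversingLabs or the article: it walks a parsed `package-lock.json` in both the flat (lockfileVersion 2/3) and nested (lockfileVersion 1) layouts and reports every install of a flagged name. Only `bigmathutils` comes from the article; the sample lockfiles, the `example-wallet-sdk` name and all version strings are constructed.

```javascript
// Package name reported in the article; extend the set with names from your own intel.
const FLAGGED = new Set(["bigmathutils"]);

// Return [{name, version, path}] for each flagged package in a parsed package-lock.json.
function findFlagged(lock, flagged = FLAGGED) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // "" is the root project itself
    // Aliased installs record the real name in meta.name; otherwise derive it from the path.
    const name = meta.name || path.slice(idx + "node_modules/".length);
    if (flagged.has(name)) hits.push({ name, version: meta.version, path });
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists,
  // because v2 lockfiles carry both and would report duplicates).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (flagged.has(name)) hits.push({ name, version: meta.version, path: here.join(" > ") });
      walk(meta.dependencies, here);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample (v3 layout): the flagged package is pulled in transitively.
const SAMPLE_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/example-wallet-sdk": { version: "2.1.0" },
    "node_modules/example-wallet-sdk/node_modules/bigmathutils": { version: "1.1.0" },
  },
};

// Constructed sample (v1 layout): same dependency shape, nested form.
const SAMPLE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "example-wallet-sdk": { version: "2.1.0", dependencies: { bigmathutils: { version: "1.1.0" } } },
  },
};

console.log(findFlagged(SAMPLE_V3), findFlagged(SAMPLE_V1));
```

The article gives no version numbers, so the check reports every installed version of the name rather than trying to separate the clean release from the later one.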


Article by CyberSIXT
