Recent investigations by cybersecurity experts have uncovered a series of malicious packages on npm and PyPI, linked to a deceptive recruitment campaign led by the North Korea-associated Lazarus Group. This operation, known as ‘graphalgo’, has been active since May 2025, exploiting platforms such as LinkedIn and Reddit to lure developers.
Deceptive Tactics of the Lazarus Group
The Lazarus Group’s strategy involves posing as a seemingly legitimate company, Veltrix Capital, which claims to operate in the blockchain and cryptocurrency industry. Under this veneer of authenticity, they approach developers with fake job offers. The developers are then directed to GitHub repositories presented as coding assessments, which secretly pull in malicious code.
While the repositories themselves appear benign, the danger lies in the dependencies they pull from npm and PyPI. Once an unsuspecting developer installs these dependencies into a project, they execute harmful payloads on the developer’s system. The npm package ‘bigmathutils’, for example, had over 10,000 downloads before its second, compromised version was released.
Technical Breakdown of the Attack
The malicious packages serve primarily as conduits for deploying a remote access trojan (RAT). The RAT can execute various commands, such as gathering system information and manipulating files, with all traffic to its operators authenticated by a token. The same method was previously seen in 2023 campaigns by another North Korean hacking group, Jade Sleet.
Once a system is compromised, the RAT contacts an external server and authenticates itself with a token exchanged during the initial connection. Because only hosts holding a valid token can talk to the server, this keeps uninfected systems and analysts out and helps the operation stay stealthy.
Broader Implications and Ongoing Threats
The findings highlight the persistent threat posed by state-sponsored actors like the Lazarus Group, who continuously target open-source ecosystems. Their sophisticated operations aim not only to steal sensitive information but also to execute financial theft, as indicated by the RAT’s ability to detect the MetaMask browser extension.
In a related development, JFrog has reported discovering another malicious npm package, ‘duer-js’, which acts as an information stealer targeting Windows systems. The package collects data such as browser details and cryptocurrency wallet information and uses Discord as its data exfiltration channel.
These revelations underscore the importance of vigilance in the open-source community and the need for robust security measures to protect against such insidious threats. As these campaigns evolve, developers must remain alert to avoid falling victim to these sophisticated traps.
