Malicious npm and PyPI Packages Linked to Lazarus Fake Recruiter Campaign

By Azhar Khan
Security researchers have uncovered a sophisticated fake recruitment campaign distributing malicious npm and PyPI packages to developers. The operation, dubbed “graphalgo,” has been attributed to the North Korea-linked Lazarus Group and specifically targets JavaScript and Python developers with blockchain-related lures.

The campaign blends social engineering, staged job interviews, and delayed malware deployment to compromise developer systems and ultimately target cryptocurrency assets.

Fake Recruiters and Blockchain Job Lures

Attackers posed as recruiters from fabricated companies such as Veltrix Capital, approaching developers with enticing blockchain development roles. Victims were invited to complete coding assignments hosted in seemingly legitimate Git repositories as part of a staged interview process.

The tasks appeared harmless and professionally structured, increasing credibility and reducing suspicion.

Malicious npm and PyPI Packages

As part of the interview workflow, candidates were instructed to install specific npm or PyPI packages to complete the assignment. These packages initially appeared benign but were later updated to include malicious code.

This delayed-update tactic allowed the packages to pass initial scrutiny and automated scanning before deploying their true payload.

Modular Malware Delivery

The graphalgo campaign used a modular infection chain. Once the malicious package was activated, it downloaded additional components designed to establish persistence and enable remote access.

The final payload delivered a remote access trojan (RAT), giving attackers control over infected machines.

Targeting Crypto Wallets

The RAT included functionality to search for and exfiltrate cryptocurrency wallet data. Given Lazarus Group’s history of financially motivated operations targeting crypto exchanges and blockchain developers, this objective aligns with previous campaigns.

Compromised systems could allow attackers to steal private keys, drain wallets, or gain access to developer credentials tied to blockchain projects.

Attribution to Lazarus Group

Researchers attributed the campaign to the Lazarus Group based on infrastructure overlap, tooling similarities, and tactics consistent with prior North Korea-linked operations. The group has repeatedly used fake job offers as an entry vector, particularly targeting individuals in the cryptocurrency and technology sectors.

Why Developers Are High-Value Targets

Developers often have elevated system privileges, access to source code repositories, and credentials for cloud services and financial platforms. Compromising a single developer can provide attackers with access to broader supply chains and digital assets.

The use of trusted package ecosystems like npm and PyPI further increases the reach and potential impact of such campaigns.

Defensive Recommendations

Developers and organizations should:

  • Verify recruiter identities and company legitimacy before engaging in coding assignments
  • Avoid installing packages from unverified sources
  • Monitor dependencies for unexpected updates
  • Use dependency scanning and integrity verification tools
  • Store cryptocurrency keys in secure hardware wallets rather than local files
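The two list items on monitoring dependencies for unexpected updates and on integrity verification, together with the delayed-update tactic described earlier (packages that look benign when first reviewed and only later receive a malicious version), can be turned into a concrete control: pin every dependency to a version and a content hash, then fail the install when what is fetched no longer matches. pip enforces exactly this with `pip install --require-hashes` against `name==version --hash=sha256:<hex>` lines, and npm's `package-lock.json` `integrity` field plays the same role. The script below is an added example written for this article, not code from the article or from the researchers it cites; the package names and artifact bytes are constructed stand-ins for real downloads, and `check_fetched` is a hypothetical helper that mirrors the checks an installer in hash-checking mode performs.

```python
"""Added example: detect silent dependency drift with a hash-pinned lockfile."""
import hashlib
import re

# Constructed sample artifacts: package name -> (version, bytes of the archive).
# These bytes stand in for a downloaded wheel or tarball; they are not real packages.
ORIGINAL_ARTIFACTS = {
    "graph-helper": ("1.4.2", b"graph-helper 1.4.2 wheel contents (constructed)"),
    "chain-utils": ("0.9.0", b"chain-utils 0.9.0 sdist contents (constructed)"),
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact, the digest form pip's --hash option expects."""
    return hashlib.sha256(data).hexdigest()


def build_pinned_requirements(artifacts: dict) -> str:
    """Emit a requirements file in the form `pip install --require-hashes`
    enforces: one `name==version --hash=sha256:<hex>` line per package."""
    lines = []
    for name, (version, data) in sorted(artifacts.items()):
        lines.append(f"{name}=={version} --hash=sha256:{sha256_hex(data)}")
    return "\n".join(lines) + "\n"


_REQ_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)\s+--hash=sha256:(?P<hash>[0-9a-f]{64})$"
)


def parse_pinned(text: str) -> dict:
    """Parse a hash-pinned requirements file into name -> (version, sha256).
    Any line that is not fully pinned is rejected rather than silently accepted."""
    pinned = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _REQ_LINE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        pinned[m.group("name").lower()] = (m.group("version"), m.group("hash"))
    return pinned


def check_fetched(pinned: dict, fetched: dict) -> list:
    """Compare fetched artifacts (name -> (version, bytes)) against the pins.

    Returns (name, finding) pairs. An empty list means every pinned package was
    fetched at the pinned version with the pinned contents. Three situations are
    flagged: a version that moved (the delayed-update pattern), a package whose
    version string is unchanged but whose bytes differ, and a package that was
    never in the lockfile at all.
    """
    findings = []
    fetched_names = {n.lower() for n in fetched}
    for name, (version, data) in fetched.items():
        key = name.lower()
        if key not in pinned:
            findings.append((name, "not in lockfile: new transitive or injected dependency"))
            continue
        pinned_version, pinned_hash = pinned[key]
        if version != pinned_version:
            findings.append((name, f"version drift: pinned {pinned_version}, fetched {version}"))
        elif sha256_hex(data) != pinned_hash:
            findings.append((name, "hash mismatch: same version string, different contents"))
    for name in pinned:
        if name not in fetched_names:
            findings.append((name, "pinned but not fetched"))
    return findings


if __name__ == "__main__":
    lockfile = build_pinned_requirements(ORIGINAL_ARTIFACTS)
    pins = parse_pinned(lockfile)
    print("clean install:", check_fetched(pins, ORIGINAL_ARTIFACTS))
    # Simulate the registry later serving a "new version" of one dependency.
    later = dict(ORIGINAL_ARTIFACTS)
    later["graph-helper"] = ("1.4.3", b"graph-helper 1.4.3 contents (constructed)")
    print("after silent update:", check_fetched(pins, later))
```

The value of the hash check over a plain version pin is the second finding type: a version string alone can be re-used or spoofed by a mirror, while a content digest cannot. In practice the lockfile is generated once from a reviewed set of artifacts and committed, so that any later change on the registry side surfaces as an install failure rather than as an unnoticed update.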

A Growing Supply Chain Threat

The graphalgo campaign underscores the evolving nature of supply chain attacks targeting developer ecosystems. By combining social engineering with malicious package distribution, Lazarus has demonstrated once again how trusted platforms and professional networking channels can be weaponized.

As open-source ecosystems continue to power modern software development, vigilance around dependency management and recruiter outreach will be critical to reducing risk.

Azhar Khan
Azhar is a seasoned Cybersecurity Professional with over 8 years of experience in Cybersecurity Research.