Full Report
Cybersecurity researchers have discovered a fresh set of malicious packages across the npm registry and the Python Package Index (PyPI) linked to a fake recruitment-themed campaign orchestrated by the North Korea-linked Lazarus Group. The coordinated campaign has been codenamed graphalgo, after the first package published to npm, and is assessed to have been active since May 2025.
Analysis Summary
# Threat Actor: Lazarus Group
## Attribution & Identity
* **Actor Identification and Attribution:** North Korea-linked Lazarus Group.
* **Known Aliases and Associated Groups:** The token-based C2 mechanism seen in this campaign was previously observed in 2023 activity attributed to the North Korean cluster **Jade Sleet** (also tracked as **TraderTraitor** or **UNC4899**), which links the two sets of activity by tooling rather than by an explicit vendor attribution.
## Activity Summary
* **Recent Campaigns and Operations:** The group is orchestrating a fresh, coordinated campaign codenamed **graphalgo** (after the first package in npm).
* **Timeline:** Assessed to be active since **May 2025**.
* **Campaign Theme:** A fake **recruitment-themed** campaign targeting developers, specifically those involved in **blockchain and cryptocurrency exchanges**.
* **Methodology:** The attack chain involves establishing a fake company in the blockchain/crypto space, registering domains, and creating GitHub organizations for coding assessments (using Python and JavaScript projects). The malicious payload is delivered indirectly through dependencies hosted on **npm** and **PyPI** rather than directly in the assessment repositories.
* **Infection Vector:** Developers who apply for jobs advertised on social platforms (LinkedIn, Facebook) or forums (Reddit) are tricked into running the coding assessment projects, which pull in the malicious dependency from npm or PyPI as part of a normal install.
## Tactics, Techniques & Procedures
* **Supply Chain Compromise:** Poisoning open-source ecosystems (npm and PyPI) with malicious packages.
* **Social Engineering:** Utilizing fake recruitment themes and impersonating legitimate recruiters.
* **Benign-Looking Names and Staged Versions:** Publishing packages under innocuous, library-like names, in some cases with a clean first release followed by a malicious one (e.g., `bigmathutils` had a non-malicious first version), so that a review of the name or of the initial version alone would not raise suspicion.
* **Payload Delivery:** Packages act as a conduit to deploy a **Remote Access Trojan (RAT)**.
* **C2 Communication:** The RAT uses a **token-based mechanism** for C2 validation:
1. Infected system sends system data upon registration to the C2 server.
2. C2 responds with a token.
3. The token is sent back in subsequent requests to authenticate the infected system.
* **Post-Infection Actions:** The RAT supports gathering system information, enumerating files/directories, listing processes, file/folder manipulation, and initiating uploads/downloads.
* **Financial Focus:** Actively checks for the presence of the **MetaMask** browser extension, indicating an objective aligned with financial theft.
* **MITRE ATT&CK IDs:** Not explicitly provided in the context.
## Targeting
* **Sectors:** Software Development/Technology, specifically targeting developers working with or interested in **blockchain and cryptocurrency exchanges**.
* **Geography:** Not specified, but the distribution methods (LinkedIn, Reddit, npm/PyPI) suggest a broad, global reach targeting developers.
* **Victims:** Developers attending fake job interviews or coding assessments.
## Tools & Infrastructure
* **Malware Families Used:** Custom **Remote Access Trojan (RAT)**.
* **Malicious Packages (Source):**
* **npm:** `graphalgo`, `graphorithm`, `graphstruct`, `graphlibcore`, `netstruct`, `graphnetworkx`, `terminalcolor256`, `graphkitx`, `graphchain`, `graphflux`, `graphorbit`, `graphnet`, `graphhub`, `terminal-kleur`, `graphrix`, `bignumx`, `bignumberx`, `bignumex`, `bigmathex`, `bigmathlib`, `bigmathutils`, `graphlink`, `bigmathix`, `graphflowx`.
* **PyPI:** `graphalgo`, `graphex`, `graphlibx`, `graphdict`, `graphflux`, `graphnode`, `graphsync`, `bigpyx`, `bignum`, `bigmathex`, `bigmathix`, `bigmathutils`.
* **Infrastructure (C2, Domains, IPs):** External servers used for C2 communication and receiving tokens. (No specific defanged URLs/IPs provided in the context).
## Implications
* Lazarus Group continues its long-term strategy of poisoning open-source ecosystems (npm, PyPI) to achieve large-scale compromise and financial gain.
* The elaborate recruitment pretext (fake companies, registered domains, GitHub organizations hosting assessment projects) combined with the reuse of a C2 token scheme seen in 2023 Jade Sleet activity indicates sustained investment in infection chains aimed specifically at cryptocurrency and blockchain developers.
## Mitigations
* Scan every dependency, including transitive ones resolved in lockfiles, before integrating a project into production or running assessment code locally; match on package name, not version, since a clean first release (as with `bigmathutils`) does not clear a package. Run unsolicited assessment projects in a disposable VM or container with no access to wallets, SSH keys, or cloud credentials.
* Developers should be highly skeptical of unexpected job offers or coding assessments originating from social media or forums, especially those that involve installing dependencies from public repositories.
* Monitor developer workstations for unexpected outbound connections spawned by package installs or test runs (npm, node, python processes) to unfamiliar external hosts; the RAT's registration-then-token sequence, in which a system-information upload is followed by repeated requests carrying the issued token, is a behaviour worth hunting for in proxy and EDR telemetry.
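The following script puts the package lists above and the dependency-scanning mitigation into practice. It is an added example for this page, not code from the original report or from any vendor tool: it checks an npm `package.json`, an npm `package-lock.json` (v1 `dependencies` tree and v2/v3 `packages` map, so transitive dependencies are covered) and a pip `requirements.txt` against the names published in the report. Names are matched regardless of version, because `bigmathutils` shipped a clean first release, and PyPI names are normalised per PEP 503 so that `BigMathUtils` and `bigmathutils` are treated as the same package. The manifest contents embedded at the bottom are constructed test data, not artefacts from the campaign.

```python
"""Scan dependency manifests for package names tied to the graphalgo campaign.

Added example, not from the original report. Package name sets are copied
from the report; the SAMPLE_* manifests below are constructed test data.
"""
import json
import re

# npm package names listed in the report (exact names as published).
NPM_PACKAGES = {
    "graphalgo", "graphorithm", "graphstruct", "graphlibcore", "netstruct",
    "graphnetworkx", "terminalcolor256", "graphkitx", "graphchain", "graphflux",
    "graphorbit", "graphnet", "graphhub", "terminal-kleur", "graphrix", "bignumx",
    "bignumberx", "bignumex", "bigmathex", "bigmathlib", "bigmathutils",
    "graphlink", "bigmathix", "graphflowx",
}

# PyPI package names listed in the report.
PYPI_PACKAGES = {
    "graphalgo", "graphex", "graphlibx", "graphdict", "graphflux", "graphnode",
    "graphsync", "bigpyx", "bignum", "bigmathex", "bigmathix", "bigmathutils",
}


def normalize_pypi(name):
    """PEP 503 name normalisation: lower-case, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


PYPI_NORMALIZED = {normalize_pypi(n) for n in PYPI_PACKAGES}


def scan_package_json(pkg_text):
    """Return listed npm names declared directly in package.json."""
    data = json.loads(pkg_text)
    sections = ("dependencies", "devDependencies",
                "optionalDependencies", "peerDependencies")
    found = set()
    for section in sections:
        found.update(n for n in data.get(section, {}) if n in NPM_PACKAGES)
    return found


def scan_package_lock(lock_text):
    """Return listed npm names anywhere in a lockfile, transitive deps included.

    Handles the v2/v3 'packages' map (keys like
    'node_modules/a/node_modules/b') and the v1 'dependencies' tree.
    Version is deliberately ignored: a clean first release does not clear a name.
    """
    data = json.loads(lock_text)
    found = set()
    for key in data.get("packages", {}):
        name = key.rsplit("node_modules/", 1)[-1]  # root entry "" yields ""
        if name in NPM_PACKAGES:
            found.add(name)

    def walk(deps):
        for name, meta in deps.items():
            if name in NPM_PACKAGES:
                found.add(name)
            walk(meta.get("dependencies", {}))

    walk(data.get("dependencies", {}))
    return found


def scan_requirements(req_text):
    """Return listed PyPI names from requirements.txt (as written in the file)."""
    found = set()
    for raw in req_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):     # skip blanks and options like -r
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m and normalize_pypi(m.group(1)) in PYPI_NORMALIZED:
            found.add(m.group(1))
    return found


# Constructed sample manifests (not real campaign artefacts).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "coding-assessment",
    "dependencies": {"graphalgo": "^1.0.0", "express": "^4.18.0"},
    "devDependencies": {"jest": "^29.0.0"},
})
SAMPLE_LOCK = json.dumps({
    "name": "coding-assessment", "lockfileVersion": 2,
    "packages": {
        "": {"name": "coding-assessment"},
        "node_modules/express": {"version": "4.18.2"},
        # transitive dependency hidden one level down
        "node_modules/express/node_modules/graphflux": {"version": "1.0.3"},
    },
    "dependencies": {
        "express": {"version": "4.18.2"},
        "terminal-kleur": {"version": "1.0.0", "dependencies": {}},
    },
})
SAMPLE_REQUIREMENTS = (
    "requests==2.31.0\n"
    "# pinned for the take-home test\n"
    "BigMathUtils==0.1.0  # the first release was clean; block the name anyway\n"
    "-r base.txt\n"
)

if __name__ == "__main__":
    print("package.json:", sorted(scan_package_json(SAMPLE_PACKAGE_JSON)))
    print("package-lock:", sorted(scan_package_lock(SAMPLE_LOCK)))
    print("requirements:", sorted(scan_requirements(SAMPLE_REQUIREMENTS)))
```

Point the three scanners at a cloned assessment repository before running `npm install` or `pip install`; a non-empty result is a stop signal, since the report notes the payload arrives through the dependency rather than the repository code itself. The lockfile scan matters most: a recruiter-supplied `package-lock.json` can pull in one of these names transitively without it ever appearing in `package.json`.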