
Cybersecurity researchers have discovered a set of malicious packages across npm and the Python Package Index (PyPI) that are linked to a fake recruitment-themed campaign run by the North Korean-linked Lazarus Group.
The coordinated campaign has been codenamed graphalgo, after the first package published on the npm registry, and is assessed to have been active since May 2025.
“Developers are being approached through job postings on social platforms such as LinkedIn and Facebook, or on forums such as Reddit,” Karlo Zanki, a researcher at ReversingLabs, said in a report. “This campaign includes well-crafted stories about companies involved in blockchain and crypto exchanges.”
One of the identified npm packages, bigmathutils, garnered over 10,000 downloads: an initial non-malicious version was published first, and a second version carrying the malicious payload was released later. The package names are listed below –
npm –
graphalgo, graphorithm, graphstruct, graphlibcore, netstruct, graphnetworkx, terminalcolor256, graphkitx, graphchain, graphflux, graphorbit, graphnet, graphhub, terminal-kleur, graphrix, bignumx, bignumberx, bignumex, bigmathex, bigmathlib, bigmathutils, graphlink, bigmathix, graphflowx
PyPI –
graphalgo, graphex, graphlibx, graphdict, graphflux, graphnode, graphsync, bigpyx, bignum, bigmathex, bigmathix, bigmathutils
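Because the malicious code arrives as a dependency of an otherwise clean-looking interview project, the first thing a developer or a CI job can do is check the project's own manifests against the names above. The following script is an added example written for this article, not ReversingLabs tooling: it pulls dependency names out of a package.json or package-lock.json (lockfile v1, v2 or v3) and out of a requirements.txt, and reports any that match the lists above. The sample manifests at the bottom are constructed for the demonstration. A name match only catches the packages already known; attackers in this campaign have republished under fresh names, so treat an empty result as "nothing known", not "clean".

```python
import json
import re

# Package names reported for the graphalgo campaign (as listed in the article above).
GRAPHALGO_NPM = {
    "graphalgo", "graphorithm", "graphstruct", "graphlibcore", "netstruct",
    "graphnetworkx", "terminalcolor256", "graphkitx", "graphchain", "graphflux",
    "graphorbit", "graphnet", "graphhub", "terminal-kleur", "graphrix", "bignumx",
    "bignumberx", "bignumex", "bigmathex", "bigmathlib", "bigmathutils",
    "graphlink", "bigmathix", "graphflowx",
}
GRAPHALGO_PYPI = {
    "graphalgo", "graphex", "graphlibx", "graphdict", "graphflux", "graphnode",
    "graphsync", "bigpyx", "bignum", "bigmathex", "bigmathix", "bigmathutils",
}


def npm_names(manifest_text):
    """Collect dependency names from a package.json or a package-lock.json (v1, v2 or v3)."""
    data = json.loads(manifest_text)
    names = set()
    # package.json style: declared dependencies map name -> version range (strings)
    for field in ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies"):
        value = data.get(field, {})
        if isinstance(value, dict) and all(isinstance(v, str) for v in value.values()):
            names.update(value)
    # lockfile v2/v3: "packages" keyed by install path, e.g. "node_modules/a/node_modules/b"
    for path in data.get("packages", {}):
        if path:  # "" is the root project itself
            names.add(path.rsplit("node_modules/", 1)[-1])
    # lockfile v1 (also kept in v2 for compatibility): nested "dependencies" tree of objects
    def walk(tree):
        for name, meta in tree.items():
            if isinstance(meta, dict):
                names.add(name)
                walk(meta.get("dependencies", {}))
    walk(data.get("dependencies", {}))
    return names


def pypi_names(requirements_text):
    """Collect PEP 503-normalized project names from a requirements.txt."""
    names = set()
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank lines, comments, and options such as -r / --index-url
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match:
            names.add(re.sub(r"[-_.]+", "-", match.group()).lower())
    return names


def flagged(npm_deps, pypi_deps):
    """Return the dependencies that match the known graphalgo package names."""
    return {
        "npm": sorted(npm_deps & GRAPHALGO_NPM),
        "pypi": sorted(pypi_deps & GRAPHALGO_PYPI),
    }


# Constructed sample manifests for the demonstration (not taken from a real project).
SAMPLE_LOCK = json.dumps({
    "name": "interview-task",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"express": "^4.18.0", "bigmathutils": "^1.1.0"}},
        "node_modules/express": {"version": "4.18.2"},
        "node_modules/bigmathutils": {"version": "1.1.0"},
        "node_modules/express/node_modules/graphflux": {"version": "0.2.0"},
    },
})
SAMPLE_REQS = "requests==2.31.0\n# graph helpers\ngraphsync>=1.0  # pinned by the task\n-r extra.txt\n"

if __name__ == "__main__":
    print(flagged(npm_names(SAMPLE_LOCK), pypi_names(SAMPLE_REQS)))
```

Run it from the project root after pointing SAMPLE_LOCK and SAMPLE_REQS at the real files; transitive entries matter, which is why the lockfile is walked rather than only the top-level package.json.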
Like many job-themed campaigns carried out by North Korean threat actors, the attack chain begins by establishing a fake company, such as Veltrix Capital, in the blockchain and cryptocurrency trading space, then setting up the digital real estate needed to create an illusion of legitimacy.
This includes registering a domain and creating an associated GitHub organization to host multiple repositories for use in coding assessments. The repositories have been found to contain projects written in Python and JavaScript.
“Our examination of these repositories did not reveal any obvious malicious functionality,” Zanki said. “That’s because the malicious functionality was not introduced directly through the Job Interview repository, but indirectly through dependencies hosted on npm and PyPI open source package repositories.”
The repositories exist to trick candidates responding to job postings on Reddit or in Facebook groups into running the project on their own machines, which installs the malicious dependencies and infects the host. In some cases, victims are contacted directly by seemingly legitimate recruiters on LinkedIn.
The packages ultimately serve as a conduit to deploy a remote access trojan (RAT) that periodically retrieves and executes commands from an external server. It supports commands to collect system information, enumerate files and directories, list running processes, create folders, rename files, delete files, and upload and download files.
Interestingly, command-and-control (C2) communications are gated by a token-based mechanism that ensures only requests carrying a valid token are accepted. The same approach was previously observed in a 2023 campaign attributed to a North Korean hacking group called Jade Sleet, also known as TraderTraitor or UNC4899.

The mechanism works as follows: the package sends system data to the C2 server as part of a registration step, and the server responds with a token. That token is included in every subsequent request so the server can verify that the request comes from an already registered infected system.
“Token-based approaches are similar […] In both cases, to our knowledge, they have not been used by other attackers in malware hosted in public package repositories,” Zanki told Hacker News at the time.
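The practical consequence of that gate for anyone analyzing the implant is that a beacon sent without completing registration, or a captured request replayed with a stale or guessed token, gets nothing back. The following is an added example that models that two-step exchange in memory; it is not the malware's protocol, and the request fields ("action", "sysinfo", "token"), the token format and the task name returned are all assumptions made for the illustration.

```python
import secrets


class TokenGatedC2:
    """Server side of the model: issues a token at registration and rejects
    any other request whose token it did not issue."""

    def __init__(self):
        self._sessions = {}  # token -> registration data (assumed shape)

    def handle(self, request):
        if request.get("action") == "register":
            token = secrets.token_hex(16)  # token format is an assumption
            self._sessions[token] = dict(request.get("sysinfo", {}))
            return {"status": "registered", "token": token}
        token = request.get("token")
        if token not in self._sessions:
            # Unregistered, replayed or guessed token: no tasking is disclosed.
            return {"status": "rejected"}
        # Task name is a placeholder; the article lists the RAT's command categories.
        return {"status": "ok", "tasks": ["collect_system_info"]}


class Implant:
    """Client side of the model: registers once, then reuses the token on each poll."""

    def __init__(self, server, sysinfo):
        self.server = server
        self.sysinfo = sysinfo
        self.token = None

    def register(self):
        reply = self.server.handle({"action": "register", "sysinfo": self.sysinfo})
        self.token = reply.get("token")
        return reply

    def poll(self):
        return self.server.handle({"action": "poll", "token": self.token})


def run_exchange():
    """Drive four requests and return a transcript of (label, server reply):
    a poll before registering, the registration, a poll with the issued token,
    and a replay with a token the server never issued."""
    c2 = TokenGatedC2()
    bot = Implant(c2, {"host": "dev-laptop", "os": "Windows"})  # constructed sample data
    transcript = [
        ("poll-before-register", bot.poll()),
        ("register", bot.register()),
        ("poll-with-token", bot.poll()),
        ("replay-with-bogus-token", c2.handle({"action": "poll", "token": "deadbeef"})),
    ]
    return transcript


if __name__ == "__main__":
    for label, reply in run_exchange():
        print(f"{label:26} -> {reply}")
```

The transcript shows only the registered poll receiving tasking. A sandbox that lets the sample register but has no outbound connectivity, or an analyst probing the server with a beacon lifted from a capture, will see only the rejection branch, which is the point of the gate.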
The findings indicate that North Korean state-sponsored threat actors continue to contaminate the open source ecosystem with malicious packages for data theft and financial gain, as evidenced by the RAT’s check for whether the MetaMask browser extension is installed on the machine.
“Evidence suggests this is a highly sophisticated campaign,” ReversingLabs said. “Their modularity, long-lived nature, perseverance in building trust across various campaign elements, and the multi-layered and encrypted complexity of the malware point to state-sponsored attackers.”
More malicious npm packages found
This disclosure comes after JFrog discovered a sophisticated malicious npm package called ‘duer-js’ published by a user named ‘luizaearlyx’. The library claims to be a utility that “makes console windows easier to read,” but it hides a Windows information stealer called Bada Stealer.
It can collect Discord tokens; passwords, cookies and autofill data from the Google Chrome, Microsoft Edge, Brave, Opera and Yandex browsers; cryptocurrency wallet details; and system information. The data is then exfiltrated to a Discord webhook, with the Gofile file storage service used as a backup.
“The malicious package not only steals information from the infected host, but also downloads a secondary payload,” said security researcher Guy Korolewski. “This payload is designed to run on launch of the self-updating Discord desktop app and directly steals information such as payment methods used by users.”
This also coincides with the discovery of another malware campaign that weaponizes npm to extort cryptocurrency payments from developers at package installation time, via the “npm install” command. The campaign, first recorded on February 4, 2026, has been dubbed XPACK ATTACK by OpenSourceMalware.
duer-js malicious package flow hijacks Discord’s Electron environment
All of the packages were uploaded by a user named ‘dev.chandra_bose’ and are listed below.
xpack-per-user, xpack-per-device, xpack-sui, xpack-subscription, xpack-arc-gateway, xpack-video-submission, test-npm-style, xpack-subscription-test, testing-package-xdsfdsfsc
“Unlike traditional malware that steals credentials or executes a reverse shell, this attack innovatively exploits the HTTP 402 ‘Payment Required’ status code to build a wall of seemingly legitimate payments,” said security researcher Paul McCarty. “This attack blocks installation until the victim pays 0.1 USDC/ETH into the attacker’s wallet, while collecting GitHub usernames and device fingerprints.”
“If you refuse to pay, you’ll only waste more than five minutes of development time, the installation will fail, and you might not even realize you’ve encountered malware against what appeared to be a legitimate paywall for package access.”
