Malicious packages attributed to the North Korea-linked Lazarus Group were found on the npm and Python Package Index (PyPI) repositories in a recruitment-themed campaign active since May 2025; one npm package recorded more than 10,000 downloads before it received a malicious update.
KEY FACTS
- Incident: Malicious packages published to npm and PyPI and used as dependencies
- Actor: North Korea-linked Lazarus Group
- Campaign name: codenamed graphalgo
- Impact: one npm package had over 10,000 downloads before a malicious update
In a technical analysis published by ReversingLabs, researcher Karlo Zanki wrote that the campaign used fake recruiter profiles and a fabricated blockchain company to build trust and recruit developers.
Attackers created a domain and a GitHub organization and posted coding assessment repositories that appeared benign. The repositories themselves contained no obvious malicious code; the threat was delivered through dependencies hosted on public package registries.
The malicious packages deploy a remote access trojan that periodically fetches and executes commands from a command-and-control server. The trojan can collect system information, enumerate files and processes, create and modify files, and upload and download data.
Command-and-control communication uses a token-based mechanism: an infected system registers with the server and receives a token that must be included in subsequent requests. The malware also checks for the presence of the MetaMask browser extension, indicating that cryptocurrency wallets are a target.
WHY IT MATTERS
The campaign demonstrates continued abuse of open-source package ecosystems to deliver long-lived, modular malware that can compromise developer machines and steal financial data. Organizations and developers should review dependency provenance and avoid running untrusted code from recruitment exercises.
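The pattern described above, a benign-looking assessment repository whose danger lives in a dependency that later receives a malicious release, is something a developer can screen for before running `npm install`. The script below is an added example, not code from ReversingLabs or from the campaign: it reads a package.json dependency map and registry publish timestamps (both constructed inline here, so it runs offline; in practice the timestamps come from the npm registry's per-package `time` object or PyPI's `upload_time`) and flags unpinned version ranges, very recent releases, and releases that arrive after a long dormancy. The thresholds and heuristics are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)  # constructed reference date

# Constructed package.json "dependencies" of a hypothetical assessment repo.
PACKAGE_JSON_DEPS = {
    "left-pad-ish": "^1.3.0",  # range: the next registry release installs automatically
    "helper-utils": "2.0.1",   # exact pin
    "graph-tools": "*",        # any version
}

# Constructed stand-in for the npm registry's per-package "time" object
# (version -> publish timestamp); PyPI exposes upload_time per release.
REGISTRY_TIME = {
    "left-pad-ish": {"1.2.0": "2023-01-10T00:00:00Z", "1.3.0": "2023-06-01T00:00:00Z",
                     "1.3.1": "2025-08-28T00:00:00Z"},  # sudden release after 2 years
    "helper-utils": {"2.0.0": "2022-03-03T00:00:00Z", "2.0.1": "2022-05-03T00:00:00Z"},
    "graph-tools": {"0.1.0": "2025-05-15T00:00:00Z"},
}

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def is_pinned(spec):
    """Exact x.y.z only; ^, ~, *, >= and similar float to newer releases."""
    return re.fullmatch(r"\d+\.\d+\.\d+", spec) is not None

def review_dependency(spec, times, now=NOW, fresh_days=30, dormant_days=365):
    """Return the reasons a dependency deserves a manual look before installing."""
    findings = []
    if not is_pinned(spec):
        findings.append("unpinned range: a later (possibly malicious) release is pulled automatically")
    versions = sorted(times, key=lambda v: parse_ts(times[v]))  # oldest -> newest
    latest, latest_ts = versions[-1], parse_ts(times[versions[-1]])
    if now - latest_ts < timedelta(days=fresh_days):
        findings.append(f"latest version {latest} was published {(now - latest_ts).days} days ago")
    if len(versions) >= 2:
        gap = latest_ts - parse_ts(times[versions[-2]])
        if gap > timedelta(days=dormant_days):
            findings.append(f"{latest} arrived after {gap.days} days without a release")
    return findings

def audit(deps=PACKAGE_JSON_DEPS, registry=REGISTRY_TIME, now=NOW):
    """Map each flagged dependency to its findings; clean dependencies are omitted."""
    report = {}
    for name, spec in deps.items():
        if findings := review_dependency(spec, registry[name], now):
            report[name] = findings
    return report
```

A flagged dependency is not proof of compromise; it is a prompt to read the package's recent diff and check who published it before the code runs on a workstation that holds credentials or wallet extensions.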

