graphalgo
Lazarus supply chain campaign plants malicious packages on npm and PyPI
Researchers found malicious npm and PyPI packages tied to the Lazarus Group in a recruitment-themed campaign active since May 2025. One npm package exceeded 10,000 downloads before a malicious update was published.

