Malicious npm and PyPI packages linked to Lazarus APT fake recruiter campaign
Publish Date: 2026-02-15 13:13:28
Source Domain: securityaffairs.com
Summary:
The article by Pierluigi Paganini reveals a new malicious operation involving npm and PyPI packages linked to North Korea’s Lazarus Group. A ReversingLabs researcher uncovered a fake recruitment campaign, termed ‘graphalgo’, that tricks developers into downloading harmful packages disguised as job interview tasks or blockchain-related projects. The campaign, active since May 2025, consists of multiple stages in which fake crypto-focused companies and LinkedIn recruiter profiles deceive targets on social media and professional networks. The primary phase lures developers with fake interview tasks that hide malicious code and ultimately deliver malware such as a Remote Access Trojan (RAT) aimed at financial theft. Researchers tie the campaign to the Lazarus Group based on the group’s long history of deceptive job-recruiting lures and recurring malware structures.
Key Points:
- The campaign ‘graphalgo’ deployed by the Lazarus Group targets developers through fake job recruitment campaigns involving malicious npm and PyPI packages.
- Attackers pose as legitimate blockchain companies and leverage social media to lure victims; they use deceptive interview tasks containing hidden malicious code.
- The Lazarus Group runs a multistage operation that includes fake interviews, crypto lures, and complex, encrypted malware designed to steal cryptocurrency assets.
- Attribution to Lazarus is suggested by repeated patterns such as fake job interviews, cryptocurrency focus, multistage encrypted malware, and a modular campaign design allowing ongoing updates.
- The sophisticated and long-term nature of the campaign highlights Lazarus’ persistent threat to the software supply chain.