Cybersecurity researchers have found a new set of malicious packages in npm and the Python Package Index (PyPI) repository that are connected to a phony recruitment campaign planned by the Lazarus Group, which has ties to North Korea. The coordinated campaign has been codenamed graphalgo after the first package published to the npm registry.
According to assessments, it has been operational since May 2025. Interestingly, bigmathutils, one of the detected npm packages, received over 10,000 downloads following the release of the first, non-malicious version and prior to the release of the second version with a malicious payload.
Below is a list of the package names.

- npm: graphalgo, graphorithm, graphsConstruct, graphlibcore, netstruct, graphnetworkx, terminalcolor256, graphkitx, graphchain, graphflux, graphorbit, graphnet, graphhub, terminal-kleur, graphrix, bignumx, bignumberx, bignumex, bigmathex, bigmathlib, bigmathutils, graphlink, Bigmathix, graphflowx
- PyPI: graphalgo, graphex, graphlibx, graphdict, graphflux, graphnode, graphsync, bigpyx, bignum, bigmathex, bigmathix, bigmathutils

The attack chain starts with the creation of a phony business, such as Veltrix Capital, in the blockchain and cryptocurrency trading space, followed by the setup of the required digital real estate to give the appearance of legitimacy, as is the case with many job-focused campaigns carried out by North Korean threat actors. The malicious package can collect cryptocurrency wallet details, system information, and Discord tokens, passwords, cookies, and autofill data from the Google Chrome, Microsoft Edge, Brave, Opera, and Yandex browsers.
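As a practical defender-side check, the following script (an added example, not code from the article or from the researchers it cites) compares the dependency names in a project's `package.json` and `requirements.txt` against the package names listed above. It matches on name regardless of version, because, as the article notes for bigmathutils, the first published version was benign and the malicious payload arrived in a later release. The two manifests below are constructed sample inputs, and the helper names (`find_flagged`, `npm_dependency_names`, `pypi_requirement_names`) are this example's own.

```python
"""Check project manifests for the package names the article attributes to the
graphalgo campaign. Added example; the manifests below are constructed samples."""
import json
import re

# Package names exactly as listed in the article. npm treats names case-insensitively
# in practice and the article prints one as "Bigmathix", so compare in lower case.
GRAPHALGO_NPM = {n.lower() for n in """
graphalgo graphorithm graphsConstruct graphlibcore netstruct graphnetworkx
terminalcolor256 graphkitx graphchain graphflux graphorbit graphnet graphhub
terminal-kleur graphrix bignumx bignumberx bignumex bigmathex bigmathlib
bigmathutils graphlink Bigmathix graphflowx
""".split()}


def normalise_pypi(name):
    """PyPI treats '-', '_' and '.' as equivalent and names as case-insensitive."""
    return re.sub(r"[-_.]+", "-", name).lower()


GRAPHALGO_PYPI = {normalise_pypi(n) for n in """
graphalgo graphex graphlibx graphdict graphflux graphnode graphsync bigpyx
bignum bigmathex bigmathix bigmathutils
""".split()}


def npm_dependency_names(package_json_text):
    """Collect dependency names from every dependency section of a package.json."""
    data = json.loads(package_json_text)
    names = set()
    for section in ("dependencies", "devDependencies",
                    "optionalDependencies", "peerDependencies"):
        names.update(data.get(section, {}).keys())
    return names


def pypi_requirement_names(requirements_text):
    """Collect normalised project names from a requirements.txt.
    Comments, blank lines and option lines (-r, --index-url, ...) are skipped;
    extras and version specifiers are dropped so only the name is compared."""
    names = set()
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.add(normalise_pypi(m.group(1)))
    return names


def find_flagged(package_json_text=None, requirements_text=None):
    """Return sorted (ecosystem, name) pairs for dependencies that match the list."""
    hits = []
    if package_json_text is not None:
        for name in npm_dependency_names(package_json_text):
            if name.lower() in GRAPHALGO_NPM:
                hits.append(("npm", name))
    if requirements_text is not None:
        for name in pypi_requirement_names(requirements_text):
            if name in GRAPHALGO_PYPI:
                hits.append(("pypi", name))
    return sorted(hits)


# Constructed sample manifests (not real project files).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "dependencies": {"express": "^4.18.2", "bigmathutils": "^1.1.0"},
    "devDependencies": {"Bigmathix": "1.0.0"},
})
SAMPLE_REQUIREMENTS = (
    "requests==2.31.0\n"
    "# constructed sample\n"
    "graphsync>=0.2  # pulled in for graph utilities\n"
    "BigMathEx[fast]==0.1\n"
    "-r other.txt\n"
)

if __name__ == "__main__":
    for ecosystem, name in find_flagged(SAMPLE_PACKAGE_JSON, SAMPLE_REQUIREMENTS):
        print(f"FLAGGED {ecosystem}: {name}")
```

Run it against real manifests by reading the files into the two arguments; a lockfile (`package-lock.json`, `poetry.lock`) is a better source than the top-level manifest because it also covers transitive dependencies.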
Security researcher Guy Korolevski stated, "The malicious package downloads a secondary payload in addition to stealing information from the host it infected." The data is then exfiltrated to a Discord webhook and the backup Gofile file storage service. "With its self-updating capabilities, this payload is made to run at the start of the Discord Desktop app and steal directly from it, including the user's payment methods."
The discovery also coincides with another malware campaign that uses the "npm install" command to extort cryptocurrency payments from developers while they are installing packages. OpenSourceMalware has named the campaign XPACK ATTACK; it was first discovered on February 4, 2026.