The North Korean hacker collective Lazarus has started a new malware campaign, dubbed "Graphalgo", that primarily targets developers who work with Python and JavaScript.

The campaign lures developers into installing malicious software through coding tasks attached to cryptocurrency job offers. It has been operating since May 2025 and layers its deception across trusted services such as GitHub, npm, and PyPI, which makes it hard for victims to recognise.

Malicious Job Offers and Fake Companies

The fictitious business "Veltrix Capital" is at the center of the Graphalgo campaign. It claims to be active in cryptocurrency trading and blockchain.

However, the company's website, set up in April 2025, gives no specific information about its leadership and no contact details, which is a glaring red flag.

The Lazarus Group used this front to fabricate job offers, especially for technical positions such as DevOps. The offers were circulated on social media sites including Facebook, Reddit, and LinkedIn, where prospective hires were asked to complete coding exercises meant to assess their skills. The exercises look legitimate, but they are frequently tied to GitHub and npm repositories.

For instance, candidates were asked to work on GitHub projects that depended on packages such as graphnetworkx and bigmathutils, which appeared innocuous.

Image: One of the job tasks involves a malicious dependency (Source: ReversingLabs)

The packages were benign at first. Once a sizable number of developers had installed them, the attackers released a malicious update that covertly installed malware on the developers' systems.

The Modular Approach and Malevolent Dependencies

The Graphalgo campaign's modular design is what makes it effective. Rather than depending on a single point of failure, the threat actor stacks several layers of deception: a fake business, fake job offers, and open-source packages.

Image: Landing page for a repository that was created by the victim (Source: ReversingLabs)

Even if one layer is exposed or taken down, the remaining layers let Lazarus carry on.

The malware is distributed through public registries, npm for JavaScript and PyPI for Python. To make the malicious packages look authentic, the attackers chose names that borrow from well-known libraries such as networkx and graphlib. Listed as dependencies of the job-task repositories, the packages ran on victims' machines as soon as the task's dependencies were installed.

Notably, the attackers were patient. The bigmathutils package on npm had accumulated over 10,000 downloads before the malicious version was published. Seeding a benign version first gave the package a track record and an installed base, so the malicious update reached many systems before the attack was discovered.
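As an added example, not ReversingLabs' code and not anything taken from the campaign, the following Python script applies the lessons of the two paragraphs above to a job-task repository's manifest before anything is installed. It flags dependencies whose names borrow from well-known packages, unpinned version ranges that would resolve to whatever version is newest, and packages whose latest release is recent or whose whole publishing history is short. The manifest, the registry snapshot with its publish dates, the reference date, and every package name other than graphnetworkx and bigmathutils are constructed for the example.

```python
"""Pre-install triage of a coding task's dependency manifest.

Added example (not ReversingLabs' or the campaign's code). The manifest,
registry snapshot and dates below are constructed; in practice the snapshot
would come from `npm view <pkg> time --json` or the PyPI JSON API.
"""
import json
import re
from datetime import date

# Constructed sample package.json, modeled on a "coding task" repository.
SAMPLE_PACKAGE_JSON = """
{
  "name": "veltrix-coding-task",
  "dependencies": {
    "graphnetworkx": "^1.0.0",
    "bigmathutils": "~2.1.0",
    "express": "4.18.2"
  }
}
"""

# Constructed registry snapshot: version -> publish date (hypothetical values).
SAMPLE_REGISTRY = {
    "graphnetworkx": {"1.0.0": "2025-05-02", "1.0.1": "2025-05-10", "1.1.0": "2025-08-20"},
    "bigmathutils": {"2.1.0": "2025-05-03", "2.1.1": "2025-08-22"},
    "express": {"4.18.2": "2022-10-08"},
}

# Short list of well-known names a lookalike package would borrow from.
WELL_KNOWN = {"networkx", "graphlib", "express", "lodash", "requests", "numpy"}

EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")


def levenshtein(a, b):
    """Edit distance between two strings (used for near-miss package names)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name, well_known=WELL_KNOWN):
    """Return the well-known package that `name` borrows from, or None."""
    if name in well_known:
        return None
    for known in sorted(well_known):
        # graphnetworkx contains networkx; a distance of <= 2 catches typosquats.
        if known in name or levenshtein(name, known) <= 2:
            return known
    return None


def publish_window(entry):
    """(first_date, latest_version, latest_date) from a version->date mapping."""
    dates = {v: date.fromisoformat(d) for v, d in entry.items()}
    latest = max(dates, key=dates.get)
    return min(dates.values()), latest, dates[latest]


def triage(package_json_text, registry, today, recent_days=30, young_days=180):
    """Return {dependency: [findings]} for every dependency that raises a flag."""
    manifest = json.loads(package_json_text)
    findings = {}
    for name, spec in manifest.get("dependencies", {}).items():
        notes = []
        if not EXACT_VERSION.match(spec):
            notes.append(f"unpinned range {spec!r}: install may resolve to a newer version "
                         "than the one the task was written against")
        known = lookalike_of(name)
        if known:
            notes.append(f"name borrows from well-known package {known!r}")
        entry = registry.get(name)
        if entry is None:
            notes.append("not found in registry snapshot")
        else:
            first, latest, latest_date = publish_window(entry)
            latest_age = (today - latest_date).days
            if latest_age <= recent_days:
                notes.append(f"latest version {latest} published {latest_age} days ago")
            if (today - first).days <= young_days:
                notes.append(f"package history is only {(today - first).days} days long")
        if notes:
            findings[name] = notes
    return findings


if __name__ == "__main__":
    for dep, notes in triage(SAMPLE_PACKAGE_JSON, SAMPLE_REGISTRY, date(2025, 8, 25)).items():
        print(dep)
        for note in notes:
            print("  -", note)
```

Run it and only graphnetworkx and bigmathutils are reported; express is exactly pinned, is itself a well-known name, and has no recent release. The point of the registry checks is the pattern the article describes: a benign package sits quietly while it accumulates installs, then gets a fresh release, so a recently published version on top of a short history deserves a manual look before `npm install` or `pip install` runs.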

The final payload is a remote access trojan (RAT) that gave the attackers control over compromised systems, let them steal data, and even monitor activity in cryptocurrency wallets. The RAT communicated with a command-and-control server and could execute arbitrary commands on compromised hosts.

Image: Reddit post advertising a fictitious Veltrix Capital job (Source: ReversingLabs)

The campaign shows how sophisticated state-sponsored cyberattacks have become.

This latest Lazarus Group campaign, from an actor that has repeatedly targeted developers in open-source ecosystems, is a reminder of the danger of pulling software from sources you cannot verify. Because fake job offers and cryptocurrency lures are recurring themes in its attacks, developers should be alert to these social engineering scams. ReversingLabs is monitoring the situation as part of ongoing research and will publish updates.

Unsolicited job offers should raise suspicion, particularly when they ask the candidate to download or run coding tests from external repositories. If you do take such a test, run it in a disposable VM or container and inspect its dependency list before installing anything.