Lazarus Group Uses Fake Hiring Drive to Seed Malicious Packages Across npm and PyPI


Security analysts have identified a cluster of hostile packages uploaded to the npm and PyPI registries that are tied to a recruitment-style operation attributed to the North Korea-linked Lazarus Group. The intrusion effort, tracked under the label “graphalgo” after the initial npm package detected, appears to have been in motion since May 2025.

According to ReversingLabs researcher Karlo Zanki, the operators reach out to prospective targets through social media platforms such as LinkedIn and Facebook, and by posting job opportunities on sites like Reddit. The threat actors constructed a credible-sounding narrative around a fictitious organization focused on blockchain and crypto exchange services to lure candidates into engagement.

One notable example is the npm package bigmathutils: an early, benign release accumulated more than 10,000 downloads before a later version was pushed containing malicious code. The researchers cataloged numerous package names associated with the campaign. The npm packages observed include:

graphalgo
graphorithm
graphstruct
graphlibcore
netstruct
graphnetworkx
terminalcolor256
graphkitx
graphchain
graphflux
graphorbit
graphnet
graphhub
terminal-kleur
graphrix
bignumx
bignumberx
bignumex
bigmathex
bigmathlib
bigmathutils
graphlink
bigmathix
graphflowx

The PyPI packages tied to the operation are listed as:

graphalgo
graphex
graphlibx
graphdict
graphflux
graphnode
graphsync
bigpyx
bignum
bigmathex
bigmathix
bigmathutils

As with several prior job-focused intrusions linked to DPRK actors, the campaign’s playbook involved building a veneer of legitimacy: registering a domain, creating a GitHub organization and populating it with repositories intended for coding assessments. Those repositories—containing Python and JavaScript projects—looked harmless on inspection because the actual malicious behavior was not embedded directly in the interview code. Instead, the infection was introduced via dependencies pulled from public package registries.

Zanki explained that candidates were duped into executing the supplied projects locally when completing coding tests, which caused their systems to install the hostile dependency and initiate compromise. In other scenarios, job-seekers were contacted directly by convincing recruiter profiles on LinkedIn.

The malicious packages serve as delivery mechanisms for a remote access trojan (RAT). Once deployed, the RAT periodically polls a command-and-control (C2) server and accepts instructions that allow the attacker to collect system details, enumerate files and directories, enumerate running processes, create and rename folders/files, delete items, and transfer files to and from the victim machine.

Communication with the C2 is gated by a token-based system so only clients that present a valid token are serviced. This registration flow—where an infected host submits identifying data, receives a token, and then must present that token for subsequent requests—mirrors techniques observed in 2023 operations connected to a North Korean cluster known as Jade Sleet (aka TraderTraitor / UNC4899).

Zanki noted that the token mechanism is a notable similarity between the campaigns and, as far as current analysis shows, uncommon among other actors abusing public package repositories. The researchers also highlighted the RAT’s checks for the presence of the MetaMask browser extension, underlining the campaign’s probable aim at credential and crypto-theft.

ReversingLabs characterized the operation as highly advanced, pointing to its modular architecture, the long-term nature of the effort, the careful trust-building across multiple campaign components, and the layered, encrypted malware as indicators of state-sponsored activity.

Independent research has also uncovered other malicious npm activity. JFrog reported a deceptive package named “duer-js,” published by a user identified as “luizaearlyx.” Marketed as a utility to “make the console window more visible,” the package actually contains a Windows information stealer known as Bada Stealer. JFrog’s analysis shows it harvests Discord tokens, saved passwords, browser cookies and autofill data from Google Chrome, Microsoft Edge, Brave, Opera and Yandex, collects cryptocurrency wallet data and system metadata, and exfiltrates those artifacts to a Discord webhook and to the Gofile storage service as redundancy.

Security researcher Guy Korolevski added that the duer-js package also drops a secondary payload designed to execute when the Discord Desktop application starts. That component can update itself and directly steal information from Discord, including payment methods.

At the same time, another campaign weaponized npm to coerce developers into making cryptocurrency payments during package installation. Tracked by OpenSourceMalware and labeled XPACK ATTACK, this scheme was first observed on February 4, 2026. The malicious packages, uploaded by a user named “dev.chandra_bose,” include:

xpack-per-user
xpack-per-device
xpack-sui
xpack-subscription
xpack-arc-gateway
xpack-video-submission
test-npm-style
xpack-subscription-test
testing-package-xdsfdsfsc

Rather than exfiltrate credentials or spawn remote shells, the attackers abused the HTTP 402 “Payment Required” response to erect a fake paywall during installation. As described by researcher Paul McCarty, the installation process halts until the developer pays roughly 0.1 USDC/ETH to an attacker-controlled wallet, while the operation collects GitHub usernames and device fingerprinting data. If the target declines payment, the installation eventually fails after consuming several minutes of the developer’s time, making the encounter easy to mistake for a legitimate paid-access restriction.

Taken together, these discoveries underline a persistent trend: nation-state and opportunistic cybercriminal groups are increasingly using open-source package registries as vectors to distribute malware, harvest credentials and monetize access. Developers and organizations should exercise extra caution when pulling new or unfamiliar dependencies, validate package provenance, and monitor for unexpected network activity during builds and runtime.
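A manifest check against the package names reported above, written here as an added example (not code from the article or from ReversingLabs, JFrog or OpenSourceMalware): it collects names from an npm package-lock.json and a requirements.txt and reports any that match. The manifest contents are constructed sample inputs, and a match is a prompt to review the package's publisher and version history, not a verdict on its own.

```python
# Added example, not from the article or the named research teams; manifests below are constructed.
import json
import re

NPM_IOCS = {  # npm names from the Lazarus, duer-js and XPACK ATTACK reports above
    "graphalgo", "graphorithm", "graphstruct", "graphlibcore", "netstruct",
    "graphnetworkx", "terminalcolor256", "graphkitx", "graphchain", "graphflux",
    "graphorbit", "graphnet", "graphhub", "terminal-kleur", "graphrix", "bignumx",
    "bignumberx", "bignumex", "bigmathex", "bigmathlib", "bigmathutils",
    "graphlink", "bigmathix", "graphflowx", "duer-js", "xpack-per-user",
    "xpack-per-device", "xpack-sui", "xpack-subscription", "xpack-arc-gateway",
    "xpack-video-submission", "test-npm-style", "xpack-subscription-test",
    "testing-package-xdsfdsfsc",
}
PYPI_IOCS = {  # PyPI names from the Lazarus report above
    "graphalgo", "graphex", "graphlibx", "graphdict", "graphflux", "graphnode",
    "graphsync", "bigpyx", "bignum", "bigmathex", "bigmathix", "bigmathutils",
}

def npm_names_from_lock(lock_text):
    # lockfileVersion 2/3: keys are install paths, and transitive deps nest as
    # a/node_modules/b, so the leaf after the last 'node_modules/' is the name.
    names = set()
    for path in json.loads(lock_text).get("packages", {}):
        if "node_modules/" in path:
            names.add(path.rsplit("node_modules/", 1)[1])
    return names

def pypi_names_from_requirements(text):
    # Drop comments and option lines (-r, -e), strip specifiers/extras/URL refs,
    # then apply PEP 503 normalization so "GraphDict" matches "graphdict".
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith("-"):
            name = re.split(r"[\s<>=!~;\[@]", line, maxsplit=1)[0]
            names.add(re.sub(r"[-_.]+", "-", name).lower())
    return names

def flag_iocs(npm_names, pypi_names):
    # Returns (npm hits, PyPI hits) as sorted lists; a hit means "review this", not a verdict.
    return sorted(npm_names & NPM_IOCS), sorted(pypi_names & PYPI_IOCS)
# Constructed manifests: one direct and one transitive npm hit, two PyPI hits.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"dependencies": {"express": "^4.19.2", "bigmathutils": "^1.2.0"}},
    "node_modules/express": {"version": "4.19.2"},
    "node_modules/bigmathutils": {"version": "1.2.0"},
    "node_modules/express/node_modules/graphflux": {"version": "0.1.0"}}})
SAMPLE_REQS = "requests==2.32.0\nGraphDict>=0.3  # constructed\n-r base.txt\nbignum\n"
```

Running `flag_iocs(npm_names_from_lock(SAMPLE_LOCK), pypi_names_from_requirements(SAMPLE_REQS))` on the constructed inputs reports the transitive graphflux entry as well as the direct bigmathutils one, which is the case a glance at package.json alone would miss.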

First published on February 13, 2026.
Last updated on April 24, 2026.