Lazarus Group’s ‘Graphalgo’ Fake Recruiter Campaign Targets GitHub, npm, and PyPI to Spread Malware


Lazarus Group’s latest software supply chain operation uses fake recruiter lures and popular open‑source ecosystems to quietly deliver malware to cryptocurrency‑focused developers.

The campaign, dubbed graphalgo, abuses GitHub, npm, and PyPI to hide multi‑stage payloads behind seemingly legitimate coding tasks and packages.

Since early May 2025, attackers have been approaching JavaScript and Python developers via LinkedIn, Facebook, and Reddit forums with “test” tasks that appear to be part of a normal interview process.

To support the ruse, the attackers built a fake company persona called “Veltrix Capital,” complete with domains like veltrixcap[.]org and veltrixcapital[.]ai and corresponding GitHub organizations hosting coding projects.

According to new research from ReversingLabs, Graphalgo is a fresh branch of a long‑running North Korean Lazarus Group operation that targets developers with job offers tied to blockchain and crypto exchanges.

These sites publish generic, likely AI‑generated content to look like a real crypto trading firm while avoiding specifics that would be easy to verify.

Fake Recruiter Campaign

Under the Veltrix‑branded GitHub accounts, the threat actors published multiple repositories with names such as test‑url‑monitoring and test‑devops‑orchestrator in both JavaScript and Python.

The campaign includes a malicious npm package, bigmathutils, which accumulated more than 10K downloads after its original, non‑malicious version was published.

Campaign overview (Source : ReversingLabs).

At first glance the projects look like standard DevOps or monitoring assignments and do not contain obvious malicious code.

The trap is hidden in dependencies: job task templates include packages like graphnetworkx from npm, which targeted developers then inherit into their own forked repositories when they accept and run the assignment.

Once the candidate runs “npm install” or the equivalent to begin work, the malicious dependency executes, giving the attackers a foothold on the developer’s machine before any red flags appear.
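The install‑time trap described above can be checked for before running `npm install`. The following is an added example (not ReversingLabs’ tooling and not code from the Veltrix repositories) that applies two defender‑side checks to a task repository’s manifest: which resolved dependencies declare npm lifecycle hooks that execute during installation, and which dependency names embed a well‑known library name in the way the “graph” packages do. The package.json contents, the `WELL_KNOWN` allow‑list and the `node setup.js` hook command are constructed sample data.

```python
"""Audit a coding-task repository's npm dependencies before `npm install`.

Added example (not ReversingLabs' tooling). Two checks the campaign motivates:
(1) which packages would execute code at install time through npm lifecycle
hooks, and (2) which dependency names piggy-back on a well-known library name.
All manifests below are constructed samples.
"""
from collections import Counter
from typing import Optional

# npm runs these script names automatically as part of `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumption: a short allow-list of well-known names maintained by the reviewing team.
WELL_KNOWN = {"graphlib", "networkx", "lodash", "express"}


def install_hooks(manifest: dict) -> dict:
    """Return {hook: command} for every install-time hook in a package.json dict."""
    scripts = manifest.get("scripts") or {}
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def lookalike_of(name: str) -> Optional[str]:
    """Return the well-known name that `name` embeds, unless `name` is that package itself."""
    base = name.split("/")[-1].lower()  # drop an npm scope such as @org/
    for known in sorted(WELL_KNOWN, key=len, reverse=True):
        if base != known and known in base:
            return known
    return None


def audit(root: dict, installed: dict) -> list:
    """Produce findings for a root package.json and the manifests of its resolved deps."""
    findings = []
    for dep in sorted(root.get("dependencies", {})):
        known = lookalike_of(dep)
        if known:
            findings.append(f"{dep}: name embeds well-known package '{known}'")
        for hook, cmd in install_hooks(installed.get(dep, {})).items():
            findings.append(f"{dep}: runs '{cmd}' in {hook} during npm install")
    return findings


# Constructed sample: a task repo depending on a lookalike package with a postinstall hook.
TASK_PACKAGE_JSON = {
    "name": "test-url-monitoring",
    "dependencies": {"graphnetworkx": "^1.0.0", "express": "^4.18.0"},
}
RESOLVED = {
    "graphnetworkx": {"name": "graphnetworkx", "scripts": {"postinstall": "node setup.js"}},
    "express": {"name": "express", "scripts": {}},
}

if __name__ == "__main__":
    for line in audit(TASK_PACKAGE_JSON, RESOLVED):
        print(line)
    print(Counter(f.split(":")[0] for f in audit(TASK_PACKAGE_JSON, RESOLVED)))
```

In practice the resolved manifests come from the `package.json` files under `node_modules` after an install run with `npm install --ignore-scripts`, which fetches packages without executing their hooks; a hook on a dependency the task never needed is the signal to stop and inspect before a normal install.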

ReversingLabs links graphalgo to two families of malicious or impersonating packages hosted on npm and PyPI.

  • “Graph” packages: These appeared from May 2025 and mimic legitimate graphlib (npm) and networkx (PyPI), and were directly used in Veltrix‑branded interview tasks.
  • “Big” packages: A second wave, starting December 2025, uses names containing “big” and appears to support another, still‑undiscovered front‑end campaign.

One standout example is the npm package payload bigmathutils, which initially shipped as a benign utility and accumulated over 10,000 downloads before a malicious version 1.1.0 was pushed just before February 11, 2026.

Several compromised developers were identified via their repositories and contacted for more information about the incident. Some of them came across the job advertisement in forums like Reddit or dedicated Facebook groups.

Advertisement for a fake job position at Veltrix Capital posted on Reddit (Source : ReversingLabs).

The malicious 1.1.0 update carried the same downloader payload seen in earlier graphalgo‑linked packages and was quickly removed, with the package then marked deprecated, a likely attempt by the attackers to erase traces of the weaponized release after seeding infections.

Remote‑access Trojan and C2 tricks

The malicious npm and PyPI packages in this campaign act as first‑stage loaders that pull down a remote‑access trojan (RAT) from attacker‑controlled infrastructure.

The RAT can download and upload files, list processes, and execute arbitrary commands, giving Lazarus broad control over compromised developer systems.

Notably, the command‑and‑control (C2) channel uses token‑protected communication, refusing commands that lack a valid token issued during agent registration, a technique seen in prior North Korean‑linked npm campaigns.

The malware also checks for the presence of the MetaMask browser extension, highlighting a clear focus on stealing cryptocurrency assets or accessing environments that manage digital wallets.

ReversingLabs attributes graphalgo to Lazarus Group based on a series of recurring tradecraft patterns from earlier North Korean operations.

Git commits with GMT+9 timezone timestamps (Source : ReversingLabs).

These include fake job interviews targeting developers, crypto‑themed stories, multi‑stage malware with layered obfuscation, token‑protected C2 infrastructure, and delayed activation of malicious package versions after trust and download counts are built up.

Git commit timestamps aligned with GMT+9, North Korea’s time zone, further support the link, as do similarities to past campaigns like VMConnect that abused PyPI and GitHub in almost identical ways.
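The commit‑timezone observation above is easy to reproduce for any repository under review. The following is an added example (not ReversingLabs’ tooling) that parses the output of `git log --format=%aI`, which prints ISO 8601 author dates carrying each author’s local UTC offset, and tallies the offsets so a reviewer can see whether a repository’s history clusters in an offset that does not fit the claimed company location. The log lines are constructed samples, not commits from the Veltrix repositories.

```python
"""Tally author UTC offsets across a git history.

Added example, not ReversingLabs' tooling. Input is the output of
`git log --format=%aI` (one ISO 8601 author date per line, e.g.
2025-05-06T14:03:11+09:00). The sample log below is constructed.
"""
from collections import Counter
from datetime import datetime


def parse_offsets(log_lines):
    """Return a Counter of '+HH:MM' offset strings, one count per commit line."""
    counts = Counter()
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        dt = datetime.fromisoformat(line)  # %aI keeps the author's local offset
        tz = dt.utcoffset()
        if tz is None:  # a naive timestamp carries no offset information
            counts["unknown"] += 1
            continue
        total_min = int(tz.total_seconds() // 60)
        sign = "+" if total_min >= 0 else "-"
        hours, minutes = divmod(abs(total_min), 60)
        counts[f"{sign}{hours:02d}:{minutes:02d}"] += 1
    return counts


def dominant_offset(counts):
    """Return (offset, share) for the most common offset; share is a 0..1 fraction."""
    total = sum(counts.values())
    if total == 0:
        return None, 0.0
    offset, n = counts.most_common(1)[0]
    return offset, n / total


# Constructed sample log: five commits, four of them authored at UTC+09:00.
SAMPLE_LOG = """\
2025-05-06T14:03:11+09:00
2025-05-07T09:41:52+09:00
2025-05-09T22:15:00+09:00
2025-05-12T11:20:33+09:00
2025-06-01T16:00:00+00:00
"""

if __name__ == "__main__":
    offsets = parse_offsets(SAMPLE_LOG.splitlines())
    for offset, n in offsets.most_common():
        print(f"{offset}: {n}")
    print("dominant:", dominant_offset(offsets))
```

Author dates are set by the committing machine and can be rewritten at will, so a dominant offset is one corroborating signal alongside the tradecraft overlaps the researchers list, not proof of origin on its own.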

Researchers warn that graphalgo’s modular design lets Lazarus swap front‑end brands like Veltrix while keeping the same back‑end payload and infrastructure, meaning more fake companies, packages, and coding tests are likely on the way.
