Cybersecurity researchers have discovered a fresh set of malicious packages across npm and the Python Package Index (PyPI) repository linked to a fake recruitment-themed campaign orchestrated by the North Korea-linked Lazarus Group.
Researchers have codenamed the coordinated campaign graphalgo, referencing the first package published in the npm registry. Moreover, investigators assess that the operation has remained active since May 2025.
“Developers are approached via social platforms like LinkedIn and Facebook, or through job offerings on forums like Reddit,” Karlo Zanki, a researcher at ReversingLabs, said in a report. “The campaign includes a well-orchestrated story around a company involved in blockchain and cryptocurrency exchanges.”
Notably, one of the identified npm packages, bigmathutils, attracted more than 10,000 downloads after the first, non-malicious version appeared. However, attackers later introduced a second version containing a malicious payload.
The names of the packages appear below:
npm –
- graphalgo
- graphorithm
- graphstruct
- graphlibcore
- netstruct
- graphnetworkx
- terminalcolor256
- graphkitx
- graphchain
- graphflux
- graphorbit
- graphnet
- graphhub
- terminal-kleur
- graphrix
- bignumx
- bignumberx
- bignumex
- bigmathex
- bigmathlib
- bigmathutils
- graphlink
- bigmathix
- graphflowx
PyPI –
- graphalgo
- graphex
- graphlibx
- graphdict
- graphflux
- graphnode
- graphsync
- bigpyx
- bignum
- bigmathex
- bigmathix
- bigmathutils
Fake Blockchain Firm Used to Build Credibility
As with many job-focused campaigns conducted by North Korean threat actors, the attack chain begins when operators establish a fake company like Veltrix Capital in the blockchain and cryptocurrency trading space. Subsequently, they set up the necessary digital infrastructure to create an illusion of legitimacy.
Specifically, the threat actors register a domain and create a related GitHub organization to host several repositories for coding assessments. These repositories contain projects based on Python and JavaScript.
“Examination of these repositories didn’t reveal any obvious malicious functionality,” Zanki said. “That is because the malicious functionality was not introduced directly via the job interview repositories, but indirectly – through dependencies hosted on the npm and PyPI open-source package repositories.”
In other words, the attackers design these repositories to trick candidates who apply to job listings on Reddit and Facebook Groups into running the projects locally. As a result, victims install the malicious dependency and trigger the infection. In some cases, seemingly legitimate recruiters on LinkedIn directly contact victims.
Malicious Packages Deploy Remote Access Trojan
Ultimately, the packages act as a conduit to deploy a remote access trojan (RAT) that periodically fetches and executes commands from an external server. The malware supports commands that gather system information, enumerate files and directories, list running processes, create folders, rename files, delete files, and upload or download files.
Interestingly, the attackers protect command-and-control (C2) communication with a token-based mechanism that ensures the server accepts only requests containing a valid token. Previously, researchers observed this approach in 2023 campaigns linked to the North Korean hacking group Jade Sleet, also known as TraderTraitor or UNC4899.
The mechanism works as follows: the packages send system data during a registration step to the C2 server, which then responds with a token. Subsequently, the infected system includes this token in future requests to prove its registered status.
“The token-based approach is a similarity […] in both cases and has not been used by other actors in malware hosted on public package repositories as far as we know,” Zanki told in a report.
Overall, the findings demonstrate that North Korean state-sponsored threat actors continue to poison open-source ecosystems with malicious packages to steal sensitive data and conduct financial theft. Notably, the RAT checks whether the MetaMask browser extension appears on the infected machine, indicating a focus on cryptocurrency assets.
“Evidence suggests that this is a highly sophisticated campaign,” ReversingLabs said. “Its modularity, long-lived nature, patience in building trust across different campaign elements, and the complexity of the multilayered and encrypted malware point to the work of a state-sponsored threat actor.”
JFrog Discovers “duer-js” npm Package Delivering Bada Stealer
Meanwhile, JFrog uncovered a sophisticated malicious npm package called “duer-js,” published by a user named “luizaearlyx.” Although the library claims to serve as a utility to “make the console window more visible,” it delivers a Windows information stealer known as Bada Stealer.
The malware gathers Discord tokens, passwords, cookies, and autofill data from Google Chrome, Microsoft Edge, Brave, Opera, and Yandex Browser. Additionally, it collects cryptocurrency wallet details and system information. The attackers then exfiltrate the stolen data to a Discord webhook and use the Gofile file storage service as a backup channel.
“In addition to stealing information from the host it infected, the malicious package downloads a secondary payload,” security researcher Guy Korolevski said. “This payload is designed to run on the Discord Desktop app startup, with self-updating capabilities, stealing directly from it, including payment methods used by the user.”
XPACK ATTACK Uses npm to Extort Cryptocurrency Payments
At the same time, researchers uncovered another malware campaign that weaponizes npm to extort cryptocurrency payments from developers during package installation via the “npm install” command. OpenSourceMalware first recorded the campaign on February 4, 2026, and dubbed it XPACK ATTACK.
duer-js malicious package flow, hijacking Discord’s Electron environment
The packages, all uploaded by a user named “dev.chandra_bose,” include:
- xpack-per-user
- xpack-per-device
- xpack-sui
- xpack-subscription
- xpack-arc-gateway
- xpack-video-submission
- test-npm-style
- xpack-subscription-test
- testing-package-xdsfdsfsc
“Unlike traditional malware that steals credentials or executes reverse shells, this attack innovatively abuses the HTTP 402 ‘Payment Required’ status code to create a seemingly legitimate payment wall,” security researcher Paul McCarty said. “The attack blocks installation until victims pay 0.1 USDC/ETH to the attacker’s wallet, while collecting GitHub usernames and device fingerprints.”
“If they refuse to pay, the installation simply fails after wasting 5+ minutes of their development time, and they may not even realize they’ve encountered malware versus what appeared to be a legitimate paywall for package access.”
Source: TheHackerNews
Read more at Impreza News
