Fake Job Recruiters Use Coding Challenges to Deploy Malware on Developers’ Systems
A new campaign targeting JavaScript and Python developers has been uncovered, in which fake recruiters disguise malware as cryptocurrency-related coding tasks. The activity, ongoing since May 2025, is modular, allowing threat actors to resume operations even if partially disrupted.
The campaign has been dubbed Graphalgo by researchers at ReversingLabs, who link it to North Korean threat actors, most likely the Lazarus Group.
How the Campaign Works
Threat actors create fake companies in the blockchain and crypto-trading sectors and post job listings on platforms such as LinkedIn, Facebook, and Reddit.
Developers applying for these positions are asked to run, debug, or improve coding projects as part of the recruitment process. However, this step is a trap:
- Running the project automatically installs a malicious dependency from legitimate repositories like npm and PyPI.
- The malicious packages then deliver a remote access trojan (RAT) to the developer’s system.
- GitHub repositories appear clean, while malicious code is injected indirectly via dependencies hosted elsewhere.
Malicious Packages and Variants
ReversingLabs discovered 192 malicious packages linked to Graphalgo.
- Early packages contained “graph” in their names to mimic legitimate libraries like graphlib.
- Since December 2025, the actor shifted to packages containing “big” in the name.
- Packages such as bigmathutils, which has over 10,000 downloads, were benign in their initial releases, introduced malicious payloads in later versions, and were then deprecated to cover the actor's tracks.
The campaign includes multiple variants written in JavaScript, Python, and VBS, targeting a broad range of developers.
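A pre-run triage check of the kind a developer can apply to a "challenge" project before running it, added here as an example (not code from the ReversingLabs report or the campaign's own files): it flags npm install-time scripts, dependency specs that are version ranges or non-registry sources (the route by which a later, weaponised release of an initially benign package gets pulled in), and URL/VCS requirements. The two manifests, the helper-lib name and the example.invalid host are constructed placeholders, and the name-fragment check is only a prompt to verify the publisher.

```python
import json
import re
# Constructed sample manifests (not from the report), shaped like the "coding challenge" projects described.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "trading-bot-challenge",
    "scripts": {"postinstall": "node setup.js", "start": "node index.js"},
    "dependencies": {
        "express": "4.18.2",                                     # exact pin
        "bigmathutils": "^1.0.0",                                # range: silently pulls a newer 1.x
        "helper-lib": "git+https://example.invalid/helper.git",  # placeholder non-registry source
    },
})
SAMPLE_REQUIREMENTS = "requests==2.31.0\ngraph-utils>=0.1\nhttps://example.invalid/pkg.tar.gz\n"

# npm hooks that run code at install time, before the developer has opened a single file.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
# Name fragments the article reports for this campaign: a prompt to verify the publisher, not proof.
SUSPECT_NAME_FRAGMENTS = ("graph", "big")

def _name_hint(name):
    if any(frag in name.lower() for frag in SUSPECT_NAME_FRAGMENTS):
        return [f"{name}: name matches a pattern reported for this campaign; verify the publisher"]
    return []

def audit_package_json(text):
    # Flag install-time scripts, version ranges and non-registry sources in a package.json.
    data = json.loads(text)
    scripts = data.get("scripts", {})
    findings = [f"install-time script '{h}' runs: {scripts[h]}" for h in sorted(LIFECYCLE_HOOKS & set(scripts))]
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            if not re.fullmatch(r"\d+\.\d+\.\d+", spec):  # anything but an exact version
                findings.append(f"{name}: spec '{spec}' is a range or a non-registry source")
            findings += _name_hint(name)
    return findings

def audit_requirements(text):
    # Flag URL/VCS requirements and names not pinned to an exact version in a requirements.txt.
    findings = []
    lines = [r.strip() for r in text.splitlines() if r.strip() and not r.lstrip().startswith("#")]
    for line in lines:
        if "://" in line or line.startswith(("-e", "git+")):
            findings.append(f"non-registry requirement: {line}")
            continue
        name = re.split(r"[<>=!~\[ ]", line, maxsplit=1)[0]
        if not re.fullmatch(r"[A-Za-z0-9_.\-]+==\S+", line):
            findings.append(f"{name}: not pinned to an exact version ({line})")
        findings += _name_hint(name)
    return findings
```

Run both functions over a project's manifests before any `npm install` or `pip install`; an empty result does not make the project safe, but any finding is a reason to inspect the package and its publisher rather than run the code.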
Capabilities of the RAT
Once installed, the RAT can:
- List running processes
- Execute arbitrary commands from a token-protected command-and-control (C2) server
- Exfiltrate files and deploy additional payloads
- Detect if the MetaMask cryptocurrency extension is installed, indicating a focus on money theft
The malware is designed to remain stealthy, with delayed activation and modular components—a hallmark of Lazarus Group operations. Git commit timestamps also suggest the GMT +9 time zone, consistent with North Korea.
Recommendations for Developers
Developers who may have installed these malicious packages should:
- Rotate all account passwords and API tokens immediately
- Reinstall their operating system to ensure complete removal of the malware
- Exercise caution when running code from unfamiliar or unverified sources, even in recruitment or interview contexts
“This is a strong warning for developers: never run code from unverified sources, even for job interviews or coding challenges. Malicious packages can install RATs and steal sensitive data, including cryptocurrency information.”