Home News Fake Crypto Job Recruiters Trick Developers Into Installing Malware via Coding Challenges
News

Fake Crypto Job Recruiters Trick Developers Into Installing Malware via Coding Challenges

162

Fake Job Recruiters Use Coding Challenges to Deploy Malware on Developers’ Systems

A new campaign targeting JavaScript and Python developers has been uncovered, in which fake recruiters disguise malware as cryptocurrency-related coding tasks. The activity, ongoing since May 2025, is modular, allowing threat actors to resume operations even if partially disrupted.

The campaign has been dubbed Graphalgo by researchers at ReversingLabs, who link it to North Korean threat actors, most likely the Lazarus Group.


How the Campaign Works

Threat actors create fake companies in the blockchain and crypto-trading sectors and post job listings on platforms such as LinkedIn, Facebook, and Reddit.

Developers applying for these positions are asked to run, debug, or improve coding projects as part of the recruitment process. However, this step is a trap:

  • Running the project automatically installs a malicious dependency from legitimate repositories like npm and PyPI.
  • The malicious packages then deliver a remote access trojan (RAT) to the developer’s system.
  • GitHub repositories appear clean, while malicious code is injected indirectly via dependencies hosted elsewhere.

Malicious Packages and Variants

ReversingLabs discovered 192 malicious packages linked to Graphalgo.

  • Early packages contained “graph” in their names to mimic legitimate libraries like graphlib.
  • Since December 2025, the actor shifted to packages containing “big” in the name.
  • Packages such as bigmathutils, with over 10,000 downloads, were benign initially but introduced malicious payloads in later versions, then deprecated to cover tracks.

The campaign includes multiple variants written in JavaScript, Python, and VBS, targeting a broad range of developers.


Capabilities of the RAT

Once installed, the RAT can:

  • List running processes
  • Execute arbitrary commands from a token-protected command-and-control (C2) server
  • Exfiltrate files and deploy additional payloads
  • Detect if the MetaMask cryptocurrency extension is installed, indicating a focus on money theft

The malware is designed to remain stealthy, with delayed activation and modular components—a hallmark of Lazarus Group operations. Git commit timestamps also suggest the GMT +9 time zone, consistent with North Korea.


Recommendations for Developers

Developers who may have installed these malicious packages should:

  • Rotate all account passwords and API tokens immediately
  • Reinstall their operating system to ensure complete removal of the malware
  • Exercise caution when running code from unfamiliar or unverified sources, even in recruitment or interview contexts

1 Comment

  • “This is a strong warning for developers: never run code from unverified sources, even for job interviews or coding challenges. Malicious packages can install RATs and steal sensitive data, including cryptocurrency information.”

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Articles

NewsSecurity

Telegram’s t.me Domain Goes Offline Worldwide After Registry Imposes ServerHold

Telegram’s t.me Links Go Offline After Domain Registry Places Hold on Address...

NewsSecurity

Critical U-Boot Flaws Could Let Hackers Install Stealthy Firmware Malware

New U-Boot Bootloader Flaws Could Enable Stealthy Firmware-Level Attacks Security researchers have...

NewsSecurity

Exposed Hacker Server Reveals Massive Campaign Compromising 25,000 WordPress Websites

Exposed Server Reveals 25,000 Hacked WordPress Websites in Large Cybercrime Campaign A...

NewsSecurity

Hidden Tenda Router Backdoor Gives Hackers Full Administrator Access

Hidden Backdoor in Tenda Router Firmware Allows Attackers to Gain Admin Access...