Fake Crypto Recruiters Infect Developers with RAT-Laced Coding Challenges in Lazarus-Linked Campaign

A new wave of fake recruiter campaigns attributed to North Korean threat actors is targeting JavaScript and Python developers with cryptocurrency-themed coding challenges that secretly deliver malware.

Researchers at ReversingLabs have dubbed the campaign “Graphalgo.” Active since at least May 2025, the operation is highly modular, allowing attackers to quickly rebuild and relaunch parts of the infrastructure if exposed.

The attackers pose as blockchain and crypto-trading companies, publishing job listings on platforms such as LinkedIn, Facebook, and Reddit. Applicants are asked to complete technical assessments that involve running, debugging, or enhancing a provided project. The real objective, however, is to trick developers into executing code that installs malicious dependencies.

The campaign relies on 192 malicious packages published to the npm and PyPI repositories. These packages act as downloaders for a remote access trojan (RAT). The malicious code is not directly embedded in the GitHub repositories provided to candidates. Instead, the repositories appear clean, while the harmful components are introduced indirectly through dependencies hosted on npm and PyPI.

In one documented case, a package called “bigmathutils” accumulated around 10,000 downloads as a benign library before version 1.1.0 introduced malicious functionality. Shortly afterward, the package was deprecated and removed, likely in an attempt to conceal the activity.
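The delivery chain described above (a clean-looking challenge repository whose manifests pull the malicious code in as a dependency, sometimes only from a later release) suggests a simple pre-install check. The script below is an added illustration, not code from ReversingLabs or from the article: it parses a take-home project's package.json and requirements.txt, flags npm install-time hooks, and flags any dependency whose version spec could resolve to a release on an indicator list. The indicator table and sample manifests are constructed; only the bigmathutils 1.1.0 entry comes from the article, which does not say which registry it lived on, so the same table is applied to both ecosystems.

```python
import json
import re

# Constructed indicator table for illustration only. "bigmathutils" 1.1.0 is the
# release the article names as malicious; treat the rest as placeholders.
KNOWN_BAD_VERSIONS = {"bigmathutils": {"1.1.0"}}
NPM_LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
EXACT_PIN = re.compile(r"\d+\.\d+\.\d+")

def audit_package_json(text):
    """Return findings for an npm manifest: install-time hooks and indicator matches."""
    pkg = json.loads(text)
    findings = []
    # Lifecycle hooks execute during `npm install`, before the candidate runs anything.
    for hook in sorted(NPM_LIFECYCLE_HOOKS & set(pkg.get("scripts", {}))):
        findings.append(f"lifecycle hook '{hook}' runs on install: {pkg['scripts'][hook]}")
    for section in ("dependencies", "devDependencies"):
        for name, spec in pkg.get(section, {}).items():
            bad = KNOWN_BAD_VERSIONS.get(name.lower())
            if bad is None:
                continue
            if EXACT_PIN.fullmatch(spec) and spec not in bad:
                continue  # exact pin to a version not on the list
            # A range such as ^1.0.0 silently picks up a later malicious release.
            findings.append(f"{section}: '{name}@{spec}' may resolve to a known-bad release")
    return findings

def audit_requirements(text):
    """Return findings for a PyPI requirements.txt using the same rules."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9_.-]+)\s*(==|>=|~=|<=|>|<)?\s*([\w.*]*)", line)
        if not line or not m:
            continue
        name, op, ver = m.group(1).lower(), m.group(2), m.group(3)
        bad = KNOWN_BAD_VERSIONS.get(name)
        if bad is None or (op == "==" and ver not in bad):
            continue
        findings.append(f"requirements.txt: '{line}' may resolve to a known-bad release")
    return findings

# Constructed sample manifests resembling a "trading bot" coding challenge.
SAMPLE_PACKAGE_JSON = """{
  "name": "trading-bot-challenge",
  "scripts": {"postinstall": "node setup.js", "test": "jest"},
  "dependencies": {"bigmathutils": "^1.0.0", "express": "^4.18.2"}
}"""
SAMPLE_REQUIREMENTS = "requests==2.31.0\nbigmathutils>=1.0  # pulls latest\n"

if __name__ == "__main__":
    for f in audit_package_json(SAMPLE_PACKAGE_JSON) + audit_requirements(SAMPLE_REQUIREMENTS):
        print("FINDING:", f)
```

Run it against the challenge repository before `npm install` or `pip install`; a clean result only means nothing matched the indicator list, so an unfamiliar dependency still deserves a look at its published versions.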

The name “Graphalgo” comes from early malicious packages containing “graph” in their names, designed to impersonate legitimate libraries such as graphlib. Starting in December 2025, researchers observed a shift toward package names containing “big,” although the associated recruitment front for those packages has not yet been identified.

The threat actors use GitHub Organizations accounts to manage projects collaboratively, giving the campaign a professional appearance. Victims who follow the instructions and run the provided code unknowingly install the malicious packages, which then deploy the RAT on their systems.

The RAT allows attackers to list running processes, execute arbitrary commands received from a command-and-control server, exfiltrate files, and drop additional payloads. It also checks for the presence of the MetaMask cryptocurrency browser extension, signaling a focus on stealing digital assets.

To protect its communications, the RAT uses token-based authentication for its command-and-control traffic, preventing unauthorized monitoring—an approach commonly associated with North Korean cyber operations.

ReversingLabs identified multiple variants of the malware written in JavaScript, Python, and VBScript, indicating an effort to broaden compatibility and maximize infection potential.

The researchers attribute the Graphalgo campaign to the Lazarus Group with medium-to-high confidence. The assessment is based on the use of fake job offers and coding tests as infection vectors, the cryptocurrency-focused targeting, delayed activation of malicious code, and Git commit timestamps aligning with the GMT+9 time zone, consistent with North Korea.

ReversingLabs has published indicators of compromise and recommends that developers who installed any of the identified packages immediately rotate all authentication tokens and account passwords, and consider reinstalling their operating systems to ensure complete remediation.

The campaign highlights the growing threat of supply chain attacks in developer ecosystems, where trust in public repositories and coding challenges can be weaponized for sophisticated cyber espionage and financial theft.

1 Comment

  • This campaign shows how sophisticated threat actors are exploiting developers’ trust in coding challenges and public repositories. By disguising malware within seemingly legitimate npm and PyPI packages, attackers can compromise systems and steal cryptocurrency or sensitive data. Developers should always verify dependencies, avoid running untrusted code, and maintain strong security hygiene to prevent falling victim to such supply chain attacks.

