Cybersecurity researchers have identified a sophisticated, multi-pronged attack campaign orchestrated by the North Korea-linked Lazarus Group, targeting developers through malicious packages on both the npm and Python Package Index (PyPI) repositories. This operation, codenamed “graphalgo” after its initial npm package, has been active since at least May 2025, leveraging fake recruitment schemes to ensnare unsuspecting programmers.
The Lazarus Group is employing social engineering tactics, reaching out to developers via platforms like LinkedIn, Facebook, and forums such as Reddit. The attackers build a facade of legitimacy by creating fake companies, often in the blockchain and cryptocurrency exchange sector, to lure potential victims into downloading malicious code disguised as coding assessment projects or necessary development dependencies. This campaign highlights the persistent threat of state-sponsored actors targeting open-source ecosystems.
Lazarus Group’s Graphalgo Campaign Targets Developers
The “graphalgo” campaign involves setting up elaborate digital real estate for fabricated companies, such as the cryptocurrency trading entity Veltrix Capital. This includes registering domains and establishing GitHub organizations to host ostensibly legitimate repositories for coding assessments. These repositories, built with Python and JavaScript, do not initially exhibit malicious behavior themselves.
Instead, the malicious functionality is introduced indirectly through compromised dependencies hosted on public package repositories like npm and PyPI. Developers applying for jobs advertised on platforms like Reddit and Facebook are tricked into running these projects on their machines. This process effectively installs the malicious dependency, triggering an infection that allows attackers to gain unauthorized access.
One notable example within the npm repository, the “bigmathutils” package, saw over 10,000 downloads after its initial, non-malicious version was published, before a subsequent version containing a malicious payload was released. The attackers’ strategy relies on exploiting the trust developers place in open-source libraries and the urgency of job recruitment processes.
The ultimate goal of these compromised packages is to deploy a remote access trojan (RAT). This RAT is designed to communicate with an external command-and-control (C2) server, periodically fetching and executing further commands. The RAT possesses a range of capabilities, including gathering system information, enumerating files and directories, listing running processes, and manipulating files through creation, renaming, deletion, upload, and download operations.
A particularly interesting aspect of the Lazarus Group’s operation is the implementation of a token-based mechanism to secure C2 communication. This method ensures that only requests originating from registered, infected systems with a valid token are accepted. This sophisticated approach was previously observed in 2023 campaigns attributed to a North Korean hacking group known as Jade Sleet, also recognized as TraderTraitor or UNC4899.
The token-based mechanism functions by having the infected packages send system data as an initial registration step to the C2 server. The server then responds with a unique token. This token is subsequently included in all further communication requests, serving as an authentication key to confirm the origin of the requests. This similarity in C2 communication methods suggests a potential overlap in operational techniques between different North Korean state-sponsored threat actors.
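The register-then-token flow described above leaves a recognisable shape in outbound traffic: one unauthenticated request from a host to a new destination, followed by repeated requests to the same destination that all carry the same token at a near-constant interval. The following Python script is an added example, not code from the article or from ReversingLabs; it runs a simple detection for that shape over a few constructed proxy log lines. The log format, hosts, paths and token values are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not from the article). Fields: timestamp,
# client, destination, method, path, Authorization header ("-" if absent).
# Hosts, paths and token values are assumptions made for illustration.
SAMPLE_LOG = """\
2025-06-01T10:00:00 10.0.0.5 203.0.113.9 POST /api/register -
2025-06-01T10:00:30 10.0.0.5 203.0.113.9 GET /api/task Bearer 7f3a9c
2025-06-01T10:01:00 10.0.0.5 203.0.113.9 GET /api/task Bearer 7f3a9c
2025-06-01T10:01:31 10.0.0.5 203.0.113.9 GET /api/task Bearer 7f3a9c
2025-06-01T10:02:00 10.0.0.5 203.0.113.9 GET /api/task Bearer 7f3a9c
2025-06-01T10:00:05 10.0.0.7 198.51.100.4 GET /index.html -
2025-06-01T10:07:12 10.0.0.7 198.51.100.4 GET /app.js -
2025-06-01T10:00:00 10.0.0.8 registry.example GET /pkg Bearer abc123
2025-06-01T10:00:01 10.0.0.8 registry.example GET /pkg2 Bearer abc123
"""


def parse_log(text):
    """Parse the space-separated sample format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method, path, auth = line.split(maxsplit=5)
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src, "dst": dst, "method": method, "path": path,
            "token": None if auth == "-" else auth,
        })
    return records


def find_register_then_beacon(records, min_beacons=3, max_jitter=0.2):
    """Flag (client, destination) pairs that first sent an unauthenticated
    POST and then re-used a single token at a near-constant interval."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r)

    findings = []
    for (src, dst), reqs in by_pair.items():
        reqs.sort(key=lambda r: r["ts"])
        # Step 1 of the pattern: an unauthenticated POST (the registration).
        reg_index = next((i for i, r in enumerate(reqs)
                          if r["method"] == "POST" and r["token"] is None), None)
        if reg_index is None:
            continue
        # Step 2: later requests that all carry the same token.
        tokened = [r for r in reqs[reg_index + 1:] if r["token"]]
        if len(tokened) < min_beacons:
            continue
        tokens = {r["token"] for r in tokened}
        if len(tokens) != 1:
            continue
        # Step 3: low jitter between those requests suggests a timer, not a user.
        gaps = [(b["ts"] - a["ts"]).total_seconds()
                for a, b in zip(tokened, tokened[1:])]
        avg = mean(gaps)
        if avg <= 0 or pstdev(gaps) / avg > max_jitter:
            continue
        findings.append({"src": src, "dst": dst, "token": tokens.pop(),
                         "beacons": len(tokened), "mean_interval_s": avg})
    return findings


if __name__ == "__main__":
    for finding in find_register_then_beacon(parse_log(SAMPLE_LOG)):
        print(finding)
```

Only the first client matches all three steps; the second never sends a token and the third sends one without a preceding unauthenticated POST. On real logs the thresholds (`min_beacons`, `max_jitter`) need tuning, and an allow-list of known registries and update services keeps legitimate token-bearing clients out of the results.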
The findings underscore North Korean state-sponsored threat actors’ continued efforts to poison open-source ecosystems with malicious packages. Their objective appears to be the theft of sensitive data and financial gain, as evidenced by the RAT’s checks for the presence of the MetaMask browser extension, a common tool for cryptocurrency management.
ReversingLabs researchers describe the campaign as “highly sophisticated,” pointing to its modularity, long-term persistence, patience in building trust, and the complexity of the encrypted malware. These characteristics are indicative of a state-sponsored threat actor with significant resources and technical expertise.
Emergence of Other Malicious npm Package Campaigns
The revelations about the “graphalgo” campaign coincide with the discovery of other malicious activities within the npm ecosystem. Security firm JFrog recently uncovered a package named “duer-js,” published by a user identified as “luizaearlyx.” While advertised as a utility to enhance console visibility, this package contains a Windows information stealer known as Bada Stealer.
Bada Stealer is capable of extracting sensitive data including Discord tokens, passwords, browser cookies, autofill data from popular browsers such as Chrome, Edge, Brave, Opera, and Yandex, cryptocurrency wallet details, and general system information. This stolen data is then exfiltrated to both a Discord webhook and the Gofile file storage service as a backup measure.
Furthermore, the malicious “duer-js” package downloads a secondary payload. This payload is designed to run automatically when the Discord desktop application starts, featuring self-updating capabilities and a focus on directly stealing payment methods used by the victim. This demonstrates a multi-stage attack designed for maximum impact.
Additionally, another malware campaign has weaponized npm to extort cryptocurrency payments from developers during package installation. This campaign, first observed on February 4, 2026, has been dubbed “XPACK ATTACK” by OpenSourceMalware. It involves packages uploaded by a user named “dev.chandra_bose.”
The XPACK ATTACK campaign innovatively abuses the HTTP 402 “Payment Required” status code. Instead of directly stealing credentials or executing reverse shells, it presents a seemingly legitimate payment wall, blocking installation until a victim pays 0.1 USDC or ETH to the attacker’s wallet. The attackers also collect GitHub usernames and device fingerprints during this process.
Developers who refuse to pay are met with installation failures that can waste significant development time, potentially leaving them unaware that they have encountered malware rather than a genuine paywall for package access. This sophisticated social engineering element adds another layer of deception to the attack.
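Both the “bigmathutils” case above (a benign first release followed by a malicious later version) and the XPACK ATTACK paywall (code that runs during installation) hinge on the same two properties of an npm project: version ranges that silently float to a newer release, and lifecycle scripts that execute arbitrary code at install time. The following Python script is an added example, not code from the article, JFrog or OpenSourceMalware; it audits a project manifest and the installed packages for both. The manifest, the version numbers and the `postinstall` hook are constructed assumptions; only the package name “bigmathutils” comes from the article.

```python
import json
import re

# Constructed project manifest (not from the article). "bigmathutils" is the
# package named in the article; the version range and the second package are
# assumptions for illustration.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "coding-assessment",
    "dependencies": {"bigmathutils": "^1.0.0", "left-pad": "1.3.0"},
})

# Constructed contents of node_modules/<name>/package.json after install.
# The postinstall hook is an assumption: it stands in for any install-time
# script, whether it fetches a payload or blocks the install with a paywall.
SAMPLE_INSTALLED = {
    "bigmathutils": {"name": "bigmathutils", "version": "1.0.2",
                     "scripts": {"postinstall": "node ./setup.js"}},
    "left-pad": {"name": "left-pad", "version": "1.3.0",
                 "scripts": {"test": "node test.js"}},
}

# npm lifecycle hooks that execute code during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")


def floating_ranges(manifest_text):
    """Names of dependencies whose spec (e.g. ^1.0.0) can resolve to a newer
    release than the one that was originally reviewed."""
    deps = json.loads(manifest_text).get("dependencies", {})
    return sorted(name for name, spec in deps.items()
                  if not EXACT_VERSION.match(spec))


def install_hooks(installed):
    """Map package name -> lifecycle hooks that run code at install time."""
    found = {}
    for name, pkg in installed.items():
        hooks = [h for h in INSTALL_HOOKS if h in pkg.get("scripts", {})]
        if hooks:
            found[name] = hooks
    return found


def audit(manifest_text, installed):
    """Combine both checks into one report a CI step can fail on."""
    return {
        "floating": floating_ranges(manifest_text),
        "hooks": install_hooks(installed),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_PACKAGE_JSON, SAMPLE_INSTALLED), indent=2))
```

On a real project, `installed` would be built by reading every `node_modules/*/package.json`. A package that appears under `hooks` deserves a look at what the script does before it is allowed to run; installing with `npm ci --ignore-scripts` and pinning exact versions in the lockfile removes both of the properties these campaigns rely on, at the cost of having to opt in explicitly for the few packages that genuinely need a build step.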
The continued emergence of these sophisticated campaigns targeting open-source developers highlights the evolving threat landscape. Ongoing vigilance and prompt patching of known vulnerabilities in development pipelines are crucial. Developers and security professionals will be closely watching for further developments from Lazarus Group and other threat actors as they continue to probe and exploit open-source software supply chains for malicious purposes.