Cryptocurrency Coding Tests Weaponized in Developer-Targeting Scheme

A sophisticated campaign attributed to North Korean hackers is targeting JavaScript and Python developers through fake job interviews involving cryptocurrency-related coding challenges. The operation, active since May 2025 and dubbed "Graphalgo," relies on nearly 200 malicious packages published to the npm and PyPI registries that function as downloaders for remote access trojans. Threat actors create fictitious blockchain companies and post legitimate-looking job openings on professional platforms like LinkedIn and Reddit.

Applicants who progress in the hiring process receive coding tasks requiring them to run, debug, or enhance provided projects. These projects contain hidden malicious dependencies hosted on legitimate repositories, which execute upon installation and compromise the developer's system. The attackers have demonstrated modularity by shifting package naming conventions over time, initially using "graph"-related names before transitioning to "big"-prefixed packages in late 2025.
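One practical defence against the infection chain described above is to audit a take-home project's manifest before running `npm install`. The following Python check is an added example, not code from the article or from ReversingLabs; the sample manifest is constructed, and the name regex is an assumption based only on the "graph"/"big" naming patterns the article reports, so it is a weak heuristic rather than a detection signature.

```python
import json
import re

# Constructed sample of a take-home project's package.json (not a real campaign file):
# one dependency follows the reported "big"-prefix pattern, one is pulled from a git URL
# instead of the registry, and a postinstall hook runs code as soon as `npm install` finishes.
SAMPLE_PACKAGE_JSON = """{
  "name": "trading-dashboard-challenge",
  "scripts": {
    "postinstall": "node ./setup.js",
    "start": "node index.js"
  },
  "dependencies": {
    "express": "^4.18.2",
    "bigchart-utils": "^1.0.3",
    "wallet-helpers": "git+https://example.invalid/repo.git"
  }
}"""

# Assumed heuristic: package names starting with the prefixes the article attributes
# to the campaign. Expect false positives; this flags names for manual review only.
NAME_PATTERN = re.compile(r"^(graph|big)", re.IGNORECASE)

# npm lifecycle hooks that execute automatically during installation.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def audit_package_json(text):
    """Return a list of (reason, detail) findings for a package.json manifest."""
    pkg = json.loads(text)
    findings = []
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:
            findings.append(("install-hook", f"{hook}: {cmd}"))
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(section, {}).items():
            if NAME_PATTERN.match(name):
                findings.append(("name-pattern", f"{section}/{name}"))
            # Anything not a plain semver range bypasses the registry's package page.
            if spec.startswith(("git", "http", "file:", "github:")) or "://" in spec:
                findings.append(("non-registry-source", f"{section}/{name} -> {spec}"))
    return findings

if __name__ == "__main__":
    for reason, detail in audit_package_json(SAMPLE_PACKAGE_JSON):
        print(f"[{reason}] {detail}")
```

This only inspects the project's own manifest; lifecycle scripts inside the dependencies themselves are not visible here, which is why the article's hidden dependencies still need to be reviewed individually before installation.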

Once installed, the malware establishes communication with command-and-control servers using token-protected channels to prevent unauthorized observation. The remote access trojan can enumerate running processes, execute arbitrary commands, exfiltrate files, and deploy additional payloads. It specifically checks for the presence of the MetaMask cryptocurrency browser extension, confirming the financial motivation behind the operation.

Researchers at ReversingLabs identified several developers who had fallen victim to this scheme and documented the infection chain. Multiple malware variants exist across JavaScript, Python, and VBScript, suggesting the attackers aim to compromise developers regardless of their primary programming language. The campaign bears strong hallmarks of the Lazarus Group, including the use of coding tests as infection vectors, delayed code activation, cryptocurrency focus, and Git commits originating from the GMT+9 time zone consistent with North Korea.
