Researchers identified malicious npm and PyPI packages linked to a fake recruitment campaign run by the North Korean Lazarus Group. This operation, active since May 2025, uses deceptive job interview tasks to trick developers into installing compromised code on their systems.
The Lazarus Group has launched a new branch of its fake recruiter campaign, recently uncovered by researchers and dubbed graphalgo. This campaign targets software developers by masquerading as a legitimate blockchain company seeking new talent. The attackers have been active since early 2025, leveraging popular programming platforms to distribute their malware. By using deceptive hiring themes, they successfully manipulate developers into downloading infected packages as part of a supposed technical assessment.
To establish credibility, the hackers created a fictitious blockchain firm known as Veltrix Capital. They built convincing websites and GitHub organizations to house their projects, though these entities lack verifiable leadership or history. When one persona or domain begins to face scrutiny from the security community, the group quickly pivots, using AI-generated content and new domains to rebuild their fraudulent infrastructure and maintain their cover.
The primary method of infection involves high-pressure job interview tasks. The attackers publish repositories on GitHub that appear to be standard coding challenges for prospective employees. While the interview code itself may look harmless, it is configured to pull in malicious dependencies from the npm or PyPI registries. When a developer runs the project to complete the task, the hidden malicious code executes, giving the attackers a foothold in the victim's environment.
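A defender-side triage script, added here as an example and not code from the article or from the campaign's repositories: before running an unfamiliar "interview task" repository, it inventories the third-party dependencies its manifests pull in and flags the two places where code can run or be fetched unexpectedly, npm install-time lifecycle hooks and dependency specifiers that resolve outside the public registries. The manifests are constructed samples; the `bigmathutils` name is the package the article names and is included only to show that a plain registry name reveals nothing on its own, which is why the full inventory is returned for manual vetting.

```python
import json
import re

# npm lifecycle hooks that run automatically during `npm install`.
NPM_INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}
# Dependency specifiers that bypass the public registry (git, GitHub shorthand, URLs, local paths).
NON_REGISTRY_SPEC = re.compile(r"^(git\+|git:|github:|https?://|file:|\.{0,2}/)")
DEP_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")


def triage_package_json(text):
    """Return (inventory, findings) for one package.json. Hypothetical helper."""
    pkg = json.loads(text)
    inventory, findings = [], []
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook in NPM_INSTALL_HOOKS:
            findings.append(f"install-time script '{hook}': {cmd}")
    for section in DEP_SECTIONS:
        for name, spec in pkg.get(section, {}).items():
            inventory.append(name)
            if NON_REGISTRY_SPEC.match(spec):
                findings.append(f"{section}: {name} resolves outside the registry ({spec})")
    return inventory, findings


def triage_requirements(text):
    """Return findings for a requirements.txt: editable/URL installs and index overrides."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith(("-e", "--editable", "-i", "--index-url", "--extra-index-url")):
            findings.append(f"pip option in requirements: {line}")
        elif line.startswith("git+") or ("@" in line and "://" in line):
            findings.append(f"direct URL requirement: {line}")
    return findings


# Constructed sample manifests (not taken from any real repository).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "interview-task",
    "scripts": {"test": "jest", "postinstall": "node ./scripts/setup.js"},
    "dependencies": {"express": "^4.18.2", "bigmathutils": "^1.2.0",
                     "helper": "github:example-org/helper"},
})
SAMPLE_REQUIREMENTS = "requests==2.31.0\n-e git+https://example.invalid/repo.git#egg=task\n"

if __name__ == "__main__":
    deps, flags = triage_package_json(SAMPLE_PACKAGE_JSON)
    print("dependencies to vet:", deps)
    for f in flags + triage_requirements(SAMPLE_REQUIREMENTS):
        print("FLAG:", f)
```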
Lazarus Group operatives actively scout for victims across major social media platforms including LinkedIn, Reddit, and Facebook. They often pose as recruiters or technical leads, reaching out directly to developers with lucrative job opportunities. To enhance the illusion of legitimacy, some of these recruiter profiles appear highly professional, though they typically stop responding if a candidate asks too many specific questions about the company’s background.
The scale of this supply chain attack is significant, as evidenced by one specific npm package called bigmathutils. This package managed to accumulate over 10,000 downloads by appearing as a legitimate utility before the attackers pushed a malicious update to its users. By hiding their code across multiple public platforms like GitHub and npm, the Lazarus Group continues to demonstrate a sophisticated ability to exploit the trust inherent in the open-source software ecosystem.
Source: Malicious npm and PyPI Packages Linked to Lazarus APT Fake Recruiter Campaign