https://www.reversinglabs.com/blog/fake-recruiter-campaign-crypto-devs
Cybersecurity researchers have uncovered a campaign by North Korean threat actors who are using fake job recruitment schemes to infect software developers with malware. The operation, dubbed “Graphalgo” by ReversingLabs researchers, has been active since at least May 2025 and specifically targets JavaScript and Python developers through fraudulent coding assessments in the cryptocurrency and blockchain sectors. Investigators have identified 192 malicious packages connected to this campaign, distributed through the npm and PyPI software repositories.
The attack methodology involves threat actors establishing fictitious companies in the crypto-trading industry and posting job openings across popular platforms including LinkedIn, Facebook, and Reddit. Applicants are asked to demonstrate their technical abilities by running, debugging, and enhancing provided code projects that appear legitimate but contain hidden malicious dependencies. When developers execute the code as instructed during the interview process, their systems automatically download and install a remote access trojan from authentic-looking packages hosted on legitimate platforms. One particularly concerning example involved a package called “bigmathutils” that appeared benign in its first versions before introducing malicious payloads at version 1.1.0; it accumulated 10,000 downloads before the attackers removed it to cover their tracks.
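The two defensive lessons in the paragraph above are that a take-home project's dependency manifest is where the malicious package hides, and that a package can be clean in early versions and turn malicious later, so a pinned or caret range has to be checked against the version at which it went bad. The following script is an added example, not ReversingLabs code or a tool from the article: it audits an npm `package.json` and a pip `requirements.txt` against a blocklist, distinguishing an exact pin below the malicious version from a pin at or above it and from a range that could resolve to it, and it also reports npm lifecycle install hooks, which run code at `npm install` time (a general heuristic, not something the article attributes to this campaign). The `bigmathutils` / 1.1.0 entry comes from the article; the PyPI entry and both sample manifests are constructed for the example.

```python
"""Audit dependency manifests against a blocklist of packages that turned malicious.

Added example; not ReversingLabs code. Only bigmathutils@1.1.0 is from the article,
the rest of the blocklist and the sample manifests are constructed placeholders.
"""
import json
import re

# ecosystem -> {normalised package name: first version known to be malicious}
BLOCKLIST = {
    "npm": {"bigmathutils": "1.1.0"},            # from the article
    "pypi": {"placeholder-bad-package": "0.1.0"},  # constructed placeholder
}

INSTALL_HOOKS = ("preinstall", "install", "postinstall")
RANGE_CHARS = re.compile(r"[\^~><*x|]|\s-\s")   # caret, tilde, comparators, wildcards, hyphen ranges


def parse_version(text):
    """Comparable (major, minor, patch) tuple from a version or spec such as '==1.0.2'."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def classify(ecosystem, name, spec):
    """Return a finding dict if (name, spec) hits the blocklist, else None."""
    key = name.lower().replace("_", "-") if ecosystem == "pypi" else name.lower()
    bad_from = BLOCKLIST[ecosystem].get(key)
    if bad_from is None:
        return None
    if not spec or RANGE_CHARS.search(spec):
        status = "range may resolve to malicious version"
    elif parse_version(spec) >= parse_version(bad_from):
        status = "pinned at or above malicious version"
    else:
        status = "pinned below malicious version"
    return {"ecosystem": ecosystem, "package": name, "spec": spec,
            "malicious_from": bad_from, "status": status}


def audit_package_json(text):
    """Audit an npm package.json: blocklisted dependencies plus lifecycle install scripts."""
    data = json.loads(text)
    findings = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in data.get(section, {}).items():
            hit = classify("npm", name, spec)
            if hit:
                hit["section"] = section
                findings.append(hit)
    # Install hooks execute arbitrary commands during `npm install`; in an unsolicited
    # assignment they deserve a look regardless of the blocklist.
    scripts = data.get("scripts", {})
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings.append({"ecosystem": "npm", "package": data.get("name", "<root>"),
                             "status": f"defines {hook} script: {scripts[hook]}"})
    return findings


def audit_requirements(text):
    """Audit a pip requirements.txt-style list against the blocklist."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("-"):           # skip blanks and pip options
            continue
        m = re.match(r"([A-Za-z0-9_.\-]+)\s*(.*)", line)
        hit = classify("pypi", m.group(1), m.group(2).strip())
        if hit:
            findings.append(hit)
    return findings


# Constructed sample manifests shaped like a coding-assessment repository.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "trading-assignment",
    "scripts": {"postinstall": "node setup.js", "test": "jest"},
    "dependencies": {"express": "^4.18.2", "bigmathutils": "^1.0.5"},
})
SAMPLE_REQUIREMENTS = "requests>=2.31\nPlaceholder_Bad_Package==0.2.0  # constructed\n"

if __name__ == "__main__":
    for finding in audit_package_json(SAMPLE_PACKAGE_JSON) + audit_requirements(SAMPLE_REQUIREMENTS):
        print(finding)
```

The caret range `^1.0.5` is the interesting case: it looks like a pin to a version older than 1.1.0, but semver resolution would happily install 1.1.0 while that version was still published, which is exactly how a package that "appeared benign in its first versions" reaches a victim. Resolved versions from a lockfile are the more reliable input when one is available; the same `classify` call applies to them.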
ReversingLabs attributes the Graphalgo campaign to the notorious Lazarus group with medium-to-high confidence based on several indicators, including the operational approach, cryptocurrency-focused targeting, and technical fingerprints matching previous North Korean cyber operations. The deployed malware functions as a comprehensive surveillance tool capable of listing system processes, executing remote commands from command-and-control servers, and exfiltrating files or deploying additional payloads. Notably, the trojan specifically checks for the MetaMask cryptocurrency wallet extension, revealing its financial theft objectives. Researchers advise any developers who may have installed these malicious packages to immediately rotate all authentication credentials, change account passwords, and perform a complete operating system reinstallation.