Malware job scams are on the rise, with sophisticated North Korean threat actors now targeting JavaScript and Python developers with cryptocurrency-related coding challenges. This fraudulent activity, ongoing since at least May 2025, is characterized by its modularity, allowing the attackers to quickly resume operations even after partial compromise.
These bad actors are leveraging malicious packages published on the npm and PyPi registries, using them as downloaders for a remote access trojan (RAT). ReversingLabs researchers identified a staggering 192 malicious packages linked to this campaign, which they’ve dubbed ‘Graphalgo’.
The scammers create fake companies purportedly in the blockchain and crypto-trading sectors, posting enticing job offers on platforms like LinkedIn, Facebook, and Reddit. Applying developers are then asked to demonstrate their skills by running, debugging, and improving a supplied project. The sinister catch? Running the code triggers the installation and execution of a malicious dependency from a seemingly legitimate repository.
“It is easy to create such job task repositories. Threat actors simply need to take a legitimate bare-bone project and fix it up with a malicious dependency and it is ready to be served to targets,”
To further conceal their malicious intent, the hackers host these dependencies on well-regarded platforms like npm and PyPi.
The Graphalgo Campaign Unveiled
One notable case highlighted by ReversingLabs involved a package named ‘bigmathutils,’ boasting 10,000 downloads. Initially benign, version 1.1.0 introduced malicious payloads. Shortly after, the threat actor removed the package, marking it as deprecated, likely to cover their tracks.
The campaign’s name, Graphalgo, originates from packages containing “graph” in their name, often impersonating legitimate libraries like _graphlib_. Since December 2025, the attackers have shifted to using packages with “big” in their name, although the recruiting front-end associated with these remains undiscovered.
ReversingLabs reports that the actors utilize Github Organizations, shared accounts that facilitate collaboration across multiple projects. While the GitHub repositories themselves appear clean, the malicious code is introduced indirectly through dependencies hosted on npm and PyPI, specifically the Graphalgo packages. Victims who run the project as instructed unwittingly infect their systems.
It’s crucial to note that ReversingLabs researchers contacted several developers who had fallen victim to this scheme to gather more details about the recruiting process. This highlights the effectiveness of these malware job scams.
Remote Access Trojan (RAT) Capabilities
The RAT deployed by these malware job scams can list running processes, execute arbitrary commands from the command-and-control (C2) server, exfiltrate files, and even drop additional malicious payloads. The RAT also actively checks for the presence of the MetaMask cryptocurrency extension in the victim’s browser, clearly indicating its financial motives.
The C2 communication is token-protected to prevent unauthorized access, a common tactic employed by North Korean hackers. ReversingLabs has discovered multiple variants of the RAT written in JavaScript, Python, and VBS, demonstrating the attackers’ intention to target a broad range of potential victims. related Fraudulents news
Attribution to the Lazarus Group
ReversingLabs attributes the Graphalgo campaign to the Lazarus group with medium-to-high confidence. This assessment is based on the attack methods, the use of coding tests as an infection vector, and the cryptocurrency-focused targeting, all consistent with previous Lazarus group activities. The delayed activation of malicious code within the packages also aligns with Lazarus’s patient approach in other attacks. Furthermore, Git commits reveal a GMT +9 time zone, matching North Korea’s time zone.
Developers who may have installed these malicious packages should immediately rotate all tokens and account passwords and consider reinstalling their operating systems.
Complete indicators of compromise (IoCs) are available in the original report.
Protecting yourself from these malware job scams requires vigilance. Always scrutinize the source of code you are asked to run, especially if it comes from an unfamiliar source. Verify the legitimacy of job postings and the companies behind them. Keep your systems and software up-to-date to mitigate vulnerabilities that malware can exploit.
Source: BleepingComputer




