Malware job scams are on the rise, with North Korean threat actors targeting JavaScript and Python developers with cryptocurrency-related coding challenges. This sophisticated campaign, active since at least May 2025, uses fake job postings to deliver remote access trojans (RATs) to unsuspecting developers.
The attackers create fake companies in the blockchain and crypto-trading sectors, publishing job offers on platforms like LinkedIn, Facebook, and Reddit. Applicants are asked to demonstrate their skills by running and debugging a provided project, which unknowingly installs a malicious dependency from a legitimate repository.
“It is easy to create such job task repositories. Threat actors simply need to take a legitimate bare-bone project and fix it up with a malicious dependency and it is ready to be served to targets,” researchers say.
North Korean Hackers Behind Elaborate Scheme
Researchers at ReversingLabs have dubbed the campaign ‘Graphalgo,’ uncovering 192 malicious packages related to it. To conceal their activities, the hackers host the malicious dependencies on legitimate platforms like npm and PyPi. One example is a package named ‘bigmathutils,’ which was benign until version 1.1.0 introduced malicious payloads. The package was subsequently deprecated, likely to hide the activity.
The Graphalgo campaign utilizes GitHub Organizations, shared accounts for collaboration, to host clean repositories. The malicious code is introduced indirectly through dependencies hosted on npm and PyPI. Victims who run the project as instructed during the fake interview unknowingly infect their systems with a RAT payload.
ReversingLabs researchers even contacted developers who fell victim to these malware job scams, gathering more details about the deceptive recruiting process.
The Remote Access Trojan (RAT) Payload
The installed RAT grants attackers the ability to list running processes, execute arbitrary commands, exfiltrate files, and deploy additional payloads. A particularly concerning feature is its ability to check for the MetaMask cryptocurrency extension, indicating a clear intent to steal cryptocurrency assets. The RAT’s communication with its command-and-control (C2) server is token-protected, a common tactic used by North Korean hackers.
Variants of the RAT have been found in JavaScript, Python, and VBS, suggesting a broad targeting strategy. Security experts attribute the Graphalgo campaign to the Lazarus group with medium-to-high confidence, citing the use of coding tests as an infection vector, cryptocurrency-focused targeting, and delayed activation of malicious code, all characteristics of previous Lazarus group activities. Furthermore, Git commits reveal a GMT +9 time zone, matching North Korea’s time zone.
Protecting Yourself from Malware Job Scams
Financial Standard urges all developers to exercise extreme caution when applying for jobs, especially in the cryptocurrency sector. Always thoroughly vet any code provided during the application process and be wary of unusual requests or dependencies. If you suspect you have been targeted by malware job scams, immediately rotate all tokens and account passwords and reinstall your operating system.
The threat of malware job scams is a serious concern for the financial sector, potentially leading to significant data breaches and financial losses. Stay vigilant and prioritize cybersecurity best practices to protect yourself and your organization.
This type of fraud underscores the importance of verifying the legitimacy of job offers and scrutinizing any code provided by potential employers. Developers should always be cautious about running code from unknown sources, especially when it involves cryptocurrency-related projects. The financial implications of falling victim to these scams can be devastating, highlighting the need for increased awareness and vigilance within the development community. related Fraudulents news
“Developers who installed the malicious packages at any point should rotate all tokens and account passwords and reinstall their OS.”
Source: BleepingComputer




