Lazarus Campaign Targets npm and PyPI Ecosystems with Malicious Packages
Key Findings
Cybersecurity researchers have discovered a fresh set of malicious packages across npm and the Python Package Index (PyPI) repository linked to a fake recruitment-themed campaign orchestrated by the North Korea-linked Lazarus Group.
The coordinated campaign has been codenamed "graphalgo" in reference to the first package published in the npm registry, and it's assessed to be active since May 2025.
The campaign includes a well-orchestrated story around a company involved in blockchain and cryptocurrency exchanges, and victims are approached via social platforms or job offerings on forums.
The malicious packages ultimately act as a conduit to deploy a remote access trojan (RAT) that can gather system information, enumerate files and directories, list running processes, and perform various other malicious activities.
Background
As with many job-focused campaigns conducted by North Korean threat actors, the attack chain begins with establishing a fake company like Veltrix Capital in the blockchain and cryptocurrency trading space, and then setting up the necessary digital real estate to create an illusion of legitimacy.
This includes registering a domain and creating a related GitHub organization to host several repositories for use in coding assessments, which contain projects based on Python and JavaScript.
The idea behind setting up these repositories is to trick candidates who apply to its job listings on Reddit and Facebook Groups into running the projects on their machines, effectively installing the malicious dependency and triggering the infection.
Malicious Packages
The names of the identified malicious packages are:
npm: graphalgo, graphorithm, graphstruct, graphlibcore, netstruct, graphnetworkx, terminalcolor256, graphkitx, graphchain, graphflux, graphorbit, graphnet, graphhub, terminal-kleur, graphrix, bignumx, bignumberx, bignumex, bigmathex, bigmathlib, bigmathutils, graphlink, bigmathix, graphflowx
PyPI: graphalgo, graphex, graphlibx, graphdict, graphflux, graphnode, graphsync, bigpyx, bignum, bigmathex, bigmathix, bigmathutils
One of the identified npm packages, "bigmathutils," attracted more than 10,000 downloads in the window between the publication of its first, non-malicious version and the release of the second version, which carried the malicious payload.
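A defender-side check for the package names listed above, added here as an example (it is not code from the report or from any of the cited sources): it scans a package.json and a requirements.txt for the named npm and PyPI packages, normalising PyPI names per PEP 503 so that casing and separator variants are still matched. Both manifests are constructed samples.

```python
"""Flag the graphalgo-campaign package names in dependency manifests."""
import json
import re

# Package names taken from the npm and PyPI lists in the report above.
NPM_IOCS = {
    "graphalgo", "graphorithm", "graphstruct", "graphlibcore", "netstruct",
    "graphnetworkx", "terminalcolor256", "graphkitx", "graphchain", "graphflux",
    "graphorbit", "graphnet", "graphhub", "terminal-kleur", "graphrix",
    "bignumx", "bignumberx", "bignumex", "bigmathex", "bigmathlib",
    "bigmathutils", "graphlink", "bigmathix", "graphflowx",
}
PYPI_IOCS = {
    "graphalgo", "graphex", "graphlibx", "graphdict", "graphflux", "graphnode",
    "graphsync", "bigpyx", "bignum", "bigmathex", "bigmathix", "bigmathutils",
}

def normalize_pypi(name: str) -> str:
    """PEP 503 normalisation: case-fold, collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

PYPI_IOCS_NORM = {normalize_pypi(p) for p in PYPI_IOCS}

def scan_package_json(text: str) -> set[str]:
    """Return listed npm package names found in any dependency section."""
    data = json.loads(text)
    found = set()
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name in data.get(section, {}):
            if name.lower() in NPM_IOCS:  # npm names are case-insensitive
                found.add(name)
    return found

def scan_requirements(text: str) -> set[str]:
    """Return listed PyPI package names from a requirements.txt-style file."""
    found = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank line or an option such as -r / --index-url
        name = re.split(r"[\[<>=!~;@ ]", line, maxsplit=1)[0]  # drop extras/specifiers
        if normalize_pypi(name) in PYPI_IOCS_NORM:
            found.add(name)
    return found

# Constructed sample manifests resembling a coding-assessment repository.
SAMPLE_PACKAGE_JSON = ('{"dependencies": {"express": "^4.18.2", "bigmathutils": "^1.1.0"},'
                       ' "devDependencies": {"jest": "^29.0.0"}}')
SAMPLE_REQUIREMENTS = "requests==2.31.0\nBigMathUtils>=1.0  # added by 'recruiter'\n-r dev.txt\n"

if __name__ == "__main__":
    print("npm hits:", scan_package_json(SAMPLE_PACKAGE_JSON))
    print("PyPI hits:", scan_requirements(SAMPLE_REQUIREMENTS))
```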
Malware Analysis
The malicious packages ultimately act as a conduit to deploy a remote access trojan (RAT) that periodically fetches and executes commands from an external server.
The RAT supports various commands to gather system information, enumerate files and directories, list running processes, create folders, rename files, delete files, and upload/download files.
The command-and-control (C2) communication is protected by a token-based mechanism to ensure that only requests with a valid token are accepted, a technique previously observed in 2023 campaigns linked to the North Korean hacking group Jade Sleet.
The RAT also checks if the MetaMask browser extension is installed on the machine, suggesting that the threat actors are interested in stealing sensitive data and conducting financial theft.
Conclusion
The findings show that North Korean state-sponsored threat actors continue to poison open-source ecosystems with malicious packages in hopes of stealing sensitive data and conducting financial theft.
The campaign's modularity, long-lived nature, patience in building trust across different campaign elements, and the complexity of the multilayered and encrypted malware point to the work of a sophisticated, state-sponsored threat actor.
Sources
https://thehackernews.com/2026/02/lazarus-campaign-plants-malicious.html
https://www.reddit.com/r/InfoSecNews/comments/1r3547q/lazarus_campaign_plants_malicious_packages_in_npm/
https://x.com/TheCyberSecHub/status/2022008632465096713
https://x.com/shah_sheikh/status/2022008627754938469