North Korean Hackers Target Developers in Elaborate Supply Chain Attacks
A sophisticated, ongoing campaign orchestrated by North Korean threat actors is targeting JavaScript and Python developers through malicious npm and PyPI packages. Dubbed ‘Graphalgo’ by researchers at ReversingLabs, this operation leverages fake job postings and coding challenges to deliver remote access trojans (RATs) to unsuspecting victims.
The “Contagious Interview” Tactic: How It Works
The attack unfolds through a social engineering scheme. Threat actors create fictitious companies in the blockchain and cryptocurrency sectors and advertise job openings on platforms like LinkedIn, Facebook, and Reddit. Applicants are asked to demonstrate their skills by running and debugging a project, unknowingly executing malicious code embedded within the dependencies.
Researchers found that the attackers easily create these malicious repositories by taking legitimate, minimal projects and adding a malicious dependency. This dependency, hosted on legitimate platforms like npm and PyPI, initiates the infection process.
Source: ReversingLabs
From ‘Graph’ to ‘Big’: Evolving Package Names
Initially, the malicious packages used names containing “graph,” often mimicking popular libraries like graphlib. Since December 2025, however, the attackers have shifted to packages with “big” in their names. The researchers haven’t yet identified the recruiting frontend associated with these newer packages.
Source: ReversingLabs
Modularity and Persistence: Key Characteristics of the Campaign
This campaign is characterized by its modularity, allowing the threat actors to quickly resume operations even if parts of the infrastructure are compromised. The use of GitHub Organizations, with clean repositories and malicious code introduced through dependencies, further complicates detection. One example highlighted by ReversingLabs involved a package named ‘bigmathutils’, which became malicious in version 1.1.0 before being deprecated, likely to cover tracks.
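The two package-level signals described above (names built around “graph” or “big” that sit close to a well-known library such as graphlib, and a package that turns malicious in a later version and is then deprecated) can be checked before a candidate runs an unfamiliar project. The following script is an added example written for this article; it is not ReversingLabs’ tooling or the article’s own code. It parses a project’s package.json and requirements.txt, scores each dependency name, and inspects registry metadata shaped like the npm registry document (a versions map whose entries may carry a deprecated string, plus time.created and time.modified). The allow-list of known libraries, the 60-day “young package” threshold, and all sample inputs (including the registry records and the name bigalgorithms) are constructed assumptions for the example.

```python
"""Dependency triage helper (added example; not ReversingLabs' or the article's code)."""
import json
import re
from datetime import datetime

SUSPICIOUS_TOKENS = ("graph", "big")           # naming families named in the report
KNOWN_LIBRARIES = ("graphlib", "lodash", "requests")  # assumed allow-list for lookalike checks
YOUNG_PACKAGE_DAYS = 60                        # assumed threshold for a short-lived package


def parse_npm_deps(package_json: str) -> dict:
    """Collect runtime and dev dependencies from a package.json string."""
    data = json.loads(package_json)
    deps = {}
    for key in ("dependencies", "devDependencies"):
        deps.update(data.get(key, {}))
    return deps


def parse_pypi_deps(requirements_txt: str) -> dict:
    """Collect dependency names (lower-cased) from a requirements.txt string."""
    deps = {}
    for raw in requirements_txt.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line or line.startswith("-"):      # skip pip options such as -r / -e
            continue
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9_.\-]*)\s*(.*)", line)
        if m:
            deps[m.group(1).lower()] = m.group(2).strip() or "*"
    return deps


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def name_findings(name: str) -> list:
    """Flag names carrying the campaign's tokens or sitting close to a known library."""
    lower = name.lower()
    findings = [f"name contains '{tok}'" for tok in SUSPICIOUS_TOKENS if tok in lower]
    for lib in KNOWN_LIBRARIES:
        if lower != lib and edit_distance(lower, lib) <= 2:
            findings.append(f"lookalike of {lib}")
    return findings


def _parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")  # npm registry timestamp format


def history_findings(meta: dict) -> list:
    """Flag deprecated versions and packages whose whole history is very short."""
    findings = []
    for ver, info in meta.get("versions", {}).items():
        if info.get("deprecated"):
            findings.append(f"version {ver} is deprecated: {info['deprecated']}")
    times = meta.get("time", {})
    if "created" in times and "modified" in times:
        age = (_parse_time(times["modified"]) - _parse_time(times["created"])).days
        if age <= YOUNG_PACKAGE_DAYS:
            findings.append(f"entire version history spans {age} days")
    return findings


def triage(deps: dict, registry: dict) -> dict:
    """Return {package: [findings]} for every dependency with at least one finding."""
    report = {}
    for name in deps:
        findings = name_findings(name) + history_findings(registry.get(name, {}))
        if findings:
            report[name] = findings
    return report


# Constructed sample inputs for the example (not real project or registry data).
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"lodash": "^4.17.21", "graph-lib": "^1.0.2", "bigmathutils": "1.1.0"},
})
SAMPLE_REQUIREMENTS = "requests==2.31.0\nbigalgorithms>=0.3  # constructed name\n"
SAMPLE_REGISTRY = {
    "bigmathutils": {
        "versions": {"1.0.0": {}, "1.1.0": {"deprecated": "package no longer maintained"}},
        "time": {"created": "2025-12-01T00:00:00.000Z", "modified": "2025-12-20T00:00:00.000Z"},
    },
    "graph-lib": {"versions": {"1.0.2": {}}, "time": {}},
}


def run_example() -> dict:
    deps = {**parse_npm_deps(SAMPLE_PACKAGE_JSON), **parse_pypi_deps(SAMPLE_REQUIREMENTS)}
    return triage(deps, SAMPLE_REGISTRY)


if __name__ == "__main__":
    for pkg, notes in run_example().items():
        print(pkg, "->", "; ".join(notes))
```

Run it against the constructed inputs and the well-known lodash and requests entries pass silently, while graph-lib (one character from graphlib), bigmathutils (deprecated 1.1.0 on a 19-day-old package) and bigalgorithms (name token) are reported. In a real pre-flight the registry dict would be filled from the npm registry document for each name; PyPI’s JSON API has a different shape, so history_findings would need a second adapter.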
RAT Payload and Cryptocurrency Focus
Once executed, the malicious packages install a RAT payload capable of listing running processes, executing arbitrary commands, and exfiltrating files. Crucially, the RAT specifically checks for the presence of the MetaMask cryptocurrency extension, indicating a clear focus on stealing cryptocurrency assets.
Source: ReversingLabs
The RAT’s communication with its command-and-control (C2) server is token-protected, a common tactic employed by North Korean hackers to prevent unauthorized access.
Attribution to the Lazarus Group
ReversingLabs attributes the Graphalgo campaign to the Lazarus Group with medium-to-high confidence. This assessment is based on the campaign’s tactics, techniques, and procedures (TTPs), including the use of coding tests as an infection vector, the targeting of cryptocurrency-related individuals, and the delayed activation of malicious code – all consistent with previous Lazarus Group activity. Git commit timestamps also align with the GMT+9 time zone, corresponding to North Korea.
Technical Details: Python and JavaScript Variants
The threat actors are employing multiple variants of the RAT written in JavaScript, Python, and VBScript, demonstrating an intent to target a broad range of systems and users. The initial JavaScript file, Frontend.zip, downloads and executes subsequent Python scripts, including a browser-stealing module.
What Developers Should Do
Developers who believe they may have installed malicious packages related to this campaign should immediately rotate all tokens and account passwords and consider reinstalling their operating systems. A comprehensive list of indicators of compromise (IoCs) is available in the original ReversingLabs report.
FAQ
Q: What is a RAT?
A: RAT stands for Remote Access Trojan. It’s a type of malware that allows attackers to remotely control an infected computer.
Q: How can I protect myself from these attacks?
A: Be cautious of unsolicited job offers, especially those requiring you to run unfamiliar code. Verify the legitimacy of companies and projects before contributing.
Q: What is the Lazarus Group?
A: The Lazarus Group is a North Korean state-sponsored hacking group known for its sophisticated cyberattacks.
Q: Are npm and PyPI secure?
A: While npm and PyPI are legitimate platforms, they are vulnerable to malicious actors who can upload compromised packages. Always exercise caution when installing dependencies.
