Cybersecurity researchers have uncovered a new wave of malicious packages in the npm and Python Package Index (PyPI) ecosystems linked to the North Korea-backed Lazarus Group. The campaign, dubbed graphalgo, has been active since May 2025 and leverages fake recruitment efforts to compromise developer systems.
Campaign Overview
Attackers create a convincing narrative around a fictitious company operating in blockchain and cryptocurrency, approaching potential targets via LinkedIn, Facebook, and job postings on Reddit. Researchers from ReversingLabs noted that repositories created to host coding assessments appear legitimate and do not directly contain malicious code.
Instead, the threat relies on dependencies in npm and PyPI packages, tricking developers into installing the malicious packages while completing recruitment exercises. Once executed, these packages deploy a remote access trojan (RAT) capable of system reconnaissance, file manipulation, process enumeration, and remote command execution.
List of Malicious Packages
npm Packages:
- graphalgo
- graphorithm
- graphstruct
- graphlibcore
- netstruct
- graphnetworkx
- terminalcolor256
- graphkitx
- graphchain
- graphflux
- graphorbit
- graphnet
- graphhub
- terminal-kleur
- graphrix
- bignumx
- bignumberx
- bignumex
- bigmathex
- bigmathlib
- bigmathutils
- graphlink
- bigmathix
- graphflowx
PyPI Packages:
- graphalgo
- graphex
- graphlibx
- graphdict
- graphflux
- graphnode
- graphsync
- bigpyx
- bignum
- bigmathex
- bigmathix
- bigmathutils
Technical Details of the Attack
The RAT deployed by these packages communicates with a command-and-control (C2) server using a token-based authentication mechanism. Systems first register with the C2 server to receive a token, which must be included in all subsequent communications. This ensures that only infected machines can receive commands.
In some cases, the malware specifically checks for cryptocurrency wallets like MetaMask, highlighting the attackers’ financial espionage objectives. Researchers noted that the modular and encrypted nature of the malware, combined with the campaign’s long-term patience and layered approach, indicates a state-sponsored actor.
Additional Malicious npm Campaigns
In parallel, JFrog researchers identified duer-js, a seemingly harmless utility library that actually acts as an information stealer (Bada Stealer). It can extract browser cookies, Discord tokens, passwords, crypto wallet details, and system information, sending it to a Discord webhook and Gofile for backup. The package also deploys a secondary payload to capture data directly from the Discord Desktop app.

Another campaign, XPACK ATTACK, abuses npm packages to extort cryptocurrency during installation. Uploaded by the user dev.chandra_bose, the packages (xpack-per-user, xpack-per-device, xpack-sui, xpack-subscription, xpack-arc-gateway, xpack-video-submission, test-npm-style, xpack-subscription-test, testing-package-xdsfdsfsc) block installation with a fake payment wall using HTTP 402 Payment Required. Victims must pay a small amount of USDC or ETH to proceed, while attackers collect GitHub usernames and device fingerprints.
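As an added example (not code from the article, ReversingLabs or JFrog), the following script audits a project's package.json and requirements.txt against the package names reported above (the Lazarus npm and PyPI lists, duer-js and the xpack-* packages). The manifest contents it checks are constructed samples; the PyPI comparison applies PEP 503 name normalization so casing and separator variants still match.

```python
import json
import re

# Package names as reported in the article; plain sets so they are easy to extend.
NPM_BLOCKLIST = {
    "graphalgo", "graphorithm", "graphstruct", "graphlibcore", "netstruct",
    "graphnetworkx", "terminalcolor256", "graphkitx", "graphchain", "graphflux",
    "graphorbit", "graphnet", "graphhub", "terminal-kleur", "graphrix", "bignumx",
    "bignumberx", "bignumex", "bigmathex", "bigmathlib", "bigmathutils",
    "graphlink", "bigmathix", "graphflowx", "duer-js",
    "xpack-per-user", "xpack-per-device", "xpack-sui", "xpack-subscription",
    "xpack-arc-gateway", "xpack-video-submission", "test-npm-style",
    "xpack-subscription-test", "testing-package-xdsfdsfsc",
}
PYPI_BLOCKLIST = {
    "graphalgo", "graphex", "graphlibx", "graphdict", "graphflux", "graphnode",
    "graphsync", "bigpyx", "bignum", "bigmathex", "bigmathix", "bigmathutils",
}

def normalize_pypi(name: str) -> str:
    # PEP 503: case-insensitive, any run of "-", "_" or "." collapses to "-".
    return re.sub(r"[-_.]+", "-", name).lower()

def audit_package_json(text: str) -> list[str]:
    """Return npm dependency names (from every dependency section) on the blocklist."""
    manifest = json.loads(text)
    hits = set()
    for section in ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies"):
        for name in manifest.get(section, {}):
            if name.lower() in NPM_BLOCKLIST:
                hits.add(name)
    return sorted(hits)

def audit_requirements(text: str) -> list[str]:
    """Return requirement names on the blocklist after PEP 503 normalization."""
    hits = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # skip blanks, comments and option lines such as -r / -e
        name = re.split(r"[\s\[<>=!~;@]", line, maxsplit=1)[0]
        if normalize_pypi(name) in PYPI_BLOCKLIST:
            hits.add(name)
    return sorted(hits)

# Constructed sample manifests mimicking a "coding assessment" repository.
SAMPLE_PACKAGE_JSON = '{"dependencies": {"express": "^4.18.0", "graphalgo": "1.0.2"}, "devDependencies": {"terminal-kleur": "0.1.0"}}'
SAMPLE_REQUIREMENTS = "requests==2.31.0\nGraphAlgo>=1.0  # assessment helper\n-e ./local\nbigmathutils\n"

if __name__ == "__main__":
    print("npm hits:", audit_package_json(SAMPLE_PACKAGE_JSON))
    print("PyPI hits:", audit_requirements(SAMPLE_REQUIREMENTS))
```

A name match is only a first filter; a hit should be followed by checking the lockfile and the installed package contents, since lookalike names outside this list are common.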
