Lazarus Group graphalgo recruitment-themed package campaign
Campaign
Summary
Hide ▲
Show ▼
The North Korea-linked Lazarus Group is running graphalgo, an active fake recruitment-themed package campaign that is targeting developers through npm and PyPI. The operation matters because the malicious dependencies are used to install a remote access trojan and probe for MetaMask on infected systems. One package, bigmathutils, drew more than 10,000 downloads before the malicious version was released, broadening exposure.
Related Happenings
North Korean Contagious Interview PolinRider supply-chain campaign
Campaign
H score51
First: 04.07.2026 14:17
Last: 04.07.2026 14:17
Sources 1
About this happening:
The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....
North Korean Contagious Interview PolinRider supply-chain campaign
CampaignAbout this happening: The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....
PolinRider GitHub supply-chain campaign delivering BeaverTail and InvisibleFerret
Campaign
H score9
First: 23.06.2026 11:54
Last: 23.06.2026 11:54
Sources 1
About this happening:
A **North Korean** supply-chain campaign dubbed **PolinRider** is injecting obfuscated JavaScript into compromised **GitHub repositories**, exposing developers to staged malware d...
PolinRider GitHub supply-chain campaign delivering BeaverTail and InvisibleFerret
CampaignAbout this happening: A **North Korean** supply-chain campaign dubbed **PolinRider** is injecting obfuscated JavaScript into compromised **GitHub repositories**, exposing developers to staged malware d...
Easy-day-js Mastra package-publishing campaign
Campaign
H score30
First: 17.06.2026 10:38
Last: 17.06.2026 10:38
Sources 1
About this happening:
The **easy-day-js** campaign mass-published more than **140 malicious npm packages** across the **@mastra/*** namespace, creating broad supply-chain exposure for developers and bu...
Easy-day-js Mastra package-publishing campaign
CampaignAbout this happening: The **easy-day-js** campaign mass-published more than **140 malicious npm packages** across the **@mastra/*** namespace, creating broad supply-chain exposure for developers and bu...
North Korea-aligned developer-targeting operations shift from fake interviews to recruitment phishing at scale
Threat Actor Meta
H score31
First: 15.06.2026 22:32
Last: 15.06.2026 22:32
Sources 1
About this happening:
North Korea-aligned developer-targeting operations are shifting from **fake interviews** to **recruitment-themed phishing** at scale, increasing the risk of industrialized **crede...
North Korea-aligned developer-targeting operations shift from fake interviews to recruitment phishing at scale
Threat Actor MetaAbout this happening: North Korea-aligned developer-targeting operations are shifting from **fake interviews** to **recruitment-themed phishing** at scale, increasing the risk of industrialized **crede...
Contagious Interview UNK_DeadDrop GitHub phishing campaign
Campaign
H score37
First: 15.06.2026 22:32
Last: 15.06.2026 22:32
Sources 1
About this happening:
The **Contagious Interview** cluster is running the **UNK_DeadDrop** phishing campaign to lure developers with **recruitment** and **code review** themes, reaching **nearly 100 or...
Contagious Interview UNK_DeadDrop GitHub phishing campaign
CampaignAbout this happening: The **Contagious Interview** cluster is running the **UNK_DeadDrop** phishing campaign to lure developers with **recruitment** and **code review** themes, reaching **nearly 100 or...
Timeline
-
12.02.2026 18:55 2 articles · 4mo ago
North Korea-linked graphalgo recruitment campaign disclosed
Initial DisclosureResearchers disclosed a North Korea-linked Lazarus Group campaign targeting developers through fake blockchain and cryptocurrency job lures, where the graphalgo package cluster on npm and PyPI delivers a remote access trojan, was assessed active since May 2025, and checks infected systems for the MetaMask browser extension.
Show sources
- Lazarus Campaign Plants Malicious Packages in npm and PyPI Ecosystems — thehackernews.com — 12.02.2026 18:55
- Fake job recruiters hide malware in developer coding challenges — www.bleepingcomputer.com — 14.02.2026 00:35