Lazarus Group graphalgo recruitment-themed package campaign

Campaign
H score 41
2 unique sources, 2 articles

Summary

The North Korea-linked Lazarus Group is running graphalgo, an active fake recruitment-themed package campaign that is targeting developers through npm and PyPI. The operation matters because the malicious dependencies are used to install a remote access trojan and probe for MetaMask on infected systems. One package, bigmathutils, drew more than 10,000 downloads before the malicious version was released, broadening exposure.

Related Happenings

Malware-Slop malicious npm file-theft campaign

Campaign
First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: The **Malware-Slop** campaign is distributing a malicious **npm** package that steals local files from installers, creating an unauthorized data-transfer risk for users of **Anthr...

Mouse5212-super-formatter postinstall GitHub exfiltration package

Malware Activity
First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: The **mouse5212-super-formatter** npm package is a **malicious infostealer** that can siphon files from **/mnt/user-data**, putting **Anthropic Claude** user data at risk of unaut...

GlassWorm supply-chain malware activity

Malware Activity
First: 27.05.2026 14:48 Last: 27.05.2026 14:48 Sources 1

About this happening: The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...

Shai-Hulud worm clone activity on NPM

Malware Activity
First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers

Malware Activity
First: 18.05.2026 11:57 Last: 18.05.2026 11:57 Sources 1

About this happening: Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...

Timeline

  1. 12.02.2026 18:55 2 articles · 3mo ago

    North Korea-linked graphalgo recruitment campaign disclosed

    Initial Disclosure

    Researchers disclosed a North Korea-linked Lazarus Group campaign that targets developers through fake blockchain and cryptocurrency job lures. The graphalgo package cluster on npm and PyPI delivers a remote access trojan and checks infected systems for the MetaMask browser extension. The campaign was assessed to have been active since May 2025.