
Graphalgo malicious npm and PyPI RAT downloader packages

Malware Activity
Happening score: 34
2 unique sources, 2 articles

Summary


Graphalgo is an ongoing malware-delivery operation that uses fake companies, fake job interviews, and coding tests to lure JavaScript and Python developers into downloading GitHub-hosted assessment projects whose npm or PyPI dependencies are malicious. Once pulled in as part of the project's dependencies, the packages install a remote access trojan (RAT) and other malware on the developer's system, exposing credentials, cryptocurrency wallets, and local files to theft. The operation has been active since at least May 2025 and has already produced 192 malicious packages.
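The lure works because candidates run `npm install` or `pip install` on a repo they were handed minutes earlier. The script below is an added example (not code from this page, from ReversingLabs, or from the campaign) of the offline triage a practitioner can do before installing anything: it reads a repo's `package.json` and `requirements.txt` and flags the features such projects abuse, namely npm install-lifecycle hooks, dependencies resolved from git/URL/tarball instead of the registry, and pip requirements that redirect the resolver or fetch by URL. The two manifests embedded in it are constructed samples; the package names, hosts and scripts in them are invented for illustration.

```python
"""Offline triage of a coding-assessment repo's dependency manifests.

Added example only. The sample manifests below are constructed and the
package names, hosts and script paths in them are hypothetical.
"""
import json
import re

# Hooks that npm runs automatically during `npm install` (no user action needed).
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# A dependency spec that is not a plain version range resolves outside the registry:
# git URLs, "github:" / "owner/repo" shorthand, http(s) tarballs, file: paths.
NON_REGISTRY_SPEC = re.compile(
    r"^(git\+|git:|github:|https?://|file:|ssh:|[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$)"
)


def triage_package_json(text):
    """Return a list of (severity, detail) findings for a package.json string."""
    findings = []
    pkg = json.loads(text)
    scripts = pkg.get("scripts", {})
    for hook in NPM_INSTALL_HOOKS:
        if hook in scripts:
            findings.append(("high", f"install hook '{hook}' runs: {scripts[hook]}"))
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(section, {}).items():
            if NON_REGISTRY_SPEC.match(spec):
                findings.append(("medium", f"{section}: {name} resolved outside the registry ({spec})"))
    return findings


def triage_requirements(text):
    """Return findings for a pip requirements.txt string."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith(("--index-url", "-i ", "--extra-index-url", "--find-links", "-f ")):
            # The resolver is pointed at an index the attacker controls.
            findings.append(("high", f"resolver redirected: {line}"))
        elif re.search(r"(https?://|git\+|@ ?(https?|git|file)://)", line):
            # PEP 508 direct reference or VCS URL: bypasses PyPI entirely.
            findings.append(("medium", f"requirement fetched by URL: {line}"))
        elif line.startswith(("-e ", "./", "file:")):
            findings.append(("medium", f"local/editable install: {line}"))
    return findings


def triage_repo(manifests):
    """manifests: dict of file name -> text. Returns (severity, file, detail), high first."""
    out = []
    for name, text in manifests.items():
        if name.endswith("package.json"):
            out += [(sev, name, d) for sev, d in triage_package_json(text)]
        elif name.endswith("requirements.txt"):
            out += [(sev, name, d) for sev, d in triage_requirements(text)]
    order = {"high": 0, "medium": 1}
    return sorted(out, key=lambda f: order[f[0]])


# Constructed sample manifests shaped like an "assessment" repo (hypothetical names).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "trading-bot-assessment",
    "version": "1.0.0",
    "scripts": {"test": "jest", "postinstall": "node ./scripts/setup.js"},
    "dependencies": {
        "express": "^4.18.2",
        "price-feed-utils": "github:example-org/price-feed-utils",
    },
})

SAMPLE_REQUIREMENTS = """\
# constructed sample
--extra-index-url https://pkgs.example.invalid/simple
requests==2.31.0
chain-helpers @ https://example.invalid/chain_helpers-0.1.tar.gz
"""

if __name__ == "__main__":
    for sev, fname, detail in triage_repo({
        "package.json": SAMPLE_PACKAGE_JSON,
        "requirements.txt": SAMPLE_REQUIREMENTS,
    }):
        print(f"[{sev.upper():6}] {fname}: {detail}")
```

A clean result from this script is not a clearance: a registry package with a benign-looking version can still carry a malicious install hook of its own, so the next step is to inspect the resolved packages (or install in a throwaway VM) before running the project's tests.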

Related Happenings

Malware-Slop malicious npm file-theft campaign

Campaign
First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: The **Malware-Slop** campaign is distributing a malicious **npm** package that steals local files from installers, creating an unauthorized data-transfer risk for users of **Anthr...

Mouse5212-super-formatter postinstall GitHub exfiltration package

Malware Activity
First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: The **mouse5212-super-formatter** npm package is a **malicious infostealer** that can siphon files from **/mnt/user-data**, putting **Anthropic Claude** user data at risk of unaut...

GlassWorm supply-chain malware activity

Malware Activity
First: 27.05.2026 14:48 Last: 27.05.2026 14:48 Sources 1

About this happening: The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...

TrapDoor trap-core.js credential-stealing package malware

Malware Activity
First: 25.05.2026 08:59 Last: 25.05.2026 08:59 Sources 1

About this happening: The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...

Laravel-Lang PHP package supply-chain credential-stealing campaign

Campaign
First: 23.05.2026 12:51 Last: 23.05.2026 12:51 Sources 1

About this happening: A **software supply-chain campaign** hit **multiple Laravel-Lang PHP packages**, putting consumers at risk of **credential theft** through tampered release tags. Malicious version...

Timeline

  1. 29.04.2026 17:43 1 article · 28d ago

    Graphalgo uses fake companies and interview tasks

    Campaign Scope Update

    The North Korean Graphalgo operators use fake companies, fake job interviews, and coding tests on job-seeking platforms and social networks to lure developers into downloading GitHub-hosted assessment projects that carry malicious npm or PyPI dependencies and ultimately install a RAT. One front company, Blocmerce, registered an LLC in Florida in August 2025, and the related GitHub organizations have been active since June 2025.

  2. 14.02.2026 00:35 2 articles · 3mo ago

    Graphalgo campaign disclosed

    Initial Disclosure

    ReversingLabs disclosed a North Korean fake-recruiter campaign, named Graphalgo, that targets JavaScript and Python developers with cryptocurrency-themed coding tasks whose projects pull in malicious npm and PyPI dependencies. The activity had been ongoing since at least May 2025, had grown to 192 malicious packages, and was attributed to Lazarus with medium-to-high confidence.
