Graphalgo malicious npm and PyPI RAT downloader packages
Malware Activity
Summary
Hide ▲
Show ▼
Graphalgo is a continuing malware-delivery operation that uses fake companies, fake job interviews, and coding tests to lure JavaScript and Python developers into downloading GitHub-hosted assessment projects carrying malicious npm or PyPI dependencies. The packages are designed to install a remote access trojan (RAT) and other malware on developer systems, creating risk of credential theft, wallet compromise, and file exfiltration. The operation has been active since at least May 2025 and has already produced 192 malicious packages.
Related Happenings
North Korean Contagious Interview PolinRider supply-chain campaign
Campaign
H score51
First: 04.07.2026 14:17
Last: 04.07.2026 14:17
Sources 1
About this happening:
The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....
North Korean Contagious Interview PolinRider supply-chain campaign
CampaignAbout this happening: The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....
Rollup polyfill npm package malware activity for remote access and data theft
Malware Activity
H score16
First: 03.07.2026 19:07
Last: 03.07.2026 19:07
Sources 1
About this happening:
**Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...
Rollup polyfill npm package malware activity for remote access and data theft
Malware ActivityAbout this happening: **Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...
Operation Navy Ghost PyPI supply-chain campaign
Campaign
H score26
First: 01.07.2026 00:02
Last: 01.07.2026 00:02
Sources 1
About this happening:
The **Operation Navy Ghost** campaign has targeted **Python developers** building **Telegram bots** through trojanized **Pyrogram forks**, creating a supply-chain path to compromi...
Operation Navy Ghost PyPI supply-chain campaign
CampaignAbout this happening: The **Operation Navy Ghost** campaign has targeted **Python developers** building **Telegram bots** through trojanized **Pyrogram forks**, creating a supply-chain path to compromi...
Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks
Malware Activity
H score30
First: 29.06.2026 08:36
Last: 29.06.2026 08:36
Sources 1
About this happening:
Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...
Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks
Malware ActivityAbout this happening: Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...
Malicious npm packages delivering Windows RAT
Malware Activity
H score3
First: 23.06.2026 11:54
Last: 23.06.2026 11:54
Sources 1
About this happening:
A set of **malicious npm packages** is delivering a **Windows-based RAT** through a **multi-stage install chain**, creating risk of **credential theft**, **host profiling**, and *...
Malicious npm packages delivering Windows RAT
Malware ActivityAbout this happening: A set of **malicious npm packages** is delivering a **Windows-based RAT** through a **multi-stage install chain**, creating risk of **credential theft**, **host profiling**, and *...
Timeline
-
29.04.2026 17:43 1 articles · 2mo ago
Graphalgo uses fake companies and interview tasks
Campaign Scope UpdateNorth Korean graphalgo operators use fake companies, fake job interviews, and coding tests on job-seeking platforms and social networks to lure developers into downloading GitHub-hosted assessment projects that carry malicious npm or PyPI dependencies and ultimately install a RAT. One front company, Blocmerce, registered an LLC in Florida in August 2025, and related GitHub organizations have been active since June 2025.
Show sources
- New Wave of DPRK Attacks Uses AI-Inserted npm Malware, Fake Firms, and RATs — thehackernews.com — 29.04.2026 17:43
-
14.02.2026 00:35 2 articles · 4mo ago
Graphalgo campaign disclosed
Initial DisclosureReversingLabs disclosed a North Korean fake-recruiter campaign called Graphalgo that targets JavaScript and Python developers with cryptocurrency-related coding tasks and malicious npm and PyPI dependencies. The activity had been ongoing since at least May 2025, expanded to 192 malicious packages, and was assessed as Lazarus with medium-to-high confidence.
Show sources
- Fake job recruiters hide malware in developer coding challenges — www.bleepingcomputer.com — 14.02.2026 00:35
- Fake job recruiters hide malware in developer coding challenges — www.bleepingcomputer.com — 14.02.2026 00:35