Find notable cyber news and cases, enriched with sources, timelines, and signals.

Graphalgo malicious npm and PyPI RAT downloader packages

Malware Activity
First reported
Last updated
Happening score
H score 31
2 unique sources, 2 articles

Summary

Hide ▲

Graphalgo is a continuing malware-delivery operation that uses fake companies, fake job interviews, and coding tests to lure JavaScript and Python developers into downloading GitHub-hosted assessment projects carrying malicious npm or PyPI dependencies. The packages are designed to install a remote access trojan (RAT) and other malware on developer systems, creating risk of credential theft, wallet compromise, and file exfiltration. The operation has been active since at least May 2025 and has already produced 192 malicious packages.

Related Happenings

North Korean Contagious Interview PolinRider supply-chain campaign

Campaign
H score51 First: 04.07.2026 14:17 Last: 04.07.2026 14:17 Sources 1

About this happening: The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....

Rollup polyfill npm package malware activity for remote access and data theft

Malware Activity
H score16 First: 03.07.2026 19:07 Last: 03.07.2026 19:07 Sources 1

About this happening: **Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...

Operation Navy Ghost PyPI supply-chain campaign

Campaign
H score26 First: 01.07.2026 00:02 Last: 01.07.2026 00:02 Sources 1

About this happening: The **Operation Navy Ghost** campaign has targeted **Python developers** building **Telegram bots** through trojanized **Pyrogram forks**, creating a supply-chain path to compromi...

Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks

Malware Activity
H score30 First: 29.06.2026 08:36 Last: 29.06.2026 08:36 Sources 1

About this happening: Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...

Malicious npm packages delivering Windows RAT

Malware Activity
H score3 First: 23.06.2026 11:54 Last: 23.06.2026 11:54 Sources 1

About this happening: A set of **malicious npm packages** is delivering a **Windows-based RAT** through a **multi-stage install chain**, creating risk of **credential theft**, **host profiling**, and *...

Timeline

  1. 29.04.2026 17:43 1 articles · 2mo ago

    Graphalgo uses fake companies and interview tasks

    Campaign Scope Update

    North Korean graphalgo operators use fake companies, fake job interviews, and coding tests on job-seeking platforms and social networks to lure developers into downloading GitHub-hosted assessment projects that carry malicious npm or PyPI dependencies and ultimately install a RAT. One front company, Blocmerce, registered an LLC in Florida in August 2025, and related GitHub organizations have been active since June 2025.

    Show sources
  2. 14.02.2026 00:35 2 articles · 4mo ago

    Graphalgo campaign disclosed

    Initial Disclosure

    ReversingLabs disclosed a North Korean fake-recruiter campaign called Graphalgo that targets JavaScript and Python developers with cryptocurrency-related coding tasks and malicious npm and PyPI dependencies. The activity had been ongoing since at least May 2025, expanded to 192 malicious packages, and was assessed as Lazarus with medium-to-high confidence.

    Show sources