Cybersecurity researchers have identified a new series of malicious software packages within the npm and Python Package Index (PyPI) ecosystems. These packages are linked to a fake recruitment campaign attributed to the North Korea-linked Lazarus Group. The activity, which has been active since at least May 2025, poses a significant supply chain threat to software developers worldwide.
Campaign Details and Discovery
The coordinated campaign has been assigned the codename “graphalgo” by researchers, a reference to the first malicious package published in the npm registry. The threat actors used social engineering tactics, posing as recruiters to lure developers into downloading and executing the tainted packages. These packages were designed to deploy malware capable of stealing sensitive data from infected systems.
The malicious modules were uploaded to both the npm and PyPI repositories, which are critical infrastructure for the JavaScript and Python programming communities. Developers who inadvertently install these packages risk compromising their development environments and any systems connected to them.
Attribution and Historical Context
The campaign has been attributed with high confidence to the Lazarus Group, a cybercrime syndicate backed by the North Korean government. This group is also known by aliases including Hidden Cobra and APT38. Lazarus has a long history of conducting financially motivated and espionage-related cyber operations, including the 2014 Sony Pictures hack and the WannaCry ransomware attack in 2017.
Their operations frequently target cryptocurrency firms and financial institutions to generate revenue for the regime. In recent years, the group has increasingly focused on software supply chain attacks, exploiting the trust inherent in open-source repositories to distribute malware to a broad audience.
Impact and Mitigation
The immediate impact of this campaign is the potential compromise of individual developers and organizations that downloaded the packages. The broader implication is the erosion of trust in essential open-source repositories, which form the backbone of modern software development. Security teams at both npm and PyPI have removed the identified malicious packages.
Researchers and repository maintainers advise developers to exercise heightened vigilance. Recommended security practices include verifying package publishers, scrutinizing dependencies for unusual activity, and using security tools that can scan for known vulnerabilities and malicious code within software libraries.
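As an added example (not from the article or from the researchers it cites), the following Python script shows one way to put the "scrutinize dependencies" advice into practice: it triages the metadata document the npm registry serves for a package and flags the traits that freshly published malicious packages commonly share, such as install-time scripts, a very recent first publication, a single maintainer and a single version. The sample metadata, package name and thresholds are constructed for illustration and are not real registry data.

```python
from datetime import datetime, timedelta, timezone

# Lifecycle hooks that npm runs automatically during `npm install`; a package
# declaring them executes code before a developer ever imports it.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def triage_npm_package(meta: dict, now: datetime, max_age_days: int = 30) -> list:
    """Return risk findings for one npm registry metadata document.

    `meta` has the shape of the JSON the registry serves at /<package-name>
    (dist-tags, time, maintainers, versions). Thresholds are illustrative.
    """
    findings = []
    latest = meta.get("dist-tags", {}).get("latest")
    version = meta.get("versions", {}).get(latest, {})

    # Code that runs at install time is the most common delivery mechanism.
    hooks = [h for h in INSTALL_HOOKS if h in version.get("scripts", {})]
    if hooks:
        findings.append("runs install-time scripts: " + ", ".join(hooks))

    # Lure packages are usually days old when a target is pointed at them.
    created = meta.get("time", {}).get("created")
    if created:
        age = now - datetime.fromisoformat(created.replace("Z", "+00:00"))
        if age < timedelta(days=max_age_days):
            findings.append(f"first published {age.days} days ago")
    else:
        findings.append("no creation timestamp in metadata")

    if len(meta.get("maintainers", [])) <= 1:
        findings.append("single maintainer")
    if len(meta.get("versions", {})) <= 1:
        findings.append("only one version ever published")
    return findings


# Constructed sample (hypothetical package, not real registry data): a throwaway
# account publishes one version with a postinstall hook ten days before review.
SAMPLE_SUSPECT = {
    "name": "example-suspect-pkg",
    "dist-tags": {"latest": "1.0.0"},
    "time": {"created": "2025-05-10T12:00:00.000Z", "modified": "2025-05-10T12:00:00.000Z"},
    "maintainers": [{"name": "new-user-1"}],
    "versions": {"1.0.0": {"scripts": {"postinstall": "node setup.js"}}},
}
REVIEW_TIME = datetime(2025, 5, 20, tzinfo=timezone.utc)

if __name__ == "__main__":
    for finding in triage_npm_package(SAMPLE_SUSPECT, REVIEW_TIME):
        print("-", finding)
```

A package that trips several of these checks at once is not proven malicious, but it is the kind of dependency to read before installing, especially when a stranger asked you to run it.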
Looking Ahead
Security analysts expect the Lazarus Group and similar state-sponsored actors to continue refining their software supply chain attack methods. Repository maintainers are likely to enhance automated scanning and validation processes for new package submissions. The cybersecurity community anticipates further disclosures of related malicious packages as investigations into the “graphalgo” campaign continue, and urges developers to monitor official advisories from npm and PyPI for updates.
Source: GeekWire