Fake job recruiters hide malware in developer coding challenges
Source: Bleeping Computer

Overview
A new variation of the fake‑recruiter campaign run by North Korean threat actors targets JavaScript and Python developers with cryptocurrency‑themed coding tasks. The activity has been ongoing since at least May 2025 and is built modularly, so the actor can quickly resume operations after part of its infrastructure or package set is exposed and taken down.
Malicious Packages (Graphalgo)
The threat actor publishes malicious packages on the npm and PyPI registries that act as downloaders for a remote‑access trojan (RAT). Researchers identified 192 malicious packages related to this campaign, which they named “Graphalgo.”

Stages of the Graphalgo fake‑recruiter campaign – source: ReversingLabs
Example Package
One highlighted package, bigmathutils, had 10 000 downloads and was benign until version 1.1.0 introduced a malicious payload. The package was later deprecated and removed, likely to conceal the activity.
The “Graphalgo” name derives from packages that contain “graph” in their name, often impersonating legitimate libraries such as graphlib. From December 2025 onward, the actors shifted to packages with “big” in their name.

Package submission timeline – source: ReversingLabs
Recruitment Tactics
Researchers at software‑supply‑chain security company ReversingLabs say the actors create fake companies in the blockchain and crypto‑trading sectors and publish job offers on platforms like LinkedIn, Facebook, and Reddit.

Fake job posting on Reddit – source: ReversingLabs
Applicants are asked to demonstrate their skills by running, debugging, and improving a provided project. The real goal is to get the applicant to execute the code, which pulls in a malicious dependency from a legitimate registry (npm or PyPI).
“It is easy to create such job‑task repositories. Threat actors simply need to take a legitimate bare‑bone project and fix it up with a malicious dependency and it is ready to be served to targets,” the researchers explain.
To keep the malicious dependency from standing out, the attackers publish it to a legitimate registry (npm, PyPI) rather than committing it to the repository. The GitHub organizations hosting the projects therefore look clean; the malicious code enters only indirectly, when the attacker‑published dependency is resolved and installed.
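Because the job‑task repository itself looks clean, the practical check is to read its dependency manifests before running or installing anything. The script below is an added example, not code from ReversingLabs or from the campaign's repositories. It triages a project's requirements.txt and package.json against a version‑aware IoC table (which here holds only the one package the article names, bigmathutils, weaponized from 1.1.0; the full list lives in the ReversingLabs report), flags names matching the reported "graph"/"big" naming patterns for manual review, and flags npm lifecycle scripts, which execute during `npm install` before the applicant "runs" anything. The sample manifests, the package names other than bigmathutils, and the severity scheme are constructed for illustration.

```python
"""Pre-run triage of a recruiter-supplied "coding challenge" project.

Added example; not code from ReversingLabs or BleepingComputer. Before running
a job-task repo, read its dependency manifests (package.json, requirements.txt)
and flag:
  * dependencies matching a known-bad name/version (IoC table),
  * names matching the campaign's reported naming patterns ("graph", "big"),
  * npm lifecycle scripts, which execute at `npm install`, before any "run".
The IoC table is illustrative and holds only the package the article names
(bigmathutils, weaponized in 1.1.0); the full list is in the ReversingLabs report.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# name -> first malicious version (from the article; extend with the report's IoCs)
KNOWN_BAD: Dict[str, Dict[str, str]] = {
    "pypi": {"bigmathutils": "1.1.0"},
    "npm": {},
}
NAME_PATTERNS = [re.compile(r"graph", re.I), re.compile(r"big", re.I)]
INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
_PIP_LINE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*(?:==\s*([0-9][0-9A-Za-z.]*))?")


@dataclass
class Finding:
    severity: str      # "high" or "medium"
    ecosystem: str     # "pypi" or "npm"
    subject: str       # package name or script hook
    reason: str


def _vtuple(v: str) -> tuple:
    """Loose numeric version compare (not full PEP 440/semver); 1.1 == 1.1.0."""
    parts = [int(p) if p.isdigit() else 0 for p in v.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def check_dependency(ecosystem: str, name: str, pinned: Optional[str]) -> List[Finding]:
    """Classify one declared dependency; pinned=None means it resolves to latest."""
    bad_from = KNOWN_BAD[ecosystem].get(name.lower())
    if bad_from is not None:
        if pinned is None or _vtuple(pinned) >= _vtuple(bad_from):
            return [Finding("high", ecosystem, name,
                            f"known downloader package, malicious from {bad_from}; "
                            f"resolves to {pinned or 'latest'}")]
        return [Finding("medium", ecosystem, name,
                        f"pinned to {pinned}, but {bad_from}+ of this package carries the payload")]
    if any(p.search(name) for p in NAME_PATTERNS):
        return [Finding("medium", ecosystem, name,
                        "matches the campaign's 'graph'/'big' naming pattern; verify publisher and history")]
    return []


def triage_requirements(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):       # skip blanks, comments, -r/-e options
            continue
        m = _PIP_LINE.match(line)
        if m:
            findings += check_dependency("pypi", m.group(1), m.group(2))
    return findings


def triage_package_json(text: str) -> List[Finding]:
    pkg = json.loads(text)
    findings: List[Finding] = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(section, {}).items():
            pinned = spec if re.fullmatch(r"\d+(\.\d+)*", spec) else None  # "^1.2.0" floats
            findings += check_dependency("npm", name, pinned)
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook in INSTALL_HOOKS:
            findings.append(Finding("high", "npm", f"scripts.{hook}",
                                    f"runs during 'npm install', before you run anything: {cmd}"))
    return findings


def triage_project(files: Dict[str, str]) -> List[Finding]:
    """files: manifest filename -> contents. Returns findings, high severity first."""
    findings: List[Finding] = []
    if "requirements.txt" in files:
        findings += triage_requirements(files["requirements.txt"])
    if "package.json" in files:
        findings += triage_package_json(files["package.json"])
    return sorted(findings, key=lambda f: (f.severity != "high", f.ecosystem, f.subject))


# Constructed sample manifests for a fictitious "debug this trading bot" task.
SAMPLE_FILES = {
    "requirements.txt": "requests==2.31.0\nbigmathutils>=1.0   # unpinned: installs latest\ngraphtools-example==0.3.1\n",
    "package.json": json.dumps({
        "name": "trading-dashboard-task",
        "scripts": {"postinstall": "node setup.js", "start": "node index.js"},
        "dependencies": {"express": "^4.18.2", "bigjsonutils": "1.2.0"},
    }),
}

if __name__ == "__main__":
    for f in triage_project(SAMPLE_FILES):
        print(f"[{f.severity:6}] {f.ecosystem:4} {f.subject}: {f.reason}")
```

The version check matters because of the delayed‑activation pattern the article describes: a pin to a pre‑1.1.0 release of bigmathutils is reported at medium severity rather than ignored, since the same package was later weaponized and an unpinned or floating specifier would pull the malicious release. Name‑pattern hits are deliberately only medium severity; legitimate libraries such as graphlib match too, and the point is to prompt a look at the publisher and download history before installing.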
RAT Capabilities
Victims who run the instructed project install a RAT payload that can:
- List running processes on the host
- Execute arbitrary commands from a command‑and‑control (C2) server
- Exfiltrate files or drop additional payloads

Commands supported by the RAT – source: ReversingLabs
Additional behaviors include:
- Checking for the MetaMask cryptocurrency extension in the victim’s browser, indicating a money‑stealing motive.
- Token‑protected C2 communication, so that clients without the expected token (for example, researchers probing the server) cannot interact with it.
- Variants written in JavaScript, Python, and VBScript to cover a wide range of targets.
Attribution
The researchers attribute the Graphalgo fake‑recruiter campaign to the Lazarus group with medium‑to‑high confidence, based on:
- Similar infection vectors (coding tests)
- Cryptocurrency‑focused targeting
- Delayed activation of malicious code, a known Lazarus tactic
- Git commit timestamps in the GMT +9 time zone (Pyongyang time, a zone also shared by Japan and South Korea)
Indicators of Compromise & Mitigation
The complete indicators of compromise (IoCs) are available in the original report.
Developers who installed any of the malicious packages should treat the host as compromised and:
- Rotate all tokens and account passwords that were reachable from it (registry publish tokens, SSH keys, cloud and CI credentials, wallet secrets).
- Reinstall the operating system or otherwise rebuild the environment from a clean image, since the RAT can drop additional payloads.