Graphalgo
Graphalgo is a malware campaign and associated malicious package cluster attributed with medium-to-high confidence to North Korea’s Lazarus Group. Active since at least May 2025, it targets JavaScript and Python developers through fake recruiter outreach and coding-assessment lures themed around blockchain, cryptocurrency, and software development roles. Attackers use fake company infrastructure, including fronts such as Veltrix Capital, and contact targets via LinkedIn, Facebook, Reddit, and similar channels. Victims are instructed to run or debug seemingly legitimate interview projects hosted on GitHub; the repositories themselves may appear clean, but they pull malicious dependencies from npm and PyPI.
Researchers identified 192 malicious packages associated with the campaign. The operation was named after the first npm package observed, graphalgo. Reported package names include npm packages such as graphalgo, graphorithm, graphstruct, graphlibcore, netstruct, graphnetworkx, terminalcolor256, graphkitx, graphchain, graphflux, graphorbit, graphnet, graphhub, terminal-kleur, graphrix, bignumx, bignumberx, bignumex, bigmathex, bigmathlib, bigmathutils, graphlink, bigmathix, and graphflowx, and PyPI packages such as graphalgo, graphex, graphlibx, graphdict, graphflux, graphnode, graphsync, bigpyx, bignum, bigmathex, bigmathix, and bigmathutils. Some packages were initially benign to build trust and download counts before later malicious updates were pushed; bigmathutils is specifically cited as having exceeded 10,000 downloads before a malicious version was introduced.
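As an added defensive example, not code from the source write-ups or from Mallory, the following Python audit parses a project's package.json and requirements.txt and reports any dependency whose name matches the npm or PyPI packages reported above. The sample manifests are constructed; a match only flags the package for review of the installed version, since several of these packages were benign before a later malicious update.

```python
import json
import re

# Package names reported on this page, keyed by ecosystem.
GRAPHALGO_NPM = {
    "graphalgo", "graphorithm", "graphstruct", "graphlibcore", "netstruct", "graphnetworkx",
    "terminalcolor256", "graphkitx", "graphchain", "graphflux", "graphorbit", "graphnet",
    "graphhub", "terminal-kleur", "graphrix", "bignumx", "bignumberx", "bignumex", "bigmathex",
    "bigmathlib", "bigmathutils", "graphlink", "bigmathix", "graphflowx",
}
GRAPHALGO_PYPI = {
    "graphalgo", "graphex", "graphlibx", "graphdict", "graphflux", "graphnode",
    "graphsync", "bigpyx", "bignum", "bigmathex", "bigmathix", "bigmathutils",
}
_REQ_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")  # project name at the start of a requirement

def npm_names(package_json_text):
    """Collect dependency names from every dependency field of package.json."""
    manifest = json.loads(package_json_text)
    names = set()
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        names.update(manifest.get(field, {}))
    return names

def pypi_names(requirements_text):
    """Names from requirements.txt (comments, pip options, extras, specifiers, markers dropped), normalised as pip does."""
    names = set()
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment-only, or an -r/-e option
            continue
        if m := _REQ_NAME.match(line):
            names.add(re.sub(r"[-_.]+", "-", m.group(1)).lower())
    return names

def find_graphalgo_packages(package_json_text=None, requirements_text=None):
    """Return {'npm': [...], 'pypi': [...]} of reported names found in the manifests.
    A hit means review that package's installed version: several were benign at first."""
    hits = {"npm": [], "pypi": []}
    if package_json_text is not None:
        hits["npm"] = sorted(npm_names(package_json_text) & GRAPHALGO_NPM)
    if requirements_text is not None:
        hits["pypi"] = sorted(pypi_names(requirements_text) & GRAPHALGO_PYPI)
    return hits

# Constructed sample manifests modelled on a fake "interview project"; not real IoCs.
SAMPLE_PACKAGE_JSON = json.dumps({"dependencies": {"express": "^4.19.0", "graphalgo": "^1.2.0"},
                                  "devDependencies": {"terminal-kleur": "0.3.1", "jest": "^29"}})
SAMPLE_REQUIREMENTS = '# deps\nrequests>=2.31\nBigMathUtils==1.0.4 ; python_version >= "3.8"\nnumpy[all]~=1.26\n-r base.txt\n'
```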
The malicious packages function as downloaders or conduits for a modular multi-stage remote access trojan. The RAT periodically fetches and executes commands from an external command-and-control server and supports capabilities including arbitrary command execution, process listing, system and file enumeration, file and directory manipulation, file upload and download, and additional payload delivery. The malware uses token-protected C2 communications, including an initial registration step that sends host information and receives a token required for subsequent requests. Multiple RAT variants written in JavaScript, Python, and VBS were reported.
The campaign also includes checks for browser cryptocurrency wallet extensions such as MetaMask, indicating likely cryptocurrency theft objectives in addition to broader data theft. Targeting is focused on developers, especially those in blockchain and crypto-related ecosystems, and the tradecraft combines social engineering with software supply-chain abuse to exploit normal developer workflows. Attribution to Lazarus Group is supported by overlap in fake job-interview lures, crypto-focused targeting, delayed malicious package activation, multi-stage encrypted malware, token-protected C2, and GMT+9 Git commit timestamps.
Groups observed using it
2 distinct threat actors attributed by public researchers.
North Korea’s Lazarus Group has maintained a sustained presence in PyPI and npm targeting AI and developer tool packages under the campaign codenamed “Graphalgo.”
The coordinated campaign has been codenamed graphalgo in reference to the first package published in the npm registry... The packages ultimately act as a conduit to deploy a remote access trojan (RAT) that periodically fetches and executes commands from an external server.
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (3 techniques)
Instead of direct attachments, attackers embed malicious dependencies inside packages on popular developer registries, npm and PyPI. When candidates run or debug the code as part of the “interview exercise,” these hidden packages install a remote access trojan (RAT) on their machine.
Execution (2 techniques)
Discovery (1 technique)
Command and Control (1 technique)
Recent activity
6 sources tracked across advisories, community write-ups, and news.
A Lazarus-linked fake recruiter/software supply chain campaign using malicious npm and PyPI dependencies embedded in “job interview” GitHub projects. When executed, the dependencies run a multi-stage, modular infection chain that ultimately downloads a RAT with file access, command execution, and process control; it also checks for crypto wallets (e.g., MetaMask) and uses token-protected C2.
“Dream Job or Nightmare? Lazarus Group Hunts Crypto Devs with ‘Graphalgo’ Malware”
A software supply-chain campaign using malicious npm/PyPI packages as downloaders to install a modular remote access trojan. The RAT supports process listing, arbitrary command execution via C2, file exfiltration, and dropping additional payloads; it also checks for the MetaMask browser extension, indicating crypto-theft intent.