Cybersecurity researchers have discovered a fresh set of malicious packages across npm and the Python Package Index (PyPI) repository linked to a fake recruitment-themed campaign orchestrated by the North Korea-linked Lazarus Group. The coordinated campaign has been codenamed graphalgo in reference to the first package published in the npm registry. It’s assessed to be active since May 2025.

“Developers are approached via social platforms like LinkedIn and Facebook, or through job offerings on forums like Reddit,” ReversingLabs researcher Karlo Zanki said in a report. “The campaign includes a well-orchestrated story around a company involved in blockchain and cryptocurrency exchanges.”

Notably, one of the identified npm packages, bigmathutils, attracted more than 10,000 downloads after the first, non-malicious version was published, and before the second version containing a malicious payload was released.

The names of the packages are listed below.

npm: graphalgo, graphorithm, graphstruct, graphlibcore, netstruct, graphnetworkx, terminalcolor256, graphkitx, graphchain, graphflux, graphorbit, graphnet, graphhub, terminal-kleur, graphrix, bignumx, bignumberx, bignumex, bigmathex, bigmathlib, bigmathutils, graphlink, bigmathix, graphflowx

PyPI: graphalgo, graphex, graphlibx, graphdict, graphflux, graphnode, graphsync, bigpyx, bignum, bigmathex, bigmathix, bigmathutils

As with many job-focused campaigns conducted by North Korean threat ac
