Cybersecurity researchers have uncovered a new wave of malicious packages in the npm and PyPI ecosystems, linked to the North Korea-backed Lazarus Group. The campaign, codenamed graphalgo, has been active since May 2025 and demonstrates how state-sponsored actors exploit open-source trust to infiltrate developer environments.
Attack Chain Overview
- Recruitment lure: Developers are approached via LinkedIn, Facebook, and Reddit with fake job offers from a fabricated company (e.g., Veltrix Capital in blockchain/crypto).
- Legitimacy building: Attackers register domains and GitHub organizations hosting seemingly benign repositories.
- Hidden infection: The interview projects themselves look clean. The malicious functionality arrives through dependencies they pull from npm and PyPI, so a review of the repository's own code finds nothing.
- Execution: When a candidate installs and runs the project, the poisoned dependencies are fetched along with it and the infection begins.
Malicious Packages Identified
npm: graphalgo, graphorithm, graphstruct, graphlibcore, netstruct, graphnetworkx, terminalcolor256, graphkitx, graphchain, graphflux, graphorbit, graphnet, graphhub, terminal-kleur, graphrix, bignumx, bignumberx, bignumex, bigmathex, bigmathlib, bigmathutils, graphlink, bigmathix, graphflowx.
PyPI: graphalgo, graphex, graphlibx, graphdict, graphflux, graphnode, graphsync, bigpyx, bignum, bigmathex, bigmathix, bigmathutils.
Notably, bigmathutils attracted over 10,000 downloads before its malicious payload was introduced: a download count is not evidence of safety, and a package that was clean when first reviewed can turn malicious in a later release.
Malware Capabilities
- Deploys a remote access trojan (RAT).
- Commands include: system info collection, file enumeration, process listing, file manipulation, and upload/download.
- Token-based C2 authentication: only infected hosts that have registered with the server and hold a valid token can communicate with it, an approach previously seen in Lazarus-linked campaigns (e.g., Jade Sleet/TraderTraitor).
- Checks for MetaMask browser extension, signaling intent to steal cryptocurrency assets.
Related Discoveries
- JFrog identified duer-js, an npm package masquerading as a console utility that delivers Bada Stealer, which exfiltrates browser credentials, Discord tokens, and crypto wallet data.
- XPACK ATTACK (Feb 2026): npm packages that extort developers by refusing to complete installation until a cryptocurrency payment is made, abusing the HTTP 402 "Payment Required" status code.
Defensive Recommendations
- Audit dependencies: Verify every npm/PyPI package a project pulls in, direct and transitive, before running it, and treat recruitment or assessment projects from unknown parties as untrusted code.
- Monitor developer environments: Look for unusual outbound traffic from developer workstations, including connections to unfamiliar hosts that carry a registration or token exchange of the kind described above.
- Educate teams: Warn developers about fake job offers and the social engineering campaigns that deliver them.
- Use package scanning tools: Employ automated scanning of manifests and lockfiles to flag known-malicious dependencies, and re-scan when versions change rather than only at first import.
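As an added example (not code from the original report or from any of the vendors it cites), the following Python script puts the first and last recommendations into practice: it reads a package.json, a package-lock.json and a requirements.txt, collects direct and transitive dependency names, normalizes PyPI names the way the index does (PEP 503), and matches them against the indicator lists above. The sample manifests, the benign package names and the version numbers in them are constructed for the demonstration.

```python
"""Added example: scan dependency manifests for the package names published as
indicators for the graphalgo campaign. Not code from the original report."""
import json
import re

# Indicator names copied from the report's npm and PyPI lists.
NPM_IOCS = frozenset({
    "graphalgo", "graphorithm", "graphstruct", "graphlibcore", "netstruct",
    "graphnetworkx", "terminalcolor256", "graphkitx", "graphchain", "graphflux",
    "graphorbit", "graphnet", "graphhub", "terminal-kleur", "graphrix", "bignumx",
    "bignumberx", "bignumex", "bigmathex", "bigmathlib", "bigmathutils", "graphlink",
    "bigmathix", "graphflowx",
})
PYPI_IOCS = frozenset({
    "graphalgo", "graphex", "graphlibx", "graphdict", "graphflux", "graphnode",
    "graphsync", "bigpyx", "bignum", "bigmathex", "bigmathix", "bigmathutils",
})
NPM_DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")


def normalize_pypi(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def npm_manifest_deps(package_json: str) -> set[str]:
    """Direct dependencies declared in package.json, from all four dependency fields."""
    data = json.loads(package_json)
    names: set[str] = set()
    for field in NPM_DEP_FIELDS:
        names.update(n.lower() for n in data.get(field, {}))
    return names


def npm_lock_deps(package_lock_json: str) -> set[str]:
    """Every package in package-lock.json, transitive ones included.

    lockfileVersion 2/3 keys entries by install path ("node_modules/a/node_modules/b");
    lockfileVersion 1 nests them under "dependencies". Both shapes are handled."""
    data = json.loads(package_lock_json)
    names: set[str] = set()
    for path in data.get("packages", {}):
        if path:  # the "" entry is the root project itself
            names.add(path.rsplit("node_modules/", 1)[-1].lower())

    def walk(deps: dict) -> None:
        for name, meta in deps.items():
            names.add(name.lower())
            walk(meta.get("dependencies", {}))

    walk(data.get("dependencies", {}))
    return names


def requirements_deps(requirements_txt: str) -> set[str]:
    """Normalized project names from a pip requirements file; comments and options are skipped."""
    names: set[str] = set()
    for raw in requirements_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank line, comment, or a pip option such as -r / --index-url
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)  # stops at [extras], ==, >= ...
        if match:
            names.add(normalize_pypi(match.group(0)))
    return names


def find_iocs(npm_names: set[str], pypi_names: set[str]) -> dict[str, list[str]]:
    """Dependency names that appear in the published indicator lists, per ecosystem."""
    return {"npm": sorted(npm_names & NPM_IOCS), "pypi": sorted(pypi_names & PYPI_IOCS)}


# Constructed sample manifests for an offline run; benign names and versions are placeholders.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "interview-task",
    "dependencies": {"express": "^4.19.0", "graphalgo": "^1.2.0"},
    "devDependencies": {"jest": "^29.0.0"},
})
SAMPLE_PACKAGE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "interview-task"},
        "node_modules/express": {"version": "4.19.2"},
        "node_modules/express/node_modules/terminal-kleur": {"version": "0.1.0"},
    },
})
SAMPLE_REQUIREMENTS = (
    "requests==2.32.0\n"
    "GraphFlux>=0.2  # pulled in by the task\n"
    "-r extra.txt\n"
    "bigmathutils[fast]==1.0.3\n"
)


def scan_samples() -> dict[str, list[str]]:
    """Run the three parsers over the constructed samples and report indicator hits."""
    npm = npm_manifest_deps(SAMPLE_PACKAGE_JSON) | npm_lock_deps(SAMPLE_PACKAGE_LOCK)
    return find_iocs(npm, requirements_deps(SAMPLE_REQUIREMENTS))


if __name__ == "__main__":
    print(scan_samples())  # {'npm': ['graphalgo', 'terminal-kleur'], 'pypi': ['bigmathutils', 'graphflux']}
```

In a CI job, point the parser functions at the real files and fail the build on any hit. The lockfile pass matters because the campaign hides the payload behind a dependency rather than in the project, so a transitive package can be the infected one. A clean result only means none of the published names appear; it says nothing about packages not yet on any list, so it complements rather than replaces review of unknown dependencies.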
Final Thought
The Lazarus campaign underscores a growing reality: open‑source ecosystems are prime targets for state‑sponsored actors. By blending social engineering with poisoned dependencies, attackers exploit trust at scale. For defenders, vigilance must extend beyond code reviews to the entire supply chain of developer tools and packages.