Lazarus Campaign Plants Malicious Packages in npm and PyPI Ecosystems
Cybersecurity researchers have discovered a fresh set of malicious packages across npm and the Python Package Index (PyPI) repository linked to a fake recruitment-themed campaign orchestrated by the North Korea-linked Lazarus Group. The coordinated campaign has been codenamed graphalgo in reference to the first package published in the npm registry. It's assessed to be active since May 2025.
AI Analysis
Technical Summary
Researchers have identified a coordinated supply chain attack campaign, codenamed 'graphalgo,' attributed to the Lazarus Group, a North Korean state-sponsored threat actor. Active since May 2025, the campaign involves publishing malicious packages in the npm and PyPI repositories under names related to graph algorithms and big math utilities. The attack vector begins with social engineering: developers are targeted through fake job offers on social media platforms such as LinkedIn, Facebook, and Reddit, often involving a fabricated company named Veltrix Capital operating in blockchain and cryptocurrency trading. Victims are encouraged to clone GitHub repositories for coding assessments, which depend on the malicious packages hosted on npm and PyPI.

These dependencies contain a remote access trojan (RAT) that, once installed, registers with a command-and-control (C2) server using a token-based authentication mechanism. This RAT supports commands for system enumeration, file and process management, and data exfiltration. The malware also checks for the presence of cryptocurrency wallets like MetaMask, indicating a financial theft motive. The campaign's sophistication is evident in its modular design, encrypted multilayered malware, and patient trust-building approach.

Parallel to this, other malicious npm packages such as 'duer-js' have been found to steal sensitive information including browser credentials and cryptocurrency wallet data, exfiltrating it via Discord webhooks and file storage services. Another campaign, dubbed XPACK ATTACK, abuses npm's package installation process to extort cryptocurrency payments by simulating a payment wall, blocking installation until a ransom is paid. These findings underscore an ongoing trend of supply chain compromises targeting open-source ecosystems to infiltrate developer environments and steal sensitive data or extort funds.
Potential Impact
European organizations, particularly those engaged in software development, blockchain, cryptocurrency, and open-source projects, face significant risks from this campaign. The malicious packages can lead to unauthorized system access, data theft including sensitive credentials and cryptocurrency wallets, and potential lateral movement within corporate networks. The use of social engineering to target developers increases the likelihood of initial compromise, as developers may unwittingly install malicious dependencies during routine coding assessments or project setups. The presence of a RAT capable of extensive system control threatens confidentiality, integrity, and availability of affected systems. Financial theft is a direct risk due to checks for cryptocurrency wallets. The campaign’s stealthy and modular nature complicates detection and remediation, potentially allowing prolonged espionage or data exfiltration. Additionally, the extortion campaigns leveraging npm installations can disrupt developer workflows and cause financial losses. The reputational damage and operational disruptions from such supply chain attacks can be severe, especially for organizations relying heavily on open-source components and remote recruitment processes.
Mitigation Recommendations
1. Implement strict dependency management policies, including verifying package provenance, integrity, and publisher reputation before inclusion in projects.
2. Employ automated tools to scan for known malicious packages and anomalous behaviors in dependencies, such as ReversingLabs or similar threat intelligence platforms.
3. Educate developers and HR teams to recognize social engineering tactics used in fake recruitment campaigns, emphasizing caution when engaging with unsolicited job offers or unknown repositories.
4. Use isolated and sandboxed environments for running untrusted code or coding assessments to prevent infection of production systems.
5. Monitor network traffic for unusual outbound connections, especially to unknown C2 servers, and inspect for token-based authentication patterns indicative of this RAT's communication.
6. Enforce multi-factor authentication and endpoint detection and response (EDR) solutions capable of detecting suspicious process behaviors related to file manipulation and data exfiltration.
7. Regularly audit and update open-source dependencies to remove or replace suspicious packages.
8. Collaborate with open-source communities and package registries to report and remove malicious packages promptly.
9. For organizations involved in cryptocurrency, implement additional wallet security measures and monitor for unauthorized access attempts.
10. Incorporate supply chain risk assessments into cybersecurity governance frameworks.
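Recommendations 1, 4 and 7 come down to one habit: inspect a cloned "assessment" repository's manifests before anything in it is allowed to execute. The script below is an added example written for this page, not tooling from the article, from ReversingLabs or from any package registry. It audits an npm `package.json` (optionally against its `package-lock.json`) and a pip `requirements.txt` for the red flags this campaign depends on: lifecycle scripts that run during `npm install`, dependencies that resolve outside the public registry, packages missing from the lockfile or lacking an integrity hash, unpinned Python requirements, and names the article reports as malicious (`graphalgo`, `duer-js`). The sample manifests, the `veltrix-assessment` project name, the `example.invalid` hosts and the `helper-utils`/`mathlib` package names are all constructed for the demonstration.

```python
"""Pre-install audit for a cloned, untrusted repository (added example).

Run this before `npm install` / `pip install -r requirements.txt` on a
repository received from an unsolicited recruiter.  Sample manifests
below are constructed; only 'graphalgo' and 'duer-js' come from the article.
"""
import json
import re

# Package names the article reports as malicious (the only ones it gives).
DENY_LIST = {"graphalgo", "duer-js"}

# npm lifecycle hooks that execute arbitrary code during `npm install`.
INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

# Version specs that bypass the registry (git, tarball URLs, local paths).
NON_REGISTRY_SPEC = re.compile(r"^(git\+|git:|github:|https?://|file:|link:)")


def audit_npm(package_json: str, lockfile_json: str = "") -> list[str]:
    """Return findings for a package.json, cross-checked against a v2/v3 lockfile."""
    pkg = json.loads(package_json)
    findings = []

    for hook in sorted(INSTALL_HOOKS & set(pkg.get("scripts", {}))):
        findings.append(f"lifecycle script '{hook}' runs on install: {pkg['scripts'][hook]}")

    deps = {}
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(pkg.get(field, {}))

    lock_pkgs = {}
    if lockfile_json:
        lock = json.loads(lockfile_json)
        # lockfileVersion 2/3 keys packages by their install path.
        for path, meta in lock.get("packages", {}).items():
            if path.startswith("node_modules/"):
                lock_pkgs[path[len("node_modules/"):]] = meta

    for name, spec in sorted(deps.items()):
        if name in DENY_LIST:
            findings.append(f"dependency '{name}' is on the deny list")
        if NON_REGISTRY_SPEC.match(spec):
            findings.append(f"dependency '{name}' resolves outside the registry: {spec}")
        if lockfile_json:
            meta = lock_pkgs.get(name)
            if meta is None:
                findings.append(f"dependency '{name}' missing from lockfile")
            elif not meta.get("integrity"):
                findings.append(f"dependency '{name}' has no integrity hash in lockfile")
    return findings


def audit_requirements(requirements_txt: str) -> list[str]:
    """Return findings for a pip requirements file."""
    findings = []
    for raw in requirements_txt.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("-"):  # -e, -r, --index-url, --extra-index-url ...
            findings.append(f"pip option changes dependency resolution: {line}")
        elif "://" in line or line.startswith("git+"):
            findings.append(f"requirement resolves outside PyPI: {line}")
        else:
            name = re.split(r"[<>=!~\[ ;]", line, maxsplit=1)[0].lower()
            if name in DENY_LIST:
                findings.append(f"requirement '{name}' is on the deny list")
            if "==" not in line:
                findings.append(f"requirement '{name}' is not pinned to an exact version")
    return findings


# Constructed sample manifests modelled on the coding-assessment lure.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "veltrix-assessment",
    "scripts": {"postinstall": "node ./setup.js", "test": "jest"},
    "dependencies": {"express": "^4.18.2", "graphalgo": "^1.0.3"},
    "devDependencies": {"helper-utils": "git+https://example.invalid/helper-utils.git"},
})
SAMPLE_LOCKFILE = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "node_modules/express": {"version": "4.18.2", "integrity": "sha512-EXAMPLE"},
        "node_modules/graphalgo": {"version": "1.0.3"},
    },
})
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
numpy>=1.24        # floating range: resolver may pick an unreviewed release
mathlib @ git+https://example.invalid/mathlib.git
--extra-index-url https://example.invalid/simple
"""

if __name__ == "__main__":
    for finding in audit_npm(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE):
        print("npm:", finding)
    for finding in audit_requirements(SAMPLE_REQUIREMENTS):
        print("pip:", finding)
```

Any finding should block installation until a reviewer has looked at it; a `postinstall` hook plus a dependency that is absent from the lockfile is exactly the shape of the campaign described above. The checks are deliberately offline and syntactic, so they complement rather than replace a registry-backed scanner (recommendation 2) and a sandboxed environment (recommendation 4).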
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Finland, Ireland, Belgium
Technical Details
- Article source: https://thehackernews.com/2026/02/lazarus-campaign-plants-malicious.html (fetched 2026-02-13T07:29:31Z, 1507 words)
Threat ID: 698ed2ddc9e1ff5ad8037a5c
Added to database: 2/13/2026, 7:29:33 AM
Last enriched: 2/13/2026, 7:29:52 AM
Last updated: 2/21/2026, 12:07:25 AM