- Lazarus Group evolving Operation Dream Job campaign to target Web3 developers
- New “Graphalgo” variant uses malicious dependencies in legitimate bare-bone projects on PyPI/npm
- ReversingLabs found ~200 malicious packages spoofing libraries like graphlib, aiming to steal crypto
The notorious Lazarus gang is evolving its Operation Dream Job campaign to target even more software developers and steal even more crypto along the way.
Security researchers ReversingLabs claim to have seen changes to the campaign starting May 2025, dubbed ‘Graphalgo’, which sees Lazarus take a legitimate bare-bone project, and adds a malicious dependency which they use in the attack.
For those unfamiliar with Operation Dream Job, it is an ongoing campaign created by North Korean state-sponsored hackers. They create fake job ads on LinkedIn and other platforms and offer enticing jobs to software developers working primarily in the Web3 (blockchain) industry.
Codename Graphalgo
During the “hiring process”, they ask the candidates to go through a few test assignments which always end up with the victims downloading and running malicious code. That code can be different, but the goal is always to empty their crypto wallets - be it standalone apps, browser add-ons, or accounts on popular crypto exchanges.
"It is easy to create such job task repositories. Threat actors simply need to take a legitimate bare-bone project and fix it up with a malicious dependency and it is ready to be served to targets," the researchers said. Most of these projects are hosted on legitimate platforms such as PyPI or npm, making it more difficult for the victims to spot the attack.
So far, ReversingLabs found almost 200 malicious packages.
The refresh was dubbed Graphalgo because all of the malicious packages had the prefix “graph” in their name and often spoof regular libraries such as graphlib. In more recent times, “graph” was replaced with “big”, but the researchers are yet to find the recruiting part that goes with these packages.
Via BleepingComputer
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
