- Lazarus Group develops Operation Dream Job campaign to target Web3 developers
- New “Graphalgo” variant uses malicious dependencies in legitimate core projects in PyPI/npm
- ReversingLabs found ~200 malicious packages spoofing libraries like Graphlib, aiming to steal cryptocurrency
The notorious Lazarus gang is evolving its Operation Dream Job campaign to target even more software developers and steal even more cryptocurrencies along the way.
Security researchers ReversingLabs claim to have seen changes to the campaign starting in May 2025, dubbed ‘Graphalgo’, in which Lazarus takes a legitimate core project and adds a malicious dependency that they use in the attack.
For those unfamiliar with Operation Dream Job, it is an ongoing campaign created by North Korean state-sponsored hackers. They create fake job ads on LinkedIn and other platforms and offer attractive jobs to software developers who mainly work in the Web3 (blockchain) industry.
Codename Graphalgo
During the “recruitment process”, they ask candidates to perform some test tasks which always end with the victims downloading and executing malicious code. That code may be different, but the goal is always to empty your crypto wallets, whether they are standalone apps, browser add-ons, or accounts on popular crypto exchanges.
“It is easy to create such repositories of work tasks. Threat actors simply need to take a legitimate core project and fix it with a malicious dependency and it will be ready to be delivered to targets,” the researchers said. Most of these projects are hosted on legitimate platforms such as PyPI or npm, making it difficult for victims to detect the attack.
So far, ReversingLabs has found almost 200 malicious packages.
The update was named Graphalgo because all malicious packages had the “graph” prefix in their name and often spoof normal libraries like Graphlib. In more recent times, “graphic” was replaced by “large,” but researchers have yet to find the recruiting part that accompanies these packages.
Through beepcomputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp also.
