Fake recruiter campaign targets crypto devs

The ReversingLabs research team has identified a new branch of a fake recruiter campaign conducted by the North Korean hacking team Lazarus Group. The campaign, which the team named graphalgo, based on the first package included in this campaign in the npm repository, has been active since the beginning of May 2025. It is a coordinated campaign targeting both Javascript and Python developers with cryptocurrency-related fake recruiter tasks.

Developers are approached via social platforms like LinkedIn and Facebook, or through job offerings on forums like Reddit. The campaign includes a well-orchestrated story around a company involved in blockchain and cryptocurrency exchanges. The malicious functionality is hidden using several layers of indirection across public services which include GitHub, npm and PyPI. 

The campaign includes a malicious npm package, bigmathutils, which collected more than 10K downloads since publishing the original, non-malicious version, and before the second version containing malicious payload was released.

Graphalgo campaign overview

This whole campaign can be split into several partially independent activities conducted by the threat actor behind it. What's new in this campaign is its modularity makes it easier for the threat actor to keep the campaign active even if only some part of it becomes compromised.

Figure 1. Campaign overview

Part 1: Fake company

The central part of the campaign is a fake company, working on topics related to blockchain and crypto trading. In this case it was named “veltrix-capital,” but it is very likely that other organizations of the same profile exist as part of this campaign. The company’s domain, www[.]veltrixcap[.]org, was created on April 4th 2025. A related GitHub organization named veltrix-capital was also created. It should be noted: several other companies with a similar name can be found by a quick Google search, but it is hard to tell if they are fake or legitimate entities. 

The firm “Veltrix Capital" observed in this campaign had a basic looking website with information like the company vision and mission, but no concrete information about leadership or contact information. That said, it is not a hard task for a threat actor to create a fake company in case this one gets compromised. In fact, we think that was done in October 2025 when a new GitHub organization named veltrixcapital was created, pointing to a veltrixcapital[.]ai domain registered on September 21st 2025. No malicious activity related to this organization has been detected yet, but it is continuously getting new content published on its webpage and social media accounts. The content looks generic and AI generated and probably serves to create a sense of trustworthiness. It will very likely be used to publish malicious content in the future.

Part 2: Interview tasks

Several repositories were published under the veltrix-capital GitHub account and some of them were likely test tasks for job interviews. They include test-url-monitoring, test-devops-monitoring, test-devops-orchestrator, test-devops-orchestrator-ts. These repositories contained projects in both the Python and Javascript development languages. Examination of these repositories didn’t reveal any obvious malicious functionality. That is because the malicious functionality was not introduced directly via the job interview repositories, but indirectly — through dependencies hosted on the npm and PyPI open-source package repositories.

Figure 2. Malicious dependency in one of the job tasks

In Figure 2 you can see an example of a package.json file containing a dependency to a package named graphnetworkx. This file is found in one of the repositories created by the targeted developers. In figure 3 you can see the repository landing page and a short description confirming it is a DevOps job candidate task.

Figure 3. Landing page for one of the victim created repositories

GitHub logs reveal that this repository was forked from one of the original veltrix-capital job task repositories, as visible in Figure 4. 

Figure 4. GitHub fork event

As the repository description says, the developers' role is to “run, debug and improve…” Everything after “run” is not important, because at that moment, the malicious dependency is installed and executed on the victim's machine. It is easy to create such job task repositories. Threat actors simply need to take a legitimate bare-bone project and fix it up with a malicious dependency and it is ready to be served to targets. In case one of the “fake” job offering campaigns being exposed as fake.

For example, the story surrounding the veltrix-capital company, there is a good chance that only the “job” story will be detected — and that the malicious payload and infrastructure responsible for its delivery doesn’t need to be changed. The threat actor only needs to prepare a new fake company and job offering. Such a modular approach shifts the burden of campaign support from expensive technical modifications to cheap social engineering activities.

Part 3: Recruiting

Several compromised developers were identified via repositories and contacted for more information about the incident. They confirmed they were approached by recruiters through various channels. Some of them came upon a job advertisement in forums like Reddit or dedicated Facebook Groups. Such examples are visible in Figures 5 and 6. 

Figure 5. Advertisement for a fake job position at Veltrix Capital posted on Reddit

Figure 6. Advertisement for a fake job position targeting DevOps, posted in a Facebook group

Some victims were approached directly by recruiters through social networks like LinkedIn. An example is visible in Figure 7.

Figure 7. Active recruiting through direct communication

It is not clear if these recruiters are fake, threat actor operated recruiter accounts, or real recruiters hired by the threat actor to make the offer look more trustworthy. Looking at recruiters that mentioned working for veltrix-capital, it appears as if these are real recruiters. RL contacted one of these recruiters and got a quick initial response, but after asking questions about the company, the conversation ended. 

Part 4: Malicious dependencies

The parts of the campaign described so far could be called “frontend” and the malicious functionality is placed in the “backend” and uses public package repositories like npm and PyPI to host malicious downloaders. This approach is very convenient for threat actors, because it offers them a free, legitimate channel for hosting their malicious payloads. At the same time, it enables them to use the same payloads across different frontend campaigns.

Malicious packages attributed to this campaign can be split into two groups based on the packages they are impersonating:

• The first group are packages with “graph” in their name that started appearing on npm and PyPI in May 2025. 
• The second group are packages with “big” in their name that started appearing on npm and PyPI in December 2025. 

The “graph” packages were impersonations of legitimate packages — graphlib in npm and networkx in PyPI. Use of these packages was observed in veltrix-capital related tasks. 

The “big” packages were not observed in any of veltrix-capital related tasks, so it is very likely that there is another, yet undiscovered, “frontend” operation in progress. As part of tracking this campaign, the package bigmathutils was identified. However, for a month since its publishing, it contained nothing malicious.

During that period it collected more than 10K downloads. Just before publication of this post on February 11, a new version, 1.1.0, of this package was published — and it contained the same payload observed in other packages from this campaign. This is an example of patience paying off for the threat actor, with the malicious version published after the initial user base was established. Shortly after publishing, the malicious version was removed from npm and the author issued a warning about the package being deprecated, so this action was very likely conducted by the threat actor to conceive the existence of the malicious version.    

More technical details about malicious payloads from the graphalgo campaign can be found in a forthcoming technical analysis of this campaign.

Part 5: Final payloads

The second-stage payloads RL observed acted as downloaders for the final payload, a remote-access trojan (RAT) that periodically fetches and executes commands from the command and control server. The command listing can be seen in Figure 8. It supports typical commands like file download/upload, process listing and running of arbitrary commands.

Figure 8. Commands supported by the final RAT payload

One interesting detail is that the communication with the C2 server is token-protected. That means that the C2 server won’t accept requests without a valid token issued from the server during agent registration or command request. This is something that was previously observed in campaigns attributed to North Korean state-sponsored actors. 

Another notable functionality of the RAT is checking if the Metamask browser extension is installed. This is another typical characteristic of NK- sponsored activities — and a clear sign that the threat actor is interested in cryptocurrency funds. 

Three versions of payload with identical functionality were identified, written in three different programming languages. JavaScript and Python versions were linked to npm and PyPI packages, but there is also a VBS version of the final RAT payload — identified by the SHA1 value dbb4031e9bb8f8821a5758a6c308932b88599f18, first seen on February 4, 2026. It is designed to communicate with the same C2 server codepool[.]cloud observed in “graph” named packages. This is another sign signaling existence of other “frontend” versions of the whole campaign.  

North Korean campaigns in OSS repositories

There is a long history of malicious activities conducted by North Korean threat actors in public package repositories like npm and PyPI. In August 2023, RL published two blog posts (see the first and second) describing malicious impersonations of legitimate PyPI packages downloading malware from attacker controlled infrastructure. Package trustworthiness was backed up with corresponding GitHub repositories. The campaign was dubbed VMConnect, and later attributed to Lazarus Group, the North Korean advanced persistent threat (APT) group that has been linked to a number of sophisticated campaigns. 

A year later, RL researchers uncovered the continuation of the VMConnect campaign — this time connected to a fake recruiter coding tests. Malicious PyPI packages were linked to GitHub repositories belonging to malicious actors. Looking at their content, all of them represented coding skills tests linked to job interviews. When the victim ran those packages while trying to do the interview, it would execute a downloader fetching the second-stage malware. Malicious actors posed  as Capital One, a major US financial services company.   

In 2023, a Phylum research report about a malware campaign targeting npm with malware distributed in package pairs, using a unique token mechanism to make malware detection harder. Later the same year Unit42 described methods North Korea state-sponsored threat actors use to spread malware. Since then, there has been a rise in malicious npm packages that can be easily attributed to the Lazarus Group. In 2024, Veracode wrote about npm packages downloading a second stage that would remove all proof of malicious code. Throughout 2025, Socket researchers detaileds npm packages that were all part of a campaign connected with Lazarus.

In this campaign, attribution to Lazarus Group was based on the similarity with the techniques used in their previous campaigns. Those include:

• Fake interviews as the approach vector
• Malicious coding tasks as the initial infection vector
• Blockchain and cryptotrading related targets
• Multistaged malware with several encryption layers
• Patience in publishing malicious versions with weeks passing between publication of the initial version of a package and the first malicious version
• Token-protected command and control (C2) communication
• GMT+9 timestamps (North Korea’s time zone) for git commits conducted by threat actors

Figure 9. Git commits with GMT+9 timezone timestamps

Sophistication is a mark of state-sponsored threat actors 

Evidence suggests that this is a highly sophisticated campaign. Its modularity, long-lived nature, patience in building trust across different campaign elements, and the complexity of the multilayered and encrypted malware point to the work of a state-sponsored threat actor.

Fake interviews as the initial contact vector, as well as a cryptocurrency-focused story and malware, together with other techniques mentioned in this blog post, point to North Korea’s Lazarus Group. This is likely the most prominent threat actor targeting popular open-source package repositories. Their footprint is continuously present in these ecosystems, and new malicious packages will certainly continue to appear for an extended period of time.

The modular approach in this campaign makes it easy for the threat actor to design frontend campaigns without the need to change backend services responsible for serving malicious payloads. A direct connection between “graph” named packages in npm and PyPI repositories, and the veltrix-capitalthemed job offerings is clear. 

At the same time, we still haven’t discovered the “frontend” campaign for “big” named packages nor for the freshly discovered VBS version of the final RAT payload. All these facts lead to a conclusion that this is an ongoing campaign and there are no signs of stopping. 

An upcoming RL research team analysis of the graphalgo campaign will contain technical details about malicious npm and PyPI packages related to this campaign — and ways to protect your organization from this and similar attacks.

Indicators of Compromise (IoCs)

Indicators of Compromise (IoCs) refer to forensic artifacts or evidence related to a security breach or unauthorized activity on a computer network or system. IoCs play a crucial role in cybersecurity investigations and cyber incident response efforts, helping analysts and cybersecurity professionals identify and detect potential security incidents.

The following IoCs were collected as part of RL's investigation of the graphalgo software supply chain campaign.

Network indicators:

codepool[.]cloud

aurevian[.]cloud

Final RAT payloads:

Package indicators: