Fake Job Recruiters Use Coding Challenges to Deliver Malware to Developers

What happened

Threat actors posing as job recruiters have been targeting developers with fake coding challenges designed to install malware on their systems. According to research from ReversingLabs, the attackers create fake companies in the blockchain and cryptocurrency sectors and post job offers on platforms such as LinkedIn, Facebook, and Reddit. Developers are instructed to download and run project code as part of the hiring process, but these repositories include malicious dependencies hosted on legitimate package registries like npm and PyPI. Once executed, the malicious packages install a remote access trojan (RAT) that can execute commands, exfiltrate files, and deploy additional payloads on compromised systems. Researchers identified 192 malicious packages tied to the campaign, dubbed Graphalgo, and attributed it with medium-to-high confidence to the Lazarus Group, based on similarities in tactics and infrastructure.

Who is affected

JavaScript and Python developers who are approached by the fake recruiters and instructed to run the malicious coding challenges are affected. Executing the compromised projects installs RAT malware capable of remote command execution and data exfiltration.

Why CISOs should care

The campaign demonstrates how software supply chains and developer workflows can be exploited through recruitment processes, enabling attackers to bypass traditional defenses and compromise systems via trusted development tools and repositories. 

3 practical actions

  • Audit developer environments. Identify and remove malicious npm and PyPI dependencies associated with the campaign. 
  • Monitor for unauthorized remote access activity. Detect RAT behavior such as command execution and file exfiltration from developer systems. 
  • Strengthen developer security awareness. Educate developers about risks associated with executing unverified coding challenges from unsolicited job offers.
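
For the first action, the following added example (not code from ReversingLabs or from the campaign) reads a project's npm and PyPI manifests as plain text and reports any declared dependency that appears on an indicator list. The blocklist entries and the sample project are constructed placeholders; substitute the package names published in the vendor report.

```python
import json
import re
import tempfile
from pathlib import Path

# Constructed placeholder indicators; replace with the package names
# published in the vendor report. These are NOT real campaign packages.
BLOCKLIST = {("npm", "example-bad-graph-lib"), ("pypi", "example-bad-algo")}
NPM_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")


def normalize_pypi(name):
    """PEP 503 normalization, so 'Example_Bad.Algo' matches 'example-bad-algo'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def declared_dependencies(project_dir):
    """Read manifests as text only; nothing in the project is executed."""
    found = set()
    root = Path(project_dir)
    for manifest in root.rglob("package.json"):
        if "node_modules" in manifest.parts:
            continue  # only first-party manifests; installed trees are out of scope
        data = json.loads(manifest.read_text(encoding="utf-8"))
        for section in NPM_SECTIONS:
            for name in data.get(section, {}):
                found.add(("npm", name.lower()))
    for manifest in root.rglob("requirements*.txt"):
        for line in manifest.read_text(encoding="utf-8").splitlines():
            line = line.split("#", 1)[0].strip()
            match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
            if match:  # skips blanks and option lines such as "-r other.txt"
                found.add(("pypi", normalize_pypi(match.group(0))))
    return found


def audit(project_dir, blocklist=BLOCKLIST):
    """Return the blocklisted dependencies a project declares, sorted."""
    return sorted(declared_dependencies(project_dir) & set(blocklist))


def demo():
    """Build a constructed sample challenge repo and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "package.json").write_text(json.dumps(
            {"dependencies": {"express": "^4.0.0", "example-bad-graph-lib": "1.0.0"}}))
        Path(tmp, "requirements.txt").write_text(
            "requests>=2.0  # pinned elsewhere\n-r dev.txt\nExample_Bad.Algo==0.3\n")
        return audit(tmp)
```

Because the check only parses manifest files, it can be run on a downloaded project before any `npm install` or `pip install` step.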