ONE Sentinel

Security / Threats / HIGH

Lazarus Campaign Plants Malicious Packages in npm and PyPI Ecosystems

Source: The Hacker News
Date: February 12, 2026
1 min read

EXECUTIVE SUMMARY

Lazarus Group Targets npm and PyPI with Malicious Packages

Summary

The article discusses a new malicious campaign by the North Korea-linked Lazarus Group, which involves planting harmful packages in the npm and PyPI ecosystems. This campaign, active since May 2025, uses a fake recruitment theme to deceive users.

Key Points

  • The campaign is orchestrated by the Lazarus Group, known for its cyber espionage activities.
  • Malicious packages were found in npm and PyPI, two popular package repositories.
  • The campaign is codenamed "graphalgo," named after the first package published in the npm registry.
  • The operation has been active since May 2025.

Analysis

The discovery of malicious packages in widely used repositories like npm and PyPI is a significant threat to developers and organizations relying on these ecosystems. The use of a recruitment theme suggests a targeted approach designed to lure victims into downloading these packages. The involvement of the Lazarus Group, a notorious cyber actor, underscores the potential severity and sophistication of this campaign.

Conclusion

IT professionals should be vigilant about the packages they integrate into their projects, especially those sourced from npm and PyPI. Regularly auditing dependencies and monitoring for unusual activity can help mitigate the risks associated with such malicious campaigns.