Lazarus Campaign Plants Malicious Packages in npm and PyPI Ecosystems
Briefly

"As with many job-focused campaigns conducted by North Korean threat actors, the attack chain begins with establishing a fake company like Veltrix Capital in the blockchain and cryptocurrency trading space, and then setting up the necessary digital real estate to create an illusion of legitimacy. This includes registering a domain and creating a related GitHub organization to host several repositories for use in coding assessments. The repositories have been found to contain projects based on Python and JavaScript."
"Developers are approached via social platforms like LinkedIn and Facebook, or through job offerings on forums like Reddit, ReversingLabs researcher Karlo Zanki said in a report. The campaign includes a well-orchestrated story around a company involved in blockchain and cryptocurrency exchanges. Notably, one of the identified npm packages, bigmathutils, attracted more than 10,000 downloads after the first, non-malicious version was published, and before the second version containing a malicious payload was released."
Malicious packages were published to npm and PyPI as part of a coordinated campaign, codenamed graphalgo, that has been active since May 2025. Developers were approached via LinkedIn, Facebook, and job postings on Reddit under the guise of a fabricated blockchain and cryptocurrency trading company called Veltrix Capital. To appear legitimate, the operation registered domains and created GitHub organizations hosting coding-assessment repositories containing Python and JavaScript projects. The repositories themselves contained no overt malicious code; instead, the attackers introduced the malicious functionality indirectly through dependency packages they published to npm and PyPI, at least one of which reached over 10,000 downloads before a later version was weaponized.
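A defender-side check for the pattern described above (a clean first release of a young package, followed weeks later by a release that carries the payload), written as an added example and not code from the ReversingLabs report or The Hacker News. The registry metadata, package names, dates and age thresholds are constructed or assumed; only the `time` field layout of the public npm registry document is relied on.

```python
from datetime import datetime, timedelta, timezone

# Thresholds are assumptions; tune them to your own risk appetite.
MIN_PACKAGE_AGE_DAYS = 90   # flag packages first published more recently than this
RECENT_RELEASE_DAYS = 14    # flag packages whose newest version landed this recently

def _parse(ts: str) -> datetime:
    """Parse the ISO 8601 timestamps the npm registry uses (trailing 'Z' for UTC)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def assess_dependency(meta: dict, now: datetime) -> list[str]:
    """Risk flags for one package; meta["time"] maps version -> publish timestamp."""
    times = {v: _parse(t) for v, t in meta["time"].items()
             if v not in ("created", "modified")}
    first_seen = min(times.values())
    newest = max(times, key=times.get)
    flags = []
    if now - first_seen < timedelta(days=MIN_PACKAGE_AGE_DAYS):
        flags.append("young_package")
    if now - times[newest] < timedelta(days=RECENT_RELEASE_DAYS):
        # A fresh release on a young package is where the payload arrived in this campaign.
        flags.append(f"recent_release:{newest}")
    return flags

def assess_manifest(deps: dict, registry: dict, now: datetime) -> dict:
    """Map each name in a package.json 'dependencies' block to its flags."""
    return {name: assess_dependency(registry[name], now)
            for name in deps if name in registry}

# Constructed sample (hypothetical names): one package published clean in May 2025
# and re-released six weeks later, next to a long-established one.
SAMPLE_REGISTRY = {
    "examplemathutils": {"time": {
        "created": "2025-05-10T12:00:00Z", "1.0.0": "2025-05-10T12:00:00Z",
        "1.0.1": "2025-06-20T09:30:00Z", "modified": "2025-06-20T09:30:00Z"}},
    "long-established-lib": {"time": {
        "created": "2019-01-01T00:00:00Z", "4.0.0": "2019-01-01T00:00:00Z",
        "modified": "2019-01-01T00:00:00Z"}},
}
SAMPLE_DEPS = {"examplemathutils": "^1.0.0", "long-established-lib": "^4.0.0"}
SAMPLE_NOW = datetime(2025, 6, 25, tzinfo=timezone.utc)

def run_sample() -> dict:
    """Evaluate the constructed manifest at a fixed date so results are reproducible."""
    return assess_manifest(SAMPLE_DEPS, SAMPLE_REGISTRY, SAMPLE_NOW)

if __name__ == "__main__":
    print(run_sample())
```

Running it on a real coding-assessment repository means fetching each dependency's registry document and feeding it to `assess_manifest` before `npm install` or `pip install` is allowed to run.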
Read at The Hacker News