North Korea's Lazarus Group just got caught running a nine-month software supply chain operation that planted 192 malicious packages across npm and PyPI, all disguised behind fake crypto job offers and a company that doesn't exist. The RAT payload checks for your MetaMask wallet. The campaign is still active. Here's the full breakdown.
On February 11, 2026, researchers at ReversingLabs published findings on a campaign they've been tracking since it first appeared in May 2025. The operation, which they codenamed "Graphalgo" after the first malicious package discovered in the npm registry, represents the latest evolution of a North Korean state-sponsored effort to compromise developers through the software supply chain. The researcher who led the investigation, Karlo Zanki, documented a coordinated campaign spanning two major package ecosystems, multiple social media platforms, and at least three distinct programming languages for the final malware payload.
This isn't an isolated incident. It's a continuation of a pattern that stretches back to at least 2023, when the same threat actor ran the "VMConnect" campaign on PyPI. But Graphalgo is bigger, more patient, and far more modular than anything they've done before. Let's tear it apart.
The Campaign: What Is Graphalgo?
Graphalgo is a multi-stage software supply chain attack that weaponizes open-source package registries (npm for JavaScript, PyPI for Python) to deliver a remote access trojan to cryptocurrency-focused developers. The name comes from the first malicious package published to npm on May 2, 2025: graphalgo. That initial package was designed to mimic graphlib, a legitimate and widely-used JavaScript library for working with graph data structures. The real graphlib pulls over 2.7 million weekly downloads but hasn't been updated in six years, making it a perfect target for impersonation with a package that looks like a "newer version."
From that first package, the campaign expanded rapidly. By the time ReversingLabs went public with their findings, they had identified 192 malicious packages across both repositories. These fell into two distinct naming waves. The "graph" packages (names like graphalgo, graphnetworkx) started appearing in May 2025 on npm and June 2025 on PyPI. These packages directly impersonated popular graph algorithm libraries. The "big" packages (names like bigmathutils, bignumx, bigmathix) arrived starting in November 2025 on npm and December 2025 on PyPI, and took a different approach to trust-building that we'll get to in a moment.
On PyPI specifically, the researchers counted 56 packages with "graph" in the name and 30 with "big." On npm, 57 carried the "graph" prefix and 23 used "big," along with a handful of other names. Each new package shifted the location and name of the malicious payload file internally, but the code flow and infection logic stayed consistent throughout the entire nine-month operation.
As of the time of publication, new package variants and payload versions are still appearing. ReversingLabs identified a VBS version of the final RAT payload (SHA1: dbb4031e9bb8f8821a5758a6c308932b88599f18) first seen on February 4, 2026, and the "frontend" recruitment campaign linked to the "big" named packages and the VBS payload has not yet been discovered, suggesting additional lures are in play that haven't been identified.
The Social Engineering Playbook
The entry point for Graphalgo is pure social engineering, and it's well-crafted. The attackers built a complete fake company persona called "Veltrix Capital," supposedly a blockchain and cryptocurrency exchange firm. They registered domains including veltrixcap[.]org and veltrixcapital[.]ai, and set up corresponding GitHub organizations that hosted what appeared to be legitimate coding projects. The Veltrix Capital website, created around April 2025, listed no real leadership, no contact details, and no verifiable history. A red flag if you know to look for it, but not the kind of thing someone excited about a job opportunity is likely to notice.
The attackers then deployed this fake identity across multiple channels. They posted job advertisements on Reddit and in dedicated Facebook Groups looking for DevOps engineers and blockchain developers. They also directly messaged developers on LinkedIn through what appeared to be professional recruiter profiles. In some cases, the recruiter profiles appeared convincingly real, adding a layer of credibility. However, researchers noted that these fake recruiters would disengage quickly when questioned about the company's specifics.
Developers who engaged with the "recruiters" were given a coding assessment. This is completely normal in the tech hiring process, and that's exactly what makes it dangerous. The candidate would receive a link to a GitHub repository containing what looked like a standard coding skills test. The project appeared clean. The code looked legitimate. The assignment made sense for a DevOps or blockchain development role. But buried in the project's dependency configuration was a reference to one of the attacker-controlled malicious packages on npm or PyPI.
When the developer ran or debugged the project (because that's what you do during a coding test), the package manager automatically pulled in the malicious dependency. No manual download of suspicious files required. No obvious red flags in the code being evaluated. Just a standard npm install or pip install executing in the background.
The Technical Kill Chain
The infection chain is layered and designed to evade detection at every stage. Understanding how it works requires walking through the full sequence from poisoned package to active RAT.
Stage 1: The Poisoned Package
The initial malicious npm package, graphalgo, mimicked the legitimate graphlib library. The malicious payload was hidden in an added file named graph-init.min.js. Critically, this payload was not designed to execute on package installation (which is where many automated scanners look). Instead, it was wired into the constructor for the graph class itself. The first time a developer created a graph object in their code, the payload fired. This is a clever design choice because it means the malware only activates when the library is actually being used, not during a passive install scan.
The "big" packages took patience to another level. The npm package bigmathutils, for example, was initially published as a clean, legitimate math utility. It accumulated over 10,000 downloads in its benign form. Only after that trust was established did the attackers push version 1.1.0 containing the malicious payload, just before February 11, 2026. Shortly after, they marked the package as deprecated and removed it, attempting to erase traces of the weaponized release after it had already seeded infections across developer machines.
As the campaign progressed, the payload was moved and renamed in each new package. However, the code flow remained stable. Later packages added an additional layer of encryption that rendered the malicious code unusable unless invoked with a specific set of arguments, further complicating static analysis.
Stage 2: The GitHub Relay
When the poisoned package executes, it doesn't immediately pull down the final malware. Instead, it downloads what appears to be a non-malicious artifact hosted on GitHub and saves it to a specific filesystem location based on the victim's operating system. This intermediary step serves two purposes: it uses a trusted domain (GitHub) to host what looks like innocent code, making network-level detection harder, and it adds another layer of indirection between the initial infection and the final payload.
Stage 3: The Downloader
The artifact retrieved from GitHub acts as a second-stage downloader. Its job is to connect to the attacker's command-and-control infrastructure and pull down the final payload: the RAT. The PyPI variants added encryption to some parts of this stage, though ReversingLabs noted the encryption was relatively simple to break. The decryption function was the same one used to decrypt strings yielding the C2 URL for the second stage, meaning once you understood one layer, the others followed.
Stage 4: C2 Registration
Before the RAT becomes fully operational, the infected system sends system data as part of a registration step to the C2 server. The server responds with a token. All subsequent communication requires this token to be included in the request. Without a valid token, the C2 server rejects commands entirely. This token-based authentication mechanism prevents security researchers from simply querying the C2 infrastructure to analyze its behavior, because without completing the registration handshake, the server won't respond with anything useful.
This exact token-based C2 authentication pattern was previously observed in 2023 campaigns attributed to Jade Sleet (also known as TraderTraitor or UNC4899), a North Korean hacking subgroup within the broader Lazarus umbrella. The mechanism works as a form of access control: only systems that have completed the full infection chain and registered with the server can receive commands.
The RAT: What It Does Once You're Owned
The final payload is a fully functional remote access trojan that periodically contacts the C2 server to fetch and execute commands. ReversingLabs identified three distinct versions of this RAT, written in JavaScript, Python, and Visual Basic Script (the VBS variant being the newest, first seen on February 4, 2026). All three versions communicate with the same C2 infrastructure, including the server at codepool[.]cloud observed in the graph-named packages.
The RAT's command set covers the standard toolkit for remote system control. It can gather system information including hostname, OS version, and hardware details. It can enumerate files and directories across the filesystem. It can list running processes. It can create, rename, and delete folders and files. It supports both uploading files from the victim's system to the attacker's infrastructure and downloading additional payloads to the victim machine. And it can execute arbitrary commands on the infected system.
But here's the detail that tells you exactly what this is about: the RAT checks whether the MetaMask browser extension is installed on the victim's machine. MetaMask is one of the primary wallet interfaces for managing Ethereum and ERC-20 tokens. If you're a cryptocurrency developer running this code on a machine that also manages crypto wallets or has access to development environments that handle digital assets, the attackers now have a direct line to your funds.
Attribution: Why This Points to Lazarus
ReversingLabs attributes the Graphalgo campaign to North Korea's Lazarus Group with medium-to-high confidence, and the evidence trail is substantial. It's not a single indicator but a convergence of tradecraft patterns that have been observed across multiple documented North Korean operations.
The fake job interview as an initial infection vector is one of Lazarus Group's most consistent and well-documented tactics. They used it in the VMConnect campaign in 2023, in the "Operation Dream Job" campaigns dating back to 2020, and in the more recent "Operation Marstech Mayhem" tracked by SecurityScorecard. The cryptocurrency-focused targeting and social engineering narratives align with North Korea's strategic priority of funding its weapons programs through crypto theft. The token-protected C2 communication matches infrastructure patterns seen in Jade Sleet/TraderTraitor operations. The delayed activation of malicious code after building download trust mirrors the patience characteristic of state-sponsored operations.
Then there are the git commit timestamps. The commits in the campaign's repositories are timestamped in GMT+9, which is North Korea's time zone. While timestamps can be spoofed, this detail is consistent with the broader body of evidence. The multi-stage, multi-layer encryption approach to the malware, the use of GitHub as an intermediary hosting platform, and the modular campaign design that allows front-end lures to be swapped while back-end infrastructure stays constant all match the operational signature of Lazarus Group campaigns documented by Phylum, Unit 42, Veracode, Socket, and multiple other security firms.
The Bigger Picture: Lazarus and the Billion-Dollar War on Crypto
This campaign doesn't exist in a vacuum. It's one node in what has become the single largest state-sponsored crypto theft operation in history. To understand why North Korea invests this much effort in targeting individual developers, you need to see the numbers.
In February 2025, Lazarus Group executed the $1.5 billion Bybit heist, the largest cryptocurrency theft ever recorded, in which the attackers manipulated the Safe{Wallet} frontend interface to redirect funds during what appeared to be a routine cold-to-hot wallet transfer. The FBI officially attributed the attack to TraderTraitor, part of the Lazarus Group umbrella. That single theft exceeded what North Korean-linked groups stole in all of 2024. According to Chainalysis, DPRK-affiliated actors were responsible for approximately $1.3 billion in crypto theft across 47 incidents in 2024, representing 61% of all cryptocurrency stolen globally that year.
By the end of 2025, the annual total attributed to North Korean groups had climbed to an estimated $2 billion to $2.17 billion, representing between 64% and 80% of all cryptocurrency theft worldwide. Elliptic estimates total DPRK crypto theft at more than $6 billion since 2017. The United Nations has tracked dozens of incidents over a five-year period netting the regime approximately $3 billion, funds that are widely assessed to support North Korea's nuclear and ballistic missile programs.
Campaigns like Graphalgo serve this larger machine. They're not about the individual developer's MetaMask wallet (though they'll take that too). They're about establishing persistent access to development environments where cryptocurrency infrastructure is built, tested, and deployed. One compromised developer at the right company can give Lazarus Group the footholds they need for the next nine-figure heist.
Defense: How to Not Get Recruited Into a Backdoor
The modular design of Graphalgo means Lazarus can swap out the "frontend" (the fake company, the recruiter profiles, the job listings) while keeping the same backend infection infrastructure. Veltrix Capital will disappear. Something else will replace it. The package names will change. The technique won't. Here's how to protect yourself and your organization.
For Individual Developers
Never run code from a job interview on your primary development machine. Use a sandboxed VM or container with no access to your real wallets, credentials, or SSH keys. Before running any project, examine the dependency list carefully. Look up unfamiliar packages on npm or PyPI. Check their download counts, publication dates, maintainer history, and whether they're mimicking known libraries. Be skeptical of unsolicited recruiter messages, especially those tied to crypto or blockchain companies you can't independently verify. Check the company's domain registration date, leadership team, and presence on established platforms. If a recruiter disengages when you ask specific questions about the company, that's your answer.
For Security Teams
Implement Software Composition Analysis (SCA) tools that scan dependencies at install time, not just in code review. Monitor for unexpected network connections from developer machines, particularly to newly registered domains or C2 patterns. Use allowlists for approved package registries in your CI/CD pipelines where feasible. Conduct regular audits of project dependencies, watching for packages that suddenly change ownership, release patterns, or code structure after a period of benign activity. Ensure developer workstations are segmented from production infrastructure and cryptocurrency management systems.
Known IOCs
ReversingLabs has published a comprehensive list of indicators of compromise associated with the Graphalgo campaign. Key indicators to monitor include the C2 domain codepool[.]cloud, the VBS RAT payload SHA1 dbb4031e9bb8f8821a5758a6c308932b88599f18, and any npm or PyPI packages with "graph" or "big" prefixes from unknown maintainers that reference the Veltrix Capital GitHub organizations. The full IOC list is available in the ReversingLabs technical report.
# Key domains and infrastructure to block/monitor:
codepool[.]cloud # C2 server for graph-named packages
veltrixcap[.]org # Fake company domain
veltrixcapital[.]ai # Fake company domain
# VBS RAT payload hash:
SHA1: dbb4031e9bb8f8821a5758a6c308932b88599f18
# Package name patterns to flag in dependency audits:
npm: graphalgo, graphnetworkx, bigmathutils, bignumx, bigmathix
PyPI: graphalgo, bigmathix (+ 186 additional variants)Key Takeaways
- Supply chain attacks are getting more patient: Lazarus spent nine months building out this campaign, publishing clean packages first to accumulate thousands of downloads before weaponizing them. Automated scanners that only check packages at publication time will miss this pattern entirely.
- Fake job interviews are a proven infection vector: This isn't new for Lazarus. From VMConnect in 2023 to Operation Dream Job and now Graphalgo, developer recruitment lures are a consistent and effective tactic. If you're in crypto or blockchain development, treat unsolicited job offers with the same skepticism you'd apply to a phishing email.
- The modular design means this won't stop: Graphalgo's architecture separates the social engineering frontend from the malware backend. The attackers can launch new campaigns with different fake companies and package names while reusing the same RAT infrastructure. Veltrix Capital is already burned, but the next front company is likely already being built.
- This is economic warfare, not just cybercrime: With over $6 billion stolen since 2017 and an operational tempo that's only accelerating, North Korea's software supply chain attacks are a strategic revenue stream funding weapons programs. Every compromised developer environment is a potential stepping stone to the next billion-dollar heist.
- Your MetaMask extension is a target indicator: The RAT specifically checks for MetaMask. If you're a developer who manages crypto assets on the same machine where you evaluate code, you are the exact target profile for this campaign.
The Graphalgo campaign is a textbook example of what happens when nation-state resources meet open-source trust. The open-source ecosystem's greatest strength, that anyone can publish and share code, is also its greatest vulnerability when the publisher is a state-sponsored threat actor with the patience to play the long game. ReversingLabs' Zanki put it plainly: the modularity, the patience in building trust, and the complexity of the multilayered malware all point to the work of a state-sponsored actor. This campaign isn't over. Defend accordingly.