Ethical Hacking News
A fresh set of malicious packages linked to the Lazarus Group, a North Korea-linked hacking group, has been discovered in the npm and PyPI ecosystems. The packages are built to steal sensitive data and enable financial theft, and they are delivered through a campaign that includes fake companies and fake recruiters. The packages ultimately deploy a remote access trojan (RAT) that fetches and executes commands from an external server, with command-and-control (C2) traffic gated by a token so that only requests carrying a valid token are accepted. Separately, a recently discovered npm package, "duer-js", carries a Windows information stealer called Bada Stealer that harvests browser credentials, cryptocurrency wallet details and system information. Both findings show that state-sponsored actors continue to exploit public repositories for malicious purposes.
The Lazarus Group has been linked to a fresh set of malicious packages across the npm and PyPI repository ecosystems. The campaign has been codenamed "graphalgo", after the first package published to the npm registry, and is assessed to have been active since May 2025.
According to ReversingLabs researcher Karlo Zanki, the campaign begins with establishing a fake company like Veltrix Capital in the blockchain and cryptocurrency trading space, followed by setting up the necessary digital real estate to create an illusion of legitimacy. The attackers then approach developers via social platforms such as LinkedIn and Facebook or through job offerings on forums like Reddit.
One of the identified npm packages, bigmathutils, attracted over 10,000 downloads after the first, non-malicious version was published and before the second version, containing the malicious payload, was released. This benign-first pattern matters for defenders: a package that was clean when it was reviewed can turn malicious in a later release, so exact version pinning and re-review on every upgrade are the relevant controls. The package names are listed below:
npm
graphalgo
graphorithm
graphstruct
graphlibcore
netstruct
graphnetworkx
terminalcolor256
graphkitx
graphchain
graphflux
graphorbit
graphnet
graphhub
terminal-kleur
graphrix
bignumx
bignumberx
bignumex
bigmathex
bigmathlib
bigmathutils
graphlink
bigmathix
graphflowx
PyPI
graphalgo
graphex
graphlibx
graphdict
graphflux
graphnode
graphsync
bigpyx
bignum
bigmathex
bigmathix
bigmathutils
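A practitioner's first question on reading a list like this is whether any of the names are already in a project's lock files. The script below is an added example (not from the article, ReversingLabs or the package authors): it parses a package-lock.json and a requirements.txt, matches entries against the names listed above, and additionally flags pip requirements that are not pinned to an exact version, since the campaign relied on a clean first release followed by a malicious one. The manifests and version numbers in the sample are constructed for the demonstration.

```python
"""Audit dependency manifests against the package names listed in the article.

Added example, not part of the original article. The sample lock file and
requirements file below are constructed; real use reads them from disk.
"""
import json
import re

# Package names exactly as listed in the article (ecosystem -> names).
NPM_IOCS = {
    "graphalgo", "graphorithm", "graphstruct", "graphlibcore", "netstruct",
    "graphnetworkx", "terminalcolor256", "graphkitx", "graphchain", "graphflux",
    "graphorbit", "graphnet", "graphhub", "terminal-kleur", "graphrix", "bignumx",
    "bignumberx", "bignumex", "bigmathex", "bigmathlib", "bigmathutils",
    "graphlink", "bigmathix", "graphflowx",
}
PYPI_IOCS = {
    "graphalgo", "graphex", "graphlibx", "graphdict", "graphflux", "graphnode",
    "graphsync", "bigpyx", "bignum", "bigmathex", "bigmathix", "bigmathutils",
}


def npm_lock_packages(lock_text):
    """Yield (name, version) for every entry of a lockfileVersion 2/3 package-lock.json.

    Keys look like "node_modules/foo" or "node_modules/a/node_modules/foo";
    the empty key is the root project and is skipped.
    """
    lock = json.loads(lock_text)
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        yield name, meta.get("version", "")


def pip_requirements(req_text):
    """Yield (name, specifier) from a requirements.txt, name normalised per PEP 503."""
    for line in req_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)", line)
        if m:
            name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
            yield name, m.group(2).strip()


def audit(lock_text, req_text):
    """Return findings as (ecosystem, name, version_or_spec, reason) tuples.

    Unpinned pip ranges are reported because a clean release can be followed by
    a malicious one; the lock file already pins npm versions exactly.
    """
    findings = []
    for name, ver in npm_lock_packages(lock_text):
        if name in NPM_IOCS:
            findings.append(("npm", name, ver, "listed package name"))
    for name, spec in pip_requirements(req_text):
        if name in PYPI_IOCS:
            findings.append(("pypi", name, spec, "listed package name"))
        if not spec.startswith("=="):
            findings.append(("pypi", name, spec, "not pinned to an exact version"))
    return findings


# Constructed sample manifests; package versions here are invented.
SAMPLE_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "version": "1.0.0"},
        "node_modules/express": {"version": "4.19.2"},
        "node_modules/bigmathutils": {"version": "1.0.2"},
        "node_modules/foo/node_modules/graphflux": {"version": "0.3.1"},
    },
})
SAMPLE_REQS = "requests==2.32.3\ngraphalgo>=0.1  # constructed entry\nbignum\n"

if __name__ == "__main__":
    for eco, name, ver, reason in audit(SAMPLE_LOCK, SAMPLE_REQS):
        print(f"{eco:5} {name:15} {ver or '(any)':10} {reason}")
```

A name match alone is not proof of compromise, since a lock file may hold the benign first release; the match tells you which machines ran an install and therefore which hosts need the RAT and stealer checks that follow.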
The malicious packages ultimately act as a conduit to deploy a remote access trojan (RAT) that periodically fetches and executes commands from an external server. The RAT supports various commands to gather system information, enumerate files and directories, list running processes, create folders, rename files, delete files, and upload/download files.
Interestingly, the command-and-control (C2) communication is protected by a token-based mechanism to ensure that only requests with a valid token are accepted. This approach was previously observed in 2023 campaigns linked to a North Korean hacking group called Jade Sleet, which is also known as TraderTraitor or UNC4899.
The modularity, long-lived nature, patience, and complexity of the multilayered, encrypted malware, together with the investment in fake companies and recruiters to build trust with targets, point to the work of a state-sponsored threat actor.
Furthermore, JFrog has uncovered another malicious npm package called "duer-js" published by a user named "luizaearlyx." While the library claims to be a utility to "make the console window more visible," it harbors a Windows information stealer called Bada Stealer. The Bada Stealer is capable of gathering Discord tokens, passwords, cookies, and autofill data from Google Chrome, Microsoft Edge, Brave, Opera, and Yandex Browser, cryptocurrency wallet details, and system information.
Bada Stealer exfiltrates the gathered data to a Discord webhook, with the Gofile file-storage service used as a backup channel. The package is a further instance of North Korean state-sponsored actors exploiting open-source ecosystems for financial gain.
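Two of the behaviours described above leave network traces a defender can hunt for: the RAT "periodically fetches" commands from its server, and the stealer posts data to a Discord webhook with Gofile as a fallback. The script below is an added example (not from the article, ReversingLabs or JFrog) that runs both checks over an egress proxy log: it flags (source, destination) pairs whose request intervals are suspiciously regular, and it flags requests to the Discord webhook API path and to gofile.io hosts. The log lines, their format, the polling path and the exact Gofile upload host are constructed assumptions; Discord webhooks really do live under discord.com/api/webhooks/, but the server address and timings here are invented.

```python
"""Hunt for RAT beaconing and stealer exfiltration in an egress proxy log.

Added example, not from the article or its sources. The log format
(timestamp source method host path) and every line below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one host polled roughly every 60 s with little jitter,
# one Discord webhook POST, one Gofile upload, and ordinary registry traffic.
SAMPLE_LOG = """\
2026-02-18T09:00:00Z 10.0.0.5 GET 198.51.100.7 /c/poll
2026-02-18T09:00:10Z 10.0.0.5 GET registry.npmjs.org /express
2026-02-18T09:01:01Z 10.0.0.5 GET 198.51.100.7 /c/poll
2026-02-18T09:02:00Z 10.0.0.5 GET 198.51.100.7 /c/poll
2026-02-18T09:03:02Z 10.0.0.5 GET 198.51.100.7 /c/poll
2026-02-18T09:04:00Z 10.0.0.5 GET 198.51.100.7 /c/poll
2026-02-18T09:10:42Z 10.0.0.5 POST discord.com /api/webhooks/1234/xyz
2026-02-18T09:10:50Z 10.0.0.5 PUT upload.gofile.io /uploadfile
2026-02-18T09:21:00Z 10.0.0.5 GET registry.npmjs.org /lodash
"""


def parse(log_text):
    """Parse the constructed format into dicts with a datetime timestamp."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, method, host, path = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "method": method, "host": host, "path": path,
        })
    return records


def beacon_candidates(records, min_hits=4, max_cv=0.1):
    """Return (src, host, mean_interval_s, cv) for pairs that poll at a steady rate.

    cv is the coefficient of variation of the inter-request gaps; human browsing
    and package installs are bursty (high cv), a polling loop is not (low cv).
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["host"])].append(r["ts"])
    out = []
    for (src, host), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            out.append((src, host, avg, cv))
    return out


def exfil_hits(records):
    """Return requests to the Discord webhook API or any gofile.io host.

    The webhook path prefix is Discord's real API layout; the gofile.io host
    match is deliberately broad because upload hosts vary (assumption).
    """
    hits = []
    for r in records:
        discord = r["host"] == "discord.com" and r["path"].startswith("/api/webhooks/")
        gofile = r["host"] == "gofile.io" or r["host"].endswith(".gofile.io")
        if discord or gofile:
            hits.append(r)
    return hits


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for src, host, avg, cv in beacon_candidates(recs):
        print(f"beacon-like: {src} -> {host} every {avg:.0f}s (cv={cv:.3f})")
    for r in exfil_hits(recs):
        print(f"exfil channel: {r['src']} {r['method']} {r['host']}{r['path']}")
```

The interval check is the one that generalises: it does not depend on knowing the C2 address or the token, only on the polling behaviour the article describes, so it also catches a rebuilt RAT pointed at new infrastructure. Tune min_hits and max_cv against a baseline of your own environment before alerting on it, since legitimate agents (monitoring, update checkers) also poll on a timer.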
Taken together, the graphalgo campaign and the duer-js package show the same pattern: trust built through fake companies, fake recruiters and clean initial releases, followed by a payload aimed at credentials, wallets and financial theft. Defenders should treat the listed names as indicators, pin and re-review dependencies on every upgrade, and watch egress traffic for the RAT's periodic polling and the stealer's webhook and file-host exfiltration.
Related Information:
https://www.ethicalhackingnews.com/articles/Lazarus-Campaign-Plants-Malicious-Packages-in-npm-and-PyPI-Ecosystems-Steals-Sensitive-Data-and-Conducts-Financial-Theft-ehn.shtml
https://thehackernews.com/2026/02/lazarus-campaign-plants-malicious.html
https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/
https://github.blog/security/vulnerability-research/security-alert-social-engineering-campaign-targets-technology-industry-employees/
https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-108a
https://www.fbi.gov/news/press-releases/fbi-dc3-and-npa-identification-of-north-korean-cyber-actors-tracked-as-tradertraitor-responsible-for-theft-of-308-million-from-bitcoindmmcom
https://thehackernews.com/2025/07/n-korean-hackers-used-job-lures-cloud.html
https://cloud.google.com/blog/topics/threat-intelligence/north-korea-supply-chain/
https://cybersecuritynews.com/sophisticated-duer-js-npm-package-distributes-bada-stealer-malware/
https://research.jfrog.com/post/duer-js-malicious-package/
https://en.wikipedia.org/wiki/Lazarus_Group
https://www.picussecurity.com/resource/blog/lazarus-group-apt38-explained-timeline-ttps-and-major-attacks
Published: Wed Feb 18 16:59:16 2026 by llama3.2 3B Q4_K_M