Lazarus Group 'Graphalgo' Fake-Recruiter npm/PyPI Campaign
Summary
The 'graphalgo' campaign is a North Korean state-sponsored software supply-chain operation attributed to the Lazarus Group, active since at least May 2025 and publicly disclosed in February 2026. Threat actors impersonate cryptocurrency-sector recruiters using fabricated companies — most notably 'Veltrix Capital' — to deliver coding-assessment repositories seeded with malicious npm and PyPI packages that install a remote-access trojan (RAT) targeting developer systems and cryptocurrency wallets. By April 2026 the campaign had respawned under new personas including 'Blockmerce' and 'Bridgers Finance', with operatives registering a real U.S. LLC to enhance credibility.
Timeline (13 events)

2025-04-04
Domain veltrixcap[.]org registered, establishing fake Veltrix Capital infrastructure.
Source: ReversingLabs — Inside the 'graphalgo' campaign

2025-05-01
Alleged start of recruitment outreach via LinkedIn, Facebook, and Reddit under the Veltrix Capital persona.
Source: The Hacker News

2025-05-02
First malicious npm package, graphalgo version 2.2.6, published to the npm registry.
Source: ReversingLabs — Inside the 'graphalgo' campaign

2025-06-13
First malicious PyPI package, graphalgo, published to the Python Package Index.
Source: ReversingLabs — Inside the 'graphalgo' campaign

2025-08-01
Blocmerce LLC registered as a real Florida LLC with fake CEO 'Alexandre Miller', pre-positioning for the campaign's next persona phase.
Source: HackRead — GraphAlgo Scam: Lazarus Hackers Register Real US LLCs

2025-09-21
Backup domain veltrixcapital[.]ai registered.
Source: ReversingLabs — Fake recruiter campaign targets crypto developers with RAT

2025-11-17
'Big'-prefixed npm package wave begins, starting with bignumx and bignum.
Source: ReversingLabs — Inside the 'graphalgo' campaign

2026-01-01
bigmathutils accumulates over 4,200 weekly downloads; no malicious payload present in published versions yet.
Source: ReversingLabs — Inside the 'graphalgo' campaign

2026-02-04
VBS payload variant identified by researchers.
Source: ReversingLabs — Fake recruiter campaign targets crypto developers with RAT

2026-02-11
Malicious bigmathutils version 1.1.0 published; the package had exceeded 10,000 cumulative downloads. The malicious version was subsequently removed and the package marked deprecated.
Source: ReversingLabs — Fake recruiter campaign targets crypto developers with RAT

2026-02-15
ReversingLabs publicly discloses the graphalgo campaign; widespread coverage by The Hacker News, Security Affairs, GBHackers, SC Media, and others.
Source: Security Affairs

2026-04-01
ReversingLabs documents the campaign's respawn under the Blockmerce and Bridgers Finance personas, with new C2 domain huvaret[.]art and a shift to GitHub release artifact delivery.
Source: ReversingLabs — Graphalgo campaign respawned

Decision Log
- hash: 2eqqBHujYKL3gGS4JjNip7SqejcNnCPJK8eo9BGNw2Z9
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-code-investigator
generated: 6/8/2026, 1:21:52 AM
last updated: 6/8/2026, 1:21:57 AM
avoid.net — verified advice for a post-truth world