North Korean job scammers target JavaScript and Python developers with fake interview tasks spreading malware
Operation Dream Job is evolving once again
- Lazarus Group evolving Operation Dream Job campaign to target Web3 developers
- New “Graphalgo” variant uses malicious dependencies in legitimate bare-bone projects on PyPI/npm
- ReversingLabs found ~200 malicious packages spoofing libraries like graphlib, aiming to steal crypto
The notorious Lazarus gang is evolving its Operation Dream Job campaign to target even more software developers and steal even more crypto along the way.
Security researchers at ReversingLabs claim to have seen changes to the campaign starting May 2025. The new variant, dubbed ‘Graphalgo’, sees Lazarus take a legitimate bare-bone project and add a malicious dependency, which is then used in the attack.
For those unfamiliar with Operation Dream Job, it is an ongoing campaign created by North Korean state-sponsored hackers. They create fake job ads on LinkedIn and other platforms and offer enticing jobs to software developers working primarily in the Web3 (blockchain) industry.
Codename Graphalgo
During the “hiring process”, they ask the candidates to go through a few test assignments which always end up with the victims downloading and running malicious code. That code can be different, but the goal is always to empty their crypto wallets - be it standalone apps, browser add-ons, or accounts on popular crypto exchanges.
"It is easy to create such job task repositories. Threat actors simply need to take a legitimate bare-bone project and fix it up with a malicious dependency and it is ready to be served to targets," the researchers said. Most of these projects are hosted on legitimate platforms such as PyPI or npm, making it more difficult for the victims to spot the attack.
So far, ReversingLabs found almost 200 malicious packages.
The refresh was dubbed Graphalgo because all of the malicious packages had the prefix “graph” in their names and often spoofed regular libraries such as graphlib. More recently, “graph” was replaced with “big”, but the researchers have yet to find the recruiting part that goes with these packages.
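A dependency check a developer could run on a take-home repository before installing anything, added here as an example and not taken from ReversingLabs or this article: it flags PyPI/npm dependencies that carry the reported “graph” or “big” prefix or closely resemble a trusted library name. The allowlist, the similarity threshold and the sample manifests are assumptions, and the flagged package names are constructed.

```python
import json
import re
from difflib import SequenceMatcher

# Assumption: packages the reviewer already trusts; maintain your own list.
TRUSTED = {"graphlib", "graphql", "networkx", "requests", "express"}
# Name prefixes the article reports for this campaign's packages.
CAMPAIGN_PREFIXES = ("graph", "big")

def normalize(name):
    """Lowercase and collapse -, _ and . the way PyPI compares names."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text):
    """Package names from requirements.txt content (options/comments skipped)."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match:
            names.append(normalize(match.group(0)))
    return names

def parse_package_json(text):
    """Package names from every dependency section of a package.json."""
    data = json.loads(text)
    sections = ("dependencies", "devDependencies", "optionalDependencies")
    return [normalize(n) for s in sections for n in data.get(s, {})]

def review(names, trusted=TRUSTED):
    """Map each untrusted name to the reasons it needs a manual look."""
    findings = {}
    for name in names:
        if name in trusted:
            continue
        reasons = []
        if name.startswith(CAMPAIGN_PREFIXES):
            reasons.append("campaign prefix")
        close = sorted(t for t in trusted
                       if SequenceMatcher(None, name, t).ratio() >= 0.8)
        if close:
            reasons.append("resembles " + ", ".join(close))
        if reasons:
            findings[name] = reasons
    return findings

# Constructed sample manifests; the flagged package names are made up.
SAMPLE_REQUIREMENTS = "requests==2.31.0\ngraphlibz==0.1.2  # pinned\nnetworkx>=3.0\n"
SAMPLE_PACKAGE_JSON = '{"dependencies": {"express": "^4.18.0", "bigmathutil-demo": "1.0.0"}}'
```

A hit is a prompt to inspect the package and its publisher before installing, not proof of malice: legitimate libraries also start with “graph” or “big” and should be added to the allowlist once vetted.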
Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.