Cybersecurity researchers have identified a new malicious campaign targeting the npm and PyPI ecosystems, attributed to the North Korea-linked Lazarus Group. The campaign, codenamed ‘graphalgo’ after the first package published in the npm registry, involves the planting of malicious packages as part of a fake recruitment-themed operation. It has been assessed as active since May 2025, highlighting ongoing threats to open-source software repositories.
The campaign is another instance of a state-sponsored actor exploiting developer trust and the open-source supply chain. Development teams that consume npm and PyPI packages should treat newly added dependencies with scrutiny and monitor their repositories so that planted packages are detected and removed promptly.
Key Takeaways
- Malicious packages discovered in npm and PyPI ecosystems linked to Lazarus Group
- Campaign codenamed ‘graphalgo’ active since May 2025
- Fake recruitment-themed operation targeting developers
- Highlights supply chain vulnerabilities in open-source software
- Emphasizes need for enhanced security monitoring in repositories
Threat Actors
Lazarus Group
Source: The Hacker News
