Graphalgo, the recruitment scam that makes you run code and steals your cryptocurrency

Published · 5 min read · 153 reads

The computer security community has been warning for months about impersonation campaigns linked to job offers, but the latest public report raises the deception to another level: attackers not only fabricate fake companies and attractive job ads for developers, but also build technical exercises designed so that the victim runs code that installs malware. According to ReversingLabs, a variant of this scam, nicknamed "Graphalgo" by the researchers, has been active since at least May 2025 and specifically targets JavaScript and Python developers with cryptocurrency-related tasks.

The strategy is elegant and dangerous: the operators create corporate identities in the blockchain and trading sector, publish offers and technical tests on public platforms such as LinkedIn, Facebook or Reddit, and then ask candidates to download, run or debug a sample repository to demonstrate their skills. This seemingly innocent repository contains a dependency that points to packages published in the official registries (npm and PyPI). Instead of useful code, these dependencies act as downloaders that install a remote access trojan (RAT) on the developer's machine.


ReversingLabs identified a large set of packages: 192 malicious packages associated with the campaign, distributed between npm and PyPI. In some cases popular packages were benign in their initial versions and acquired malicious functionality in later updates; as an example, they mention a package with thousands of downloads that turned hostile in version 1.1.0 and was marked "deprecated" shortly afterwards, a maneuver that makes tracking harder.

The name Graphalgo comes from the recurring string "graph" in many of the package names, although from December 2025 the attackers varied the naming and published modules with "big" in their names. The GitHub repositories that serve as a front are usually clean and look normal at first sight; the infection arrives through external dependencies, which complicates detection for a candidate who only wants to demonstrate their technical ability. ReversingLabs also documents the use of GitHub organizations to group the projects, another sign that the attacker seeks to give a legitimate and collaborative appearance.

The malware delivered through these dependencies has the typical capabilities of a backdoor: listing processes, running remote commands according to instructions from the command and control (C2) server, exfiltrating files and downloading additional payloads. A revealing detail is that the code checks for the presence of cryptocurrency wallet extensions such as MetaMask in the user's browser, which clearly points to a financial objective: stealing digital assets or the associated credentials.

The campaign architecture shows calculated modularity: the malicious packages act as lightweight downloaders that then fetch a more complete RAT. This modularity makes it easier for the operation to resume even if some components are detected and removed. The researchers found malware variants written in JavaScript, Python and even VBS, aiming to cover both modern development environments and Windows machines with different configurations.

In its attribution, ReversingLabs considers the Lazarus group, linked to North Korea, the main suspect, with medium to high confidence. The reasoning rests on several elements: the choice of target (actors linked to cryptocurrency), the use of coding challenges as an infection vector (a technique observed in previous campaigns), the delayed activation of the malicious code in some packages, and metadata such as commit timestamps in GMT+9. For those who want context and background on this actor, organizations like MITRE maintain technical profiles of known threat groups: MITRE ATT&CK - Lazarus.

The most disturbing aspect is how easily a distracted developer can become a victim: running a coding test on a machine with broad permissions or with exposed credentials can be enough to get a backdoor installed and lose control of accounts and keys. ReversingLabs even contacted several programmers who had fallen into the trap to better understand the recruitment and code-execution flow. The indicators of compromise (IoC) and technical details are available in the researchers' original report for those who need to check specific packages or artifacts: ReversingLabs report.

From the point of view of risk management and digital hygiene, the Graphalgo case again highlights several practical lessons for professionals and teams that consume third-party dependencies. It is not enough to trust that a package is in an official registry; it is necessary to review the supply chain, isolate the execution of unknown code and maintain strict policies on privileges and tokens. GitHub and the package registries have published guides and tools to strengthen software supply chain security: a useful read is GitHub's documentation on how to protect the supply chain (GitHub Security Guide), while npm and PyPI maintain pages with security policies and recommendations for package authors and consumers (Security in npm, Security in PyPI).
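As an added example (not code from ReversingLabs or from this article), the following Python audit applies two of the warning signs described above, a later release that introduces install-time scripts and a version marked deprecated, to npm-style registry metadata before anyone runs an install. The package name, versions, scripts and timestamps are constructed for the example, and the name-token check only reflects the naming pattern the article reports.

```python
import json

# Constructed npm-style registry metadata ("packument") for a hypothetical package.
# Name, versions, scripts and timestamps are made up for this example.
SAMPLE_PACKUMENT = json.loads("""
{
  "name": "graph-algo-helpers",
  "versions": {
    "1.0.0": {"scripts": {"test": "node test.js"}},
    "1.1.0": {"scripts": {"test": "node test.js", "postinstall": "node lib/setup.js"},
              "deprecated": "package no longer maintained"}
  },
  "time": {"1.0.0": "2025-05-02T10:00:00.000Z", "1.1.0": "2025-09-14T08:30:00.000Z"}
}
""")

# npm lifecycle scripts that run automatically on install, i.e. without the
# developer ever importing the package.
INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
# Naming tokens the article reports for this campaign; a weak signal on its own.
NAME_TOKENS = ("graph", "big")


def audit_packument(pkg: dict) -> list[str]:
    """Return findings describing risky changes across a package's release history."""
    findings: list[str] = []
    name = pkg.get("name", "")
    if any(tok in name.lower() for tok in NAME_TOKENS):
        findings.append(f"name '{name}' matches the campaign naming pattern (weak signal)")

    versions = pkg.get("versions", {})
    published = pkg.get("time", {})
    # Walk releases in publish order so each finding says what an update introduced.
    ordered = sorted(versions, key=lambda v: published.get(v, ""))
    hooks_seen: set[str] = set()
    for v in ordered:
        meta = versions[v]
        hooks = set(meta.get("scripts", {})) & INSTALL_HOOKS
        added = hooks - hooks_seen
        if added and v != ordered[0]:
            findings.append(f"{v} introduces install-time script(s) {sorted(added)} "
                            "that earlier releases did not have")
        if meta.get("deprecated"):
            findings.append(f"{v} is marked deprecated: {meta['deprecated']}")
        hooks_seen |= hooks
    return findings
```

The same function can be fed the JSON returned by the registry for any dependency listed in a candidate repository's manifest; a hit does not prove malice, but it is reason to inspect the package in an isolated environment rather than install it on a workstation.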


If you think you may have installed any of the packages mentioned or run code related to a suspicious job offer, the actions to take should be immediate: revoke every token, change passwords and keys, review access to exchange accounts and wallets, and in many cases reinstall the system from scratch to ensure the malware is completely removed. ReversingLabs explicitly recommends these measures and publishes IoC to facilitate remediation.

Beyond the technical urgency, Graphalgo is a reminder that social engineering has learned to exploit modern collaborative channels: a well-designed technical test not only measures skills but can become a trap. For developers and hiring managers the lesson is clear: keep interview processes that do not require running artifacts on production machines, prefer exercises in isolated environments, and review dependencies with software supply chain analysis tools before accepting any third-party code.

In a landscape where state actors have shown a persistent inclination to attack digital assets, especially in the crypto world, the combination of identity impersonation, apparently legitimate packages and modular persistence forms a sophisticated threat. Staying informed, applying good isolation and dependency review practices, and following the platforms' guides is now more necessary than ever so as not to become the entry point for a broader attack.
