Lazarus Group 'Graphalgo' Fake-Recruiter npm/PyPI Campaign: 1 decision on this page
Audit log
Every state-changing event for Lazarus Group 'Graphalgo' Fake-Recruiter npm/PyPI Campaign: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.
- #1 publish by system:backfill, 2026-06-08 01:21:57Z. Score: ? → ? (no score change). Anchor: anchored
- chain: mainnet-beta, slot 425,010,356
- sig: 3dWs3vbGu23Y…ZpBjN99q
- hash: 2eqqBHujYKL3…9BGNw2Z9 (sha256 → base58)
- canonical bytes (25947 B):
{"actor":"system:backfill","investigation_id":"dbd7d8a8-5677-4df6-93ab-f3b0bbbdca65","kind":"publish","page_slug":"lazarus-group-graphalgo-fake-recruiter-npm-pypi-campaign","published_at":"2026-06-08T01:21:57.714Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Lazarus Group 'Graphalgo' Fake-Recruiter npm/PyPI Campaign","sections":[{"content":"The graphalgo campaign is named after the first malicious npm package published in the operation, graphalgo version 2.2.6, which appeared on May 2, 2025. Cybersecurity firm ReversingLabs identified and disclosed the campaign in February 2026, attributing it to North Korea's Lazarus Group (also tracked as APT38, TraderTraitor, Jade Sleet, and UNC4899). Attribution rests on multiple indicators: Git commit timestamps consistently aligned with GMT+9 (North Korea Standard Time), attack methodology mirroring the 2023 VMConnect and Jade Sleet PyPI/GitHub campaigns, a shared token-protected command-and-control (C2) communication technique previously documented only in North Korean operations, and targeting patterns focused exclusively on cryptocurrency developers and wallets. No formal U.S. government attribution advisory specific to graphalgo has been published as of June 2026, though Lazarus Group as an entity was designated by the U.S. Treasury OFAC and the FBI has previously attributed multiple Lazarus operations by name. 
The campaign is assessed as ongoing, with a respawned variant documented by ReversingLabs in April 2026.","heading":"Campaign Overview and Attribution","severity":"critical","sources":[{"credibility":2,"name":"Inside the 'graphalgo' fake crypto developer recruitment campaign — ReversingLabs","type":"research","url":"https://www.reversinglabs.com/blog/inside-graphalgo"},{"credibility":2,"name":"Lazarus Campaign Plants Malicious Packages in npm and PyPI Ecosystems — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/02/lazarus-campaign-plants-malicious.html"},{"credibility":1,"name":"Lazarus Group — OFAC Sanctions Entry","type":"regulatory","url":"https://sanctionssearch.ofac.treas.gov/Details.aspx?id=27307"},{"credibility":2,"name":"Malicious npm and PyPI packages linked to Lazarus APT fake recruiter campaign — Security Affairs","type":"news_article","url":"https://securityaffairs.com/188009/apt/malicious-npm-and-pypi-packages-llinked-to-lazarus-apt-fake-recruiter-campaign.html"}]},{"content":"The primary social-engineering persona used in the campaign's first phase is 'Veltrix Capital', a fabricated blockchain and cryptocurrency trading firm. The domain veltrixcap[.]org was registered on April 4, 2025, approximately one month before the first malicious package appeared. A backup domain, veltrixcapital[.]ai, was registered on September 21, 2025, likely to provide continuity when the first domain risked exposure. Two GitHub organizations — veltrix-capital and veltrixcapital — were created to host alleged interview repositories. Published repositories included projects named 'test-url-monitoring' and 'test-devops-orchestrator' in both Python and JavaScript, which appeared to be routine DevOps coding challenges but silently pulled malicious npm or PyPI dependencies upon execution. The company's website carried AI-generated corporate vision and mission content. 
ReversingLabs researchers noted that when one persona set risks exposure, actors spin up a new company with fresh domains and AI-generated content, a pattern confirmed when Veltrix Capital was replaced by subsequent personas.","heading":"Fake Company Infrastructure: Veltrix Capital","severity":"critical","sources":[{"credibility":2,"name":"Fake recruiter campaign targets crypto developers with RAT — ReversingLabs","type":"research","url":"https://www.reversinglabs.com/blog/fake-recruiter-campaign-crypto-devs"},{"credibility":2,"name":"Lazarus Group's 'Graphalgo' Fake Recruiter Campaign Targets GitHub, npm, and PyPI — GBHackers","type":"news_article","url":"https://gbhackers.com/lazarus-groups-graphalgo/"},{"credibility":2,"name":"Lazarus Campaign Plants Malicious Packages in npm and PyPI Ecosystems — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/02/lazarus-campaign-plants-malicious.html"}]},{"content":"ReversingLabs researchers identified a total of 192 malicious packages spread across npm and PyPI in two naming waves. The first wave, active from May 2025, used 'graph'-prefixed names that mimicked the legitimate graphlib npm package (2.7 million weekly downloads) and the Python networkx library. Confirmed npm packages in this wave include: graphalgo, graphorithm, graphstruct, graphlibcore, graphnetworkx, netstruct, terminalcolor256, graphkitx, graphchain, graphflux, graphorbit, graphnet, graphhub, terminal-kleur, graphrix, graphlink, and graphflowx, among others across 106 total npm packages. Corresponding PyPI packages include: graphalgo, graphex, graphlibx, graphdict, graphflux, graphnode, graphsync, and others across 86 total PyPI packages. The first PyPI package appeared on June 13, 2025. A second wave, beginning November 17, 2025 on npm and December 9, 2025 on PyPI, used 'big'-prefixed names, including bigmathutils, bigmathex, bigmathlib, bignumx, bignumberx, bignumex, bigmathix, bigpyx, and bignum. 
The package bigmathutils accumulated more than 10,000 downloads after an initially benign version established trust; the malicious payload version (v1.1.0) was published on February 11, 2026, then quickly removed and the package marked deprecated. All packages function as first-stage loaders.","heading":"Malicious Package Inventory","severity":"critical","sources":[{"credibility":2,"name":"Inside the 'graphalgo' fake crypto developer recruitment campaign — ReversingLabs","type":"research","url":"https://www.reversinglabs.com/blog/inside-graphalgo"},{"credibility":2,"name":"Fake recruiter campaign targets crypto developers with RAT — ReversingLabs","type":"research","url":"https://www.reversinglabs.com/blog/fake-recruiter-campaign-crypto-devs"},{"credibility":2,"name":"Lazarus Group's 'Graphalgo' Fake Recruiter Campaign Exploits GitHub, npm, and PyPI — CyberSecurityNews","type":"news_article","url":"https://cybersecuritynews.com/lazarus-groups-graphalgo-fake-recruiter-campaign/"},{"credibility":2,"name":"graphalgo@2.2.6 issues — ReversingLabs Spectra Assure Community","type":"research","url":"https://secure.software/npm/packages/graphalgo/issues/2.2.6"}]},{"content":"Malicious packages operate as first-stage loaders employing a three-stage delivery chain. In the first stage, the npm or PyPI package executes a post-install script that downloads an obfuscated second-stage payload. The second stage was hosted on GitHub at a raw content URL under the account 'johns92' (hxxps://raw.githubusercontent[.]com/johns92/blog_app/refs/heads/main/server/.env.example). The second stage decrypts and executes a third-stage remote-access trojan (RAT). Decryption uses a key derived from constructor arguments: when graph objects are instantiated with parameters such as 'weighted:true, directed:true', the decryption key 'weighted-directed-graph' is generated — a deliberate obfuscation technique to prevent sandbox detection. 
Following execution, files are deleted to remove forensic evidence. The final RAT payload communicates with C2 servers at codepool[.]cloud and aurevian[.]cloud via a token-based authentication mechanism that restricts commands to registered infected hosts — a technique documented as uncommon outside North Korean threat actor tooling. RAT capabilities include: file download and upload, directory and process enumeration, arbitrary command execution from the C2 server, file creation/rename/delete operations, and targeted detection of the MetaMask browser extension, indicating cryptocurrency wallet theft as a primary objective. A VBS payload variant was identified on February 4, 2026.","heading":"Malware Technical Analysis","severity":"critical","sources":[{"credibility":2,"name":"Inside the 'graphalgo' fake crypto developer recruitment campaign — ReversingLabs","type":"research","url":"https://www.reversinglabs.com/blog/inside-graphalgo"},{"credibility":2,"name":"Fake recruiter campaign targets crypto developers with RAT — ReversingLabs","type":"research","url":"https://www.reversinglabs.com/blog/fake-recruiter-campaign-crypto-devs"},{"credibility":2,"name":"Lazarus Campaign Plants Malicious Packages in npm and PyPI Ecosystems — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/02/lazarus-campaign-plants-malicious.html"}]},{"content":"Developers are targeted via LinkedIn, Facebook groups, and Reddit forums with offers for DevOps and blockchain developer positions. The recruitment pipeline is designed to appear indistinguishable from a legitimate hiring process: initial contact presents a professional job description tied to blockchain or cryptocurrency exchange operations, interested candidates are directed to a GitHub repository hosted under the fake company's organization, and the repository contains a coding 'test task' that, upon execution, triggers the malicious dependency chain. 
The approach exploits developers' familiarity with running test tasks from unfamiliar codebases as a standard part of technical interviews. The campaign deliberately approached JavaScript and Python developers, the primary audiences for npm and PyPI packages, maximizing the relevance of the social engineering narrative.","heading":"Social Engineering and Recruitment Tactics","severity":"high","sources":[{"credibility":2,"name":"Fake recruiter campaign targets crypto developers with RAT — ReversingLabs","type":"research","url":"https://www.reversinglabs.com/blog/fake-recruiter-campaign-crypto-devs"},{"credibility":2,"name":"Lazarus Group's 'Graphalgo' Fake Recruiter Campaign Targets GitHub, npm, and PyPI — GBHackers","type":"news_article","url":"https://gbhackers.com/lazarus-groups-graphalgo/"},{"credibility":3,"name":"Fake recruiters weaponize job offers to target cryptocurrency developers — Andrea Fortuna","type":"news_article","url":"https://andreafortuna.org/2026/02/17/fake-recruiter-lazarus-campaign"}]},{"content":"Approximately two months after the February 2026 disclosure, ReversingLabs documented the campaign respawning under new personas. Most significantly, threat actors registered a real Florida LLC named 'Blocmerce LLC' in August 2025 under a fake CEO named 'Alexandre Miller', with physical addresses belonging to unrelated third parties. This marks an escalation in legitimacy theater: prior Lazarus recruiter operations used fabricated web presences, but the registration of actual corporate entities adds a layer of legal-record credibility to the social engineering narrative. Additional personas included 'Bridgers Finance' (described as the central hub for ongoing frontend operations) and two accounts impersonating the legitimate SWFT Blockchain organization. Fake employee identities 'Dmytro Buryma' and 'Karina Lesova' appeared in both LLC filings and rewritten Git histories. 
The respawned campaign also introduced a new technique: instead of publishing malicious packages directly to npm or PyPI, actors embedded malicious dependencies as GitHub release artifacts referenced in package-lock.json files, effectively evading heightened monitoring of official package registries. New package names deployed in this phase include graph-dynamic, graphbase-js, graphcore-js, and graphlib-js. The new C2 infrastructure uses the domain huvaret[.]art, with RAT delivery at huvaret[.]art/public/index.js and a Sepolia testnet smart contract (0x7526aCdCF0B22f9B8F790CF069E5dD16CC414B0e) used for logging, suggesting experimentation with blockchain-based C2 persistence.","heading":"Campaign Respawn: Blockmerce, Bridgers Finance, and U.S. LLC Registration","severity":"critical","sources":[{"credibility":2,"name":"Graphalgo fake recruiter test campaign respawned — ReversingLabs","type":"research","url":"https://www.reversinglabs.com/blog/graphalgo-campaign-respawned"},{"credibility":2,"name":"GraphAlgo Scam: Lazarus Hackers Register Real US LLCs to Spread Malware — HackRead","type":"news_article","url":"https://hackread.com/graphalgo-scam-lazarus-hackers-us-llcs-malware/"}]},{"content":"The graphalgo campaign is assessed by ReversingLabs as a fresh branch of a long-running Lazarus Group developer-targeting operation. The most direct precedent is the VMConnect campaign (2023), which also abused PyPI and GitHub to deliver multi-stage malware through fake recruiter scenarios. The Jade Sleet/TraderTraitor/UNC4899 cluster — overlapping Lazarus subgroups tracked by various vendors — pioneered the token-protected C2 technique that graphalgo reuses. Lazarus Group has been designated by the U.S. Treasury OFAC and is assessed by the U.S. government to be operated by North Korea's Reconnaissance General Bureau (RGB) to generate foreign currency revenue for the DPRK's weapons programs. 
The group has been linked to over $5 billion in cryptocurrency theft between 2021 and 2025, including the February 2025 Bybit hack ($1.5 billion). On March 12, 2026, OFAC sanctioned six individuals and two entities connected to North Korean IT worker fraud schemes that generated approximately $800 million in 2024, reflecting the broader financial context in which graphalgo operates.","heading":"Precedent Campaigns and Lazarus Group Context","severity":"critical","sources":[{"credibility":1,"name":"Lazarus Group — OFAC Sanctions Entry","type":"regulatory","url":"https://sanctionssearch.ofac.treas.gov/Details.aspx?id=27307"},{"credibility":2,"name":"OFAC Targets DPRK IT Workers Using Crypto — Chainalysis","type":"news_article","url":"https://www.chainalysis.com/blog/ofac-targets-north-korean-it-workers-crypto-march-2026/"},{"credibility":1,"name":"Treasury Sanctions Individuals Laundering Cryptocurrency for Lazarus Group — U.S. Treasury","type":"regulatory","url":"https://home.treasury.gov/news/press-releases/sm924"},{"credibility":2,"name":"Inside the 'graphalgo' fake crypto developer recruitment campaign — ReversingLabs","type":"research","url":"https://www.reversinglabs.com/blog/inside-graphalgo"},{"credibility":2,"name":"Lazarus Group Targets Developers Through NPM Packages — SecurityScorecard","type":"research","url":"https://securityscorecard.com/blog/lazarus-group-targets-developers-through-npm-packages-and-supply-chain-attacks/"}]},{"content":"The following infrastructure has been publicly documented in connection with this campaign. Domains: veltrixcap[.]org (registered April 4, 2025), veltrixcapital[.]ai (registered September 21, 2025), codepool[.]cloud (primary C2), aurevian[.]cloud (secondary C2), huvaret[.]art (respawned campaign C2). GitHub organizations: veltrix-capital, veltrixcapital, swft-blockchain (typosquatting SWFT Blockchain), Blockmerce. GitHub staging account: johns92 (used to host second-stage payload at raw.githubusercontent.com). 
Notable malicious packages (npm): graphalgo, bigmathutils (v1.1.0), graphnetworkx, graph-dynamic, graphbase-js, graphcore-js, graphlib-js, and approximately 100 additional graph- and big-prefixed variants. Notable malicious packages (PyPI): graphalgo, bigmathutils, bigmathix, graphdict, graphflux, graphnode, graphsync, and approximately 80 additional variants. Blockchain: Sepolia testnet contract 0x7526aCdCF0B22f9B8F790CF069E5dD16CC414B0e, creator wallet 0x87BF60FB6657d5E5CD425E36FF18aa7Bb5a8FcF4. Typosquatting example: fake npm account 'Ijharb' (capital I replacing lowercase L in 'ljharb', the account of developer Jordan Harband) distributing malicious 'side-channel-weakmap' package.","heading":"Known Infrastructure and Indicators of Compromise","severity":"high","sources":[{"credibility":2,"name":"Inside the 'graphalgo' fake crypto developer recruitment campaign — ReversingLabs","type":"research","url":"https://www.reversinglabs.com/blog/inside-graphalgo"},{"credibility":2,"name":"Graphalgo fake recruiter test campaign respawned — ReversingLabs","type":"research","url":"https://www.reversinglabs.com/blog/graphalgo-campaign-respawned"},{"credibility":2,"name":"GraphAlgo Scam: Lazarus Hackers Register Real US LLCs to Spread Malware — HackRead","type":"news_article","url":"https://hackread.com/graphalgo-scam-lazarus-hackers-us-llcs-malware/"}]},{"content":"The campaign's confirmed primary targets are JavaScript and Python developers working in the blockchain and cryptocurrency sectors, particularly those actively seeking employment. The MetaMask detection in the RAT payload indicates a secondary objective of cryptocurrency wallet theft from compromised developer machines, consistent with Lazarus Group's documented pattern of targeting high-value crypto developer workstations. The bigmathutils package accumulated over 10,000 downloads before weaponization, indicating a meaningful potential victim pool even if only a fraction ran the malicious version. 
Developers who ran npm install or pip install of the listed packages between May 2025 and the packages' removal dates should treat their systems as potentially compromised. The campaign's evolution to GitHub release artifacts in the respawned phase means audit of package-lock.json files is necessary in addition to direct package manifest review.","heading":"Affected Populations and Risk Assessment","severity":"high","sources":[{"credibility":2,"name":"Lazarus Campaign Plants Malicious Packages in npm and PyPI Ecosystems — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/02/lazarus-campaign-plants-malicious.html"},{"credibility":2,"name":"Fake recruiter campaign targets crypto developers with RAT — ReversingLabs","type":"research","url":"https://www.reversinglabs.com/blog/fake-recruiter-campaign-crypto-devs"},{"credibility":2,"name":"Lazarus Group exploits npm and PyPI with fake recruitment campaign — SC Media","type":"news_article","url":"https://www.scworld.com/brief/lazarus-group-exploits-npm-and-pypi-with-fake-recruitment-campaign"}]}],"sources_used":[{"credibility":2,"name":"Inside the 'graphalgo' fake crypto developer recruitment campaign — ReversingLabs","type":"research","url":"https://www.reversinglabs.com/blog/inside-graphalgo"},{"credibility":2,"name":"Fake recruiter campaign targets crypto developers with RAT — ReversingLabs","type":"research","url":"https://www.reversinglabs.com/blog/fake-recruiter-campaign-crypto-devs"},{"credibility":2,"name":"Graphalgo fake recruiter test campaign respawned — ReversingLabs","type":"research","url":"https://www.reversinglabs.com/blog/graphalgo-campaign-respawned"},{"credibility":2,"name":"Lazarus Campaign Plants Malicious Packages in npm and PyPI Ecosystems — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/02/lazarus-campaign-plants-malicious.html"},{"credibility":2,"name":"Malicious npm and PyPI packages linked to Lazarus APT fake recruiter campaign — Security 
Affairs","type":"news_article","url":"https://securityaffairs.com/188009/apt/malicious-npm-and-pypi-packages-llinked-to-lazarus-apt-fake-recruiter-campaign.html"},{"credibility":2,"name":"Lazarus Group's 'Graphalgo' Fake Recruiter Campaign Targets GitHub, npm, and PyPI — GBHackers","type":"news_article","url":"https://gbhackers.com/lazarus-groups-graphalgo/"},{"credibility":2,"name":"Lazarus Group's 'Graphalgo' Fake Recruiter Campaign Exploits GitHub, npm, and PyPI — CyberSecurityNews","type":"news_article","url":"https://cybersecuritynews.com/lazarus-groups-graphalgo-fake-recruiter-campaign/"},{"credibility":2,"name":"GraphAlgo Scam: Lazarus Hackers Register Real US LLCs to Spread Malware — HackRead","type":"news_article","url":"https://hackread.com/graphalgo-scam-lazarus-hackers-us-llcs-malware/"},{"credibility":2,"name":"Lazarus Group exploits npm and PyPI with fake recruitment campaign — SC Media","type":"news_article","url":"https://www.scworld.com/brief/lazarus-group-exploits-npm-and-pypi-with-fake-recruitment-campaign"},{"credibility":2,"name":"Lazarus Group Uses GitHub, npm, PyPI for 'Graphalgo' Malware Campaign — CyberPress","type":"news_article","url":"https://cyberpress.org/lazarus-group-distributes-graphalgo-malwar/"},{"credibility":2,"name":"Lazarus Group Targets npm, PyPI, and GitHub Developers — Rescana","type":"news_article","url":"https://www.rescana.com/post/lazarus-group-targets-npm-pypi-and-github-developers-with-fake-job-recruiter-malware-campaign"},{"credibility":1,"name":"Lazarus Group — OFAC Sanctions Entry","type":"regulatory","url":"https://sanctionssearch.ofac.treas.gov/Details.aspx?id=27307"},{"credibility":1,"name":"Treasury Sanctions Individuals Laundering Cryptocurrency for Lazarus Group — U.S. 
Treasury","type":"regulatory","url":"https://home.treasury.gov/news/press-releases/sm924"},{"credibility":2,"name":"OFAC Targets DPRK IT Workers Using Crypto — Chainalysis","type":"news_article","url":"https://www.chainalysis.com/blog/ofac-targets-north-korean-it-workers-crypto-march-2026/"},{"credibility":2,"name":"graphalgo@2.2.6 issues — ReversingLabs Spectra Assure Community","type":"research","url":"https://secure.software/npm/packages/graphalgo/issues/2.2.6"},{"credibility":3,"name":"Fake recruiters weaponize job offers to target cryptocurrency developers — Andrea Fortuna","type":"news_article","url":"https://andreafortuna.org/2026/02/17/fake-recruiter-lazarus-campaign"},{"credibility":2,"name":"Lazarus Group Targets Developers Through NPM Packages and Supply Chain Attacks — SecurityScorecard","type":"research","url":"https://securityscorecard.com/blog/lazarus-group-targets-developers-through-npm-packages-and-supply-chain-attacks/"}],"summary":"The 'graphalgo' campaign is a North Korean state-sponsored software supply-chain operation attributed to the Lazarus Group, active since at least May 2025 and publicly disclosed in February 2026. Threat actors impersonate cryptocurrency-sector recruiters using fabricated companies — most notably 'Veltrix Capital' — to deliver coding-assessment repositories seeded with malicious npm and PyPI packages that install a remote-access trojan (RAT) targeting developer systems and cryptocurrency wallets. By April 2026 the campaign had respawned under new personas including 'Blockmerce' and 'Bridgers Finance', with operatives registering a real U.S. 
LLC to enhance credibility.","timeline":[{"date":"2025-04-04","event":"Domain veltrixcap[.]org registered, establishing fake Veltrix Capital infrastructure.","source":"ReversingLabs — Inside the 'graphalgo' campaign","source_url":"https://www.reversinglabs.com/blog/inside-graphalgo"},{"date":"2025-05-02","event":"First malicious npm package, graphalgo version 2.2.6, published to the npm registry.","source":"ReversingLabs — Inside the 'graphalgo' campaign","source_url":"https://www.reversinglabs.com/blog/inside-graphalgo"},{"date":"2025-05-01","event":"Alleged start of recruitment outreach via LinkedIn, Facebook, and Reddit under Veltrix Capital persona.","source":"The Hacker News","source_url":"https://thehackernews.com/2026/02/lazarus-campaign-plants-malicious.html"},{"date":"2025-06-13","event":"First malicious PyPI package, graphalgo, published to the Python Package Index.","source":"ReversingLabs — Inside the 'graphalgo' campaign","source_url":"https://www.reversinglabs.com/blog/inside-graphalgo"},{"date":"2025-08-01","event":"Blocmerce LLC registered as a real Florida LLC with fake CEO 'Alexandre Miller', pre-positioning for the campaign's next persona phase.","source":"HackRead — GraphAlgo Scam: Lazarus Hackers Register Real US LLCs","source_url":"https://hackread.com/graphalgo-scam-lazarus-hackers-us-llcs-malware/"},{"date":"2025-09-21","event":"Backup domain veltrixcapital[.]ai registered.","source":"ReversingLabs — Fake recruiter campaign targets crypto developers with RAT","source_url":"https://www.reversinglabs.com/blog/fake-recruiter-campaign-crypto-devs"},{"date":"2025-11-17","event":"'Big'-prefixed npm package wave begins, starting with bignumx and bignum.","source":"ReversingLabs — Inside the 'graphalgo' campaign","source_url":"https://www.reversinglabs.com/blog/inside-graphalgo"},{"date":"2025-12-09","event":"'Big'-prefixed PyPI package wave begins.","source":"ReversingLabs — Inside the 'graphalgo' 
campaign","source_url":"https://www.reversinglabs.com/blog/inside-graphalgo"},{"date":"2026-01-01","event":"bigmathutils accumulates over 4,200 weekly downloads; no malicious payload present in published versions yet.","source":"ReversingLabs — Inside the 'graphalgo' campaign","source_url":"https://www.reversinglabs.com/blog/inside-graphalgo"},{"date":"2026-02-04","event":"VBS payload variant identified by researchers.","source":"ReversingLabs — Fake recruiter campaign targets crypto developers with RAT","source_url":"https://www.reversinglabs.com/blog/fake-recruiter-campaign-crypto-devs"},{"date":"2026-02-11","event":"Malicious bigmathutils version 1.1.0 published; package had exceeded 10,000 cumulative downloads. Malicious version subsequently removed and package marked deprecated.","source":"ReversingLabs — Fake recruiter campaign targets crypto developers with RAT","source_url":"https://www.reversinglabs.com/blog/fake-recruiter-campaign-crypto-devs"},{"date":"2026-02-15","event":"ReversingLabs publicly discloses the graphalgo campaign; widespread coverage by The Hacker News, Security Affairs, GBHackers, SC Media, and others.","source":"Security Affairs","source_url":"https://securityaffairs.com/188009/apt/malicious-npm-and-pypi-packages-llinked-to-lazarus-apt-fake-recruiter-campaign.html"},{"date":"2026-04-01","event":"ReversingLabs documents campaign respawn under Blockmerce and Bridgers Finance personas, with new C2 domain huvaret[.]art and shift to GitHub release artifact delivery.","source":"ReversingLabs — Graphalgo campaign respawned","source_url":"https://www.reversinglabs.com/blog/graphalgo-campaign-respawned"}]},"v":1}
Verify offline (run on your own machine):
python -m src.verify_decision ecd2ecf1-bca1-4b98-b77d-2347b0b21b27
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares it against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine:
python -m src.verify_decision <event_id>