1. Forum
  2. Fidonet
  3. CONSPRCY

  • Operation Dream Job evolves once again

    From Mike Powell@1:2320/105 to All on Tue Feb 17 11:25:17 2026
    North Korean job scammers target JavaScript and Python developers with fake interview tasks spreading malware

    By Sead Fadilpa?i? published yesterday

    Operation Dream Job is evolving once again

    Lazarus Group evolving Operation Dream Job campaign to target Web3 developers
    New "Graphalgo" variant uses malicious dependencies in legitimate
    bare-bone projects on PyPI/npm
    ReversingLabs found ~200 malicious packages spoofing libraries like graphlib, aiming to steal crypto

    The notorious Lazarus gang is evolving its Operation Dream Job campaign to target even more software developers and steal even more crypto along the way.

    Security researchers ReversingLabs claim to have seen changes to the campaign starting May 2025, dubbed `Graphalgo', which sees Lazarus take a legitimate bare-bone project, and adds a malicious dependency which they use in the attack.

    For those unfamiliar with Operation Dream Job, it is an ongoing campaign created by North Korean state-sponsored hackers. They create fake job ads on LinkedIn and other platforms and offer enticing jobs to software developers working primarily in the Web3 (blockchain) industry.

    Codename Graphalgo

    During the "hiring process", they ask the candidates to go through a few
    test assignments which always end up with the victims downloading and running malicious code. That code can be different, but the goal is always to empty their crypto wallets - be it standalone apps, browser add-ons, or accounts on popular crypto exchanges.

    "It is easy to create such job task repositories. Threat actors simply need to take a legitimate bare-bone project and fix it up with a malicious dependency and it is ready to be served to targets," the researchers said. Most of these projects are hosted on legitimate platforms such as PyPI or npm, making it more difficult for the victims to spot the attack.

    So far, ReversingLabs found almost 200 malicious packages.

    The refresh was dubbed Graphalgo because all of the malicious packages had the prefix "graph" in their name and often spoof regular libraries such as graphlib. In more recent times, "graph" was replaced with "big", but
    the researchers are yet to find the recruiting part that goes with these packages.

    Via BleepingComputer


    https://www.techradar.com/pro/security/north-korean-job-scammers-target-javascr ipt-and-python-developers-with-fake-interview-tasks-spreading-malware

    $$
    --- SBBSecho 3.28-Linux
    * Origin: Capitol City Online (1:2320/105)