
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   CONSPRCY      How big is your tinfoil hat?      2,445 messages   


   Message 2,429 of 2,445   
   Mike Powell to All   
   Operation Dream Job evolves once again   
   17 Feb 26 11:25:17   
   
   TZUTC: -0500   
   MSGID: 2187.consprcy@1:2320/105 2df9d4f8   
   PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   FORMAT: flowed   
   North Korean job scammers target JavaScript and Python developers with fake   
   interview tasks spreading malware   
      
   By Sead Fadilpašić published yesterday   
      
   Operation Dream Job is evolving once again   
      
     - Lazarus Group evolving Operation Dream Job campaign to target Web3 developers   
     - New "Graphalgo" variant uses malicious dependencies in legitimate bare-bone projects on PyPI/npm   
     - ReversingLabs found ~200 malicious packages spoofing libraries like graphlib, aiming to steal crypto   
      
   The notorious Lazarus gang is evolving its Operation Dream Job campaign to   
   target even more software developers and steal even more crypto along the way.   
      
   Security researchers ReversingLabs claim to have seen changes to the campaign   
   starting May 2025, dubbed "Graphalgo", which sees Lazarus take a legitimate   
   bare-bone project and add a malicious dependency, which they use in the   
   attack.   
      
   For those unfamiliar with Operation Dream Job, it is an ongoing campaign   
   created by North Korean state-sponsored hackers. They create fake job ads on   
   LinkedIn and other platforms and offer enticing jobs to software developers   
   working primarily in the Web3 (blockchain) industry.   
      
   Codename Graphalgo   
      
   During the "hiring process", they ask the candidates to go through a few   
   test assignments which always end up with the victims downloading and running   
   malicious code. That code can be different, but the goal is always to empty   
   their crypto wallets - be it standalone apps, browser add-ons, or accounts on   
   popular crypto exchanges.   
      
   "It is easy to create such job task repositories. Threat actors simply need to   
   take a legitimate bare-bone project and fix it up with a malicious dependency   
   and it is ready to be served to targets," the researchers said. Most of these   
   projects are hosted on legitimate platforms such as PyPI or npm, making it more   
   difficult for the victims to spot the attack.   
      
   So far, ReversingLabs found almost 200 malicious packages.   
      
   The refresh was dubbed Graphalgo because all of the malicious packages had the   
   prefix "graph" in their name and often spoof regular libraries such as   
   graphlib. In more recent times, "graph" was replaced with "big", but   
   the researchers are yet to find the recruiting part that goes with these   
   packages.   
      
   Via BleepingComputer   
      
      
   https://www.techradar.com/pro/security/north-korean-job-scammers-target-javascript-and-python-developers-with-fake-interview-tasks-spreading-malware   
      
   $$   
   --- SBBSecho 3.28-Linux   
    * Origin: Capitol City Online (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700   
   SEEN-BY: 226/30 227/114 229/110 134 206 300 307 317 400 426 428 470   
   SEEN-BY: 229/664 700 705 266/512 291/111 320/219 322/757 342/200 396/45   
   SEEN-BY: 460/58 633/280 712/848 902/26 2320/0 105 304 3634/12 5075/35   
   PATH: 2320/105 229/426   
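
A pre-install check for the pattern the article describes, added here as an example (it is not part of the posted article and not ReversingLabs' tooling): before running a take-home project, list its PyPI/npm dependencies and flag any unvetted name that starts with the reported "graph" or "big" prefixes, noting which vetted library it resembles. The vetted list, the sample manifests and every package name in them are assumptions constructed for the example; a flag means "read this package before installing", not a verdict.

```python
import difflib
import json
import re

# Name prefixes the article reports for the malicious packages.
REPORTED_PREFIXES = ("graph", "big")
# Assumption: dependencies your team has already vetted (not a list from the article).
VETTED = {"graphlib", "graphql", "graphviz", "bignumber.js"}

def norm(name):
    """Lower-case and collapse -, _ and . so spelling variants compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def names_from_requirements(text):
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):      # skip pip options such as -r / -e
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(m.group(0))
    return names

def names_from_package_json(text):
    data = json.loads(text)
    names = []
    for key in ("dependencies", "devDependencies", "optionalDependencies"):
        names.extend(data.get(key, {}))
    return names

def flag_for_review(names, vetted=VETTED):
    """Return (name, closest vetted name or None) for unvetted prefix matches."""
    known = sorted(norm(v) for v in vetted)
    findings = []
    for raw in names:
        full = norm(raw)
        base = full.rsplit("/", 1)[-1]            # ignore an npm @scope/ for the prefix test
        if full in known or not base.startswith(REPORTED_PREFIXES):
            continue
        near = difflib.get_close_matches(base, known, n=1, cutoff=0.75)
        findings.append((raw, near[0] if near else None))
    return findings

# Constructed sample manifests; the package names below are made up for the example.
SAMPLE_REQUIREMENTS = "flask==3.0.0\ngraphlibx>=1.2  # lookalike\nbigexample-math\n-r dev.txt\n"
SAMPLE_PACKAGE_JSON = '{"dependencies": {"graphql": "^16.0.0", "graph-example-helper": "1.0.0"}}'

if __name__ == "__main__":
    deps = names_from_requirements(SAMPLE_REQUIREMENTS) + names_from_package_json(SAMPLE_PACKAGE_JSON)
    for name, near in flag_for_review(deps):
        print(f"REVIEW {name}" + (f" (resembles {near})" if near else ""))
```

Run it against the manifests of an interview repository inside a throwaway VM or container, before any `pip install` or `npm install`, since install hooks execute code.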
      



(c) 1994,  bbs@darkrealms.ca