Fake job recruiters hide malware in developer coding challenges

Bleeping Computer
by Bill Toulas
February 13, 2026
AI-Generated Deep Dive Summary
North Korean threat actors have launched a sophisticated cyber campaign targeting JavaScript and Python developers through fake job recruiter schemes centered around cryptocurrency-related tasks. These malicious actors create fake companies in the blockchain and crypto-trading sectors, posting fraudulent job opportunities on platforms like LinkedIn, Facebook, and Reddit. Developers applying for these roles are instructed to run, debug, and enhance given projects, unknowingly installing malicious dependencies from legitimate repositories like npm and PyPI. This action installs a Remote Access Trojan (RAT), giving the attackers control over infected systems. The campaign, dubbed 'Graphalgo,' involves creating seemingly legitimate coding challenges that conceal malicious payloads within third-party libraries. For instance, researchers identified a package named 'bigmathutils' with 10,000 downloads that remained benign until version 1.1.0, which introduced harmful code. The attackers exploit GitHub repositories and npm/Py
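A defensive check for the scenario the summary describes, as an added example that is not from the article or the researchers: it walks a parsed npm lockfile and reports any install of `bigmathutils` at 1.1.0 or later, whether direct or transitive. Treating later versions as suspect is an assumption, and the sample lockfile with its `example-chart-lib` package is constructed for illustration.

```javascript
// Added example. The watchlist holds the one package the article names; flagging
// every version from 1.1.0 upward is this example's assumption.
const WATCHLIST = [{ name: "bigmathutils", firstBadVersion: "1.1.0" }];

// Compare dotted numeric versions (prerelease/build suffixes ignored).
function compareVersions(a, b) {
  const parse = (v) => v.split(/[-+]/)[0].split(".").map(Number);
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Yield every installed package, direct or transitive, from a parsed lockfile.
function* installedPackages(lock) {
  if (lock.packages) { // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry
      const i = path.lastIndexOf("node_modules/");
      const name = meta.name || (i < 0 ? path : path.slice(i + 13));
      yield { name, version: meta.version, path };
    }
    return;
  }
  yield* walkV1(lock.dependencies, []); // lockfileVersion 1: nested tree
}

function* walkV1(deps, trail) {
  for (const [name, meta] of Object.entries(deps || {})) {
    yield { name, version: meta.version, path: [...trail, name].join(" > ") };
    yield* walkV1(meta.dependencies, [...trail, name]);
  }
}

function findFlagged(lock, watchlist = WATCHLIST) {
  return [...installedPackages(lock)].filter((pkg) =>
    watchlist.some((w) => pkg.name === w.name && pkg.version &&
      compareVersions(pkg.version, w.firstBadVersion) >= 0));
}

// Constructed sample: a take-home project whose direct dependency pulls in the
// flagged package. "example-chart-lib" is a made-up name.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "take-home-challenge", version: "0.0.1" },
  "node_modules/example-chart-lib": { version: "2.3.0" },
  "node_modules/example-chart-lib/node_modules/bigmathutils": { version: "1.1.0" },
} };

console.log(findFlagged(SAMPLE_LOCK));
```

To use it on a real project, pass the result of `JSON.parse` on the repository's `package-lock.json` and review the hits before installing or running anything.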
Originally published on Bleeping Computer on 2/13/2026