Fake recruiter campaign targets crypto developers
www.reversinglabs.com

ReversingLabs uncovered the "graphalgo" campaign by North Korea's Lazarus Group, active since May 2025, which targets crypto developers with fake job offers on LinkedIn, Facebook, and Reddit. Posing as firms such as "Veltrix Capital," the attackers provide GitHub tasks with malicious npm and PyPI dependencies (e.g., graphalgo, bigmathutils) that install RATs, which check for MetaMask and enable remote control. The modular setup uses indirect payload delivery for persistence, and the IoCs include codepool.cloud and the listed package hashes.
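
A pre-install check for a take-home repository, written for this summary as an added example (it is not ReversingLabs' tooling). It matches only the two package names and the one domain quoted above; `scan`, `load_repo` and the sample manifests are constructed for illustration.

```python
import json
import re
from pathlib import Path

# Names from the summary above; registry per package is not stated, so check both.
SUSPECT_PACKAGES = {"graphalgo", "bigmathutils"}
SUSPECT_DOMAINS = {"codepool.cloud"}

def npm_names(text):
    """Names in package.json or package-lock.json (direct and transitive)."""
    doc = json.loads(text)
    names = set()
    for key in ("dependencies", "devDependencies", "optionalDependencies"):
        names.update(doc.get(key) or {})
    # Lockfile v2/v3 keys look like node_modules/a/node_modules/b
    names.update(p.rsplit("node_modules/", 1)[1]
                 for p in doc.get("packages") or {} if "node_modules/" in p)
    return names

def pip_names(text):
    """Requirement names from requirements*.txt, skipping comments and options."""
    found = (re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", ln.split("#")[0].strip())
             for ln in text.splitlines())
    return {m.group(0) for m in found if m}

def scan(files):
    """files maps relative path -> text; returns sorted (path, indicator) pairs."""
    hits = set()
    for path, text in files.items():
        name, names = path.rsplit("/", 1)[-1], set()
        if name in ("package.json", "package-lock.json"):
            names = npm_names(text)
        elif re.fullmatch(r"requirements.*\.txt", name):
            names = pip_names(text)
        hits |= {(path, n) for n in names if n.lower() in SUSPECT_PACKAGES}
        hits |= {(path, d) for d in SUSPECT_DOMAINS if d in text.lower()}
    return sorted(hits)

def load_repo(root):
    """Read a checkout into the mapping scan() expects; run before any install."""
    return {p.relative_to(root).as_posix(): p.read_text(errors="ignore")
            for p in Path(root).rglob("*") if p.is_file() and ".git" not in p.parts}

# Constructed sample: clean package.json, lockfile with a flagged transitive package.
SAMPLE = {
    "package.json": '{"dependencies": {"express": "^4.18.0"}}',
    "package-lock.json": '{"packages": {"": {}, "node_modules/express": {}, '
                         '"node_modules/express/node_modules/bigmathutils": {}}}',
    "api/requirements.txt": "flask==3.0.0\nGraphAlgo>=1.0  # pinned later\n-r base.txt\n",
}
```

`scan(load_repo("path/to/checkout"))` returns an empty list when none of the three indicators appear; an empty result says nothing about packages or hashes not named in this summary.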