Fake recruiter campaign targets crypto developers with RAT
Essential information
- Published: 13/04/2026 17:09
- Modified: 13/04/2026 16:23
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: bigmathex, bigmathix, bigmathlib, bigmathutils, bignum, bignumberx, bignumex, bignumx, bigpyx, blockchain, cryptocurrency targeting, fake recruitment, graphalgo, graphchain, graphdict, graphex, graphflowx, graphflux, graphhub, graphkitx, graphlibcore, graphlibx, graphlink, graphnet, graphnetworkx, graphnode, graphorbit, graphrix, graphsync, javascript developers
- Tags: 2026-04-13, bigmathex, bigmathix, bigmathlib, bigmathutils, bignum, bignumberx, bignumex, bignumx, bigpyx, blockchain, cryptocurrency targeting, fake recruitment, graphalgo, graphchain, graphdict, graphex, graphflowx, graphflux, graphhub, graphkitx, graphlibcore, graphlibx, graphlink, graphnet, graphnetworkx, graphnode, graphorbit, graphrix, graphsync, javascript developers, netstruct, north korea, npm packages, pypi packages, python developers, supply chain attack, terminal-kleur, terminalcolor256
- Related entities: 64 indicators, 64 observables, 1 intrusion set (APT), 18 techniques (MITRE), 29 malware, 4 others
Description
A sophisticated fake recruitment campaign named 'graphalgo' has been active since May 2025, targeting JavaScript and Python developers in the cryptocurrency sector. Attackers approach victims through LinkedIn, Facebook, and Reddit with fabricated job opportunities from fake blockchain companies such as Veltrix Capital. The campaign uses malicious dependencies hidden in npm and PyPI packages, delivered through coding-test repositories on GitHub. Notably, the bigmathutils package accumulated over 10,000 downloads before its malicious version was released. The operation deploys a remote access trojan (RAT) with token-protected C2 communication, file manipulation capabilities, and functionality to detect the MetaMask browser extension, indicating a focus on cryptocurrency theft. The campaign's modular design allows the threat actors to keep their backend infrastructure in place while easily replacing frontend elements (packages, repositories, and recruiter personas) once they are exposed.