Technical Analysis & Remediation
MITRE ATT&CK Mapping
Initial Access
T1190 (Exploit Public-Facing Application).
T1566 (Phishing - Spearphishing Link).
Execution
T1059 (Command and Scripting Interpreter) - via package.json scripts.
Persistence
T1543 (Create or Modify System Process).
Exfiltration
T1048 (Exfiltration Over Alternative Protocol).
Attack Vector & Kill Chain
Contact
Threat actors pose as recruiters on social platforms (LinkedIn, etc.), offering high-paying crypto/web3 roles.
The Lure
Candidates are given a "take-home assignment" hosted on a repository that requires installing specific dependencies.
Infection
The dependencies (graphalgo, graphflux, etc.) contain malicious install hooks (e.g., preinstall, postinstall) that execute immediately upon npm install or pip install.
Telemetry & IOCs (Hard Facts)
Malicious npm Packages
graphalgo (Versions: 2.2.8, 2.2.9)
graphflux (Version: 0.0.2)
graphflowx (Versions: 1.0.2, 1.0.3)
Malicious PyPI Package
graphnode (Version: 1.0.1)
Git Commit Hashes (Indicators of Compromise):
2283aefe0d59b37af0ce86465b0e770d0ffc364b
269ec49a563433993cd216ef5dddd0f923de97b7
20c4e927e172a60799c47f71cfaf6b5e82faba64
Payload Behavior
The malware typically uses a multi-stage loader. Upon installation, the package's install script fetches a secondary payload (the RAT) from a C2 server. This RAT is capable of command execution, file system enumeration, and stealing secrets such as:
Cryptocurrency wallet keys.
SSH keys.
Environment variables (AWS/Cloud credentials).
Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3)
DETECT (DE)
Command
Query SIEM/EDR for npm or pip processes spawning unusual child processes (e.g., cmd[.]exe, powershell[.]exe, curl, wget), particularly where the parent command originates from a node_modules directory.
Command
Scan all development repositories for package.json or requirements.txt files containing the specific package names listed above (graphalgo, graphflux, graphflowx, graphnode).
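As an added example (not part of the original advisory), the following Python scanner implements the second DETECT step: it flags the package names and versions listed above in a package.json or requirements.txt, and also reports any npm install hooks, since the Infection step identifies those as the execution point. The sample inputs are constructed for the demonstration.

```python
import json
import re

# Package indicators from the advisory above: name -> versions reported malicious.
MALICIOUS_NPM = {"graphalgo": {"2.2.8", "2.2.9"}, "graphflux": {"0.0.2"},
                 "graphflowx": {"1.0.2", "1.0.3"}}
MALICIOUS_PYPI = {"graphnode": {"1.0.1"}}


def _classify(name, version, indicators):
    """Exact match on a reported version, or the flagged name at some other version."""
    return "known-bad version" if version in indicators[name] else "flagged name, unlisted version"


def scan_package_json(text):
    """Return (name, spec, verdict) for flagged deps, then any npm install hooks present."""
    data = json.loads(text)
    findings = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in data.get(section, {}).items():
            if name in MALICIOUS_NPM:
                version = spec.lstrip("^~=v<>")  # strip common range prefixes
                findings.append((name, spec, _classify(name, version, MALICIOUS_NPM)))
    # Lifecycle hooks run arbitrary commands during `npm install`; surface them for review.
    for hook in ("preinstall", "install", "postinstall"):
        if hook in data.get("scripts", {}):
            findings.append(("scripts", hook, data["scripts"][hook]))
    return findings


def scan_requirements(text):
    """Return (name, version, verdict) for flagged entries in a requirements.txt."""
    spec_re = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:(?:==|>=|<=|~=|!=|>|<)\s*([^\s;,]+))?")
    findings = []
    for line in text.splitlines():
        m = spec_re.match(line.split("#", 1)[0].strip())  # ignore comments and blank lines
        if not m or m.group(1).lower() not in MALICIOUS_PYPI:
            continue
        name, version = m.group(1).lower(), m.group(2) or ""
        findings.append((name, version, _classify(name, version, MALICIOUS_PYPI)))
    return findings


# Constructed sample inputs (not taken from a real assignment repository).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "take-home-task",
    "dependencies": {"express": "4.18.2", "graphalgo": "^2.2.9"},
    "scripts": {"postinstall": "node setup.js"},
})
SAMPLE_REQUIREMENTS = "requests==2.31.0\ngraphnode==1.0.1  # graph helper\n"
```

Run both scanners over every manifest found by a repository walk; a "flagged name, unlisted version" verdict still warrants a look, since the version lists above are the ones reported at time of writing.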
RESPOND (RS)
Command
If these packages are found, isolate the developer endpoint immediately. Assume full compromise of credentials and session tokens on that machine.
Command
Credential Rotation: Force rotation of all secrets present on the infected machine (SSH keys, API tokens, Wallet seeds). Do not rotate these from the infected machine itself.
GOVERN (GV)
Command
Enforce a policy that all "take-home" coding tests must be performed in a sandbox environment (e.g., non-persistent VM, GitHub Codespaces) that is completely isolated from production networks and personal assets.
Remediation - THE HOME USER TRACK (Safety Focus)
Priority 1: Containment
Command
If you installed any of the packages listed above, disconnect your computer from the internet immediately. The RAT may still be active.
Priority 2: Asset Protection
Command
Assume your cryptocurrency wallets are compromised. From a different, clean device (like your phone on cellular data), move any remaining funds to a new cold wallet.
Command
Change passwords for your email and exchanges using a clean device.
Priority 3: Persistence Removal
Command
Since the malware establishes deep persistence, the safest course of action is a full system wipe (factory reset). Do not attempt to manually "clean" the files, as Lazarus malware often hides deep in system directories.
Hardening & References
Baseline
Restrict developer workstations from installing arbitrary external packages without going through a proxy or vulnerability scan (e.g., using a tool like Sonatype Nexus or Artifactory, with firewall rules that block direct access to public registries).
Reference
ReversingLabs (Original Source)