A new report details how a suspected North Korea–linked actor is using a familiar tactic—fake job interviews—to trick developers into executing malware.

## How the attack works

1. The actor creates fake companies and posts roles on platforms like LinkedIn, Reddit, and others.

2. Applicants are asked to run/debug a coding task repository.

3. The repository itself can appear clean, but it pulls in malicious dependencies from npm/PyPI.

4. Once executed, the malicious package chain installs a remote access trojan (RAT) that can run commands and steal data.

## What researchers found

- The campaign has been active since at least May 2025.

- ReversingLabs tied 192 malicious packages to the operation (dubbed “Graphalgo”).

- Some packages were benign until a later version introduced malicious behavior, then were deprecated/removed—likely to reduce visibility.

## Why it matters for web developers

This is a supply-chain attack aimed at individuals. If you run “take-home” code on your main workstation, you risk exposing tokens, SSH keys, browser sessions, and other secrets. The payload reportedly checks for crypto-wallet extensions like MetaMask, implying direct financial theft objectives.

## Practical defenses

- Run interview projects in isolated, disposable environments (VMs/containers) with minimal credentials.

- Audit dependencies and lockfiles; be suspicious of newly published packages and sudden version jumps.

- Rotate tokens and credentials if you executed untrusted “challenge” code.
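The lockfile audit described above can be partly automated. The following Python script is an added example, not code from the report or from ReversingLabs: it reads a `package.json` and a `lockfileVersion` 3 `package-lock.json`, then flags the signals the article names (a package first published only recently, a sudden major-version jump in the release that the lock resolves to) plus transitive packages the manifest never declared, which is how a clean-looking repository can pull in malicious code. The manifest, lockfile, registry metadata (publish dates) and the fixed "today" are constructed sample data so the script runs offline; a real audit would fetch the metadata from the registry.

```python
"""Audit an npm lockfile against registry publish metadata (added example).

Signals flagged, following the article's advice:
  * package first published within NEW_PACKAGE_DAYS of the audit date
  * major version jumping by two or more in a single release
  * dependencies resolved in the lock but never declared in package.json
"""
import json
import re
from datetime import date

# Constructed sample manifest (not a real interview repository).
PACKAGE_JSON = json.dumps({
    "name": "interview-task",
    "dependencies": {"express": "^4.18.0", "graph-utils-demo": "^1.0.0"},
})

# Constructed sample lockfile in the lockfileVersion 3 layout.
PACKAGE_LOCK = json.dumps({
    "name": "interview-task",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"express": "^4.18.0", "graph-utils-demo": "^1.0.0"}},
        "node_modules/express": {"version": "4.19.2"},
        "node_modules/graph-utils-demo": {"version": "1.0.4"},
        # transitive dependency that the manifest never mentions
        "node_modules/algo-helper-demo": {"version": "3.2.0"},
    },
})

# Constructed stand-in for registry metadata: first-publish date per package
# and publish date per version. Real values would come from the registry API.
REGISTRY = {
    "express": {"created": "2010-12-29", "versions": {"4.19.2": "2024-03-25"}},
    "graph-utils-demo": {"created": "2025-09-01",
                         "versions": {"1.0.3": "2025-09-10", "1.0.4": "2025-09-20"}},
    "algo-helper-demo": {"created": "2025-09-18",
                         "versions": {"1.0.0": "2025-09-18", "3.2.0": "2025-09-19"}},
}

TODAY = date(2025, 10, 1)   # fixed so the example is reproducible offline
NEW_PACKAGE_DAYS = 60       # "newly published" threshold (assumed policy value)
MAJOR_JUMP = 2              # major-version delta treated as a sudden jump


def parse_semver(version):
    """Return (major, minor, patch) for a plain semver string."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unsupported version string: {version}")
    return tuple(int(x) for x in m.groups())


def resolved_packages(lock_text):
    """Map package name -> resolved version from a lockfileVersion 3 lock."""
    lock = json.loads(lock_text)
    resolved = {}
    for path, meta in lock["packages"].items():
        if not path:            # "" is the root project itself
            continue
        # rsplit handles nested node_modules and keeps @scope/name intact
        name = path.rsplit("node_modules/", 1)[1]
        resolved[name] = meta["version"]
    return resolved


def audit(package_json_text, lock_text, registry, today=TODAY):
    """Return a list of (package, reason) findings for the given lockfile."""
    declared = set(json.loads(package_json_text).get("dependencies", {}))
    findings = []
    for name, version in sorted(resolved_packages(lock_text).items()):
        meta = registry.get(name)
        if meta is None:
            findings.append((name, "no registry metadata available"))
            continue
        if name not in declared:
            findings.append((name, "transitive: not declared in package.json"))
        created = date.fromisoformat(meta["created"])
        age = (today - created).days
        if age <= NEW_PACKAGE_DAYS:
            findings.append((name, f"package first published {age} days ago"))
        # compare the resolved release with the one published just before it
        history = sorted(meta["versions"], key=parse_semver)
        if version in history and history.index(version) > 0:
            prev = parse_semver(history[history.index(version) - 1])
            cur = parse_semver(version)
            if cur[0] - prev[0] >= MAJOR_JUMP:
                findings.append((name, f"major version jump {prev[0]} -> {cur[0]} "
                                       f"in one release ({history[history.index(version) - 1]} -> {version})"))
    return findings


if __name__ == "__main__":
    for pkg, reason in audit(PACKAGE_JSON, PACKAGE_LOCK, REGISTRY):
        print(f"[!] {pkg}: {reason}")
```

Run it as-is and the long-lived `express` entry produces no finding, while the two constructed packages are reported for recent creation, an undeclared transitive pull-in and a 1 -> 3 major jump. Point it at a real interview repository by loading the two files from disk and replacing `REGISTRY` with metadata fetched from the registry; the thresholds are policy choices and should be tuned to taste.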