Fake recruiter campaign targets crypto developers with RAT

A sophisticated fake recruitment campaign named 'graphalgo' has been active since May 2025, targeting JavaScript and Python developers in the cryptocurrency sector. Attackers approach victims through LinkedIn, Facebook, and Reddit with fabricated job opportunities from fake blockchain companies like Veltrix Capital. The campaign uses malicious dependencies hidden in npm and PyPI packages, delivered through coding test repositories on GitHub. Notable is the bigmathutils package that accumulated over 10,000 downloads before its malicious version was released. The operation deploys a remote access trojan (RAT) with token-protected C2 communication, file manipulation capabilities, and functionality to detect the Metamask browser extension, indicating focus on cryptocurrency theft. The modular campaign design allows threat actors to maintain backend infrastructure while easily replacing compromised frontend elements.

Pulse ID: 69dd073f50edefa3e44adec6
Pulse Link: https://otx.alienvault.com/pulse/69dd073f50edefa3e44adec6
Pulse Author: AlienVault
Created: 2026-04-13 15:09:51

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BlockChain #Browser #CyberSecurity #Facebook #GitHub #InfoSec #Java #JavaScript #LinkedIn #NPM #OTX #OpenThreatExchange #PyPI #Python #RAT #RemoteAccessTrojan #Trojan #bot #cryptocurrency #developers #AlienVault