VulnHub

Real-time Cybersecurity News

Lazarus Campaign Plants Malicious Packages in npm and PyPI Ecosystems

The Hacker News
Actively Exploited
Malware

Overview

Researchers have identified a series of malicious packages in both the npm and Python Package Index (PyPI) repositories, linked to a recruitment-themed campaign by the Lazarus Group, which is associated with North Korea. This operation, dubbed graphalgo, reportedly began in May 2025, aiming to trick developers into downloading harmful software disguised as legitimate packages. The malicious payloads can compromise user systems and potentially lead to data theft or other cybercrimes. Developers using these package repositories should be particularly cautious and verify the authenticity of packages before installation, as this incident emphasizes the ongoing risks associated with open-source software ecosystems. Awareness and vigilance are crucial for maintaining security in the software development community.

Key Takeaways

  • Active Exploitation: This vulnerability is being actively exploited by attackers. Immediate action is recommended.
  • Affected Systems: npm packages, Python Package Index (PyPI) packages
  • Action Required: Developers should verify the authenticity of packages before installation and monitor for any unusual activity in their environments.
  • Timeline: Ongoing since May 2025

Original Article Summary

Cybersecurity researchers have discovered a fresh set of malicious packages across npm and the Python Package Index (PyPI) repository linked to a fake recruitment-themed campaign orchestrated by the North Korea-linked Lazarus Group. The coordinated campaign has been codenamed graphalgo in reference to the first package published in the npm registry. It's assessed to be active since May 2025. "

Impact

npm packages, Python Package Index (PyPI) packages

Exploitation Status

This vulnerability is confirmed to be actively exploited by attackers in real-world attacks. Organizations should prioritize patching or implementing workarounds immediately.

Timeline

Ongoing since May 2025

Remediation

Developers should verify the authenticity of packages before installation and monitor for any unusual activity in their environments.

Additional Information

This threat intelligence is aggregated from trusted cybersecurity sources. For the most up-to-date information, technical details, and official vendor guidance, please refer to the original article linked below.

Related Topics: This incident relates to Malware.

Read Original Article

Related Coverage

New ZionSiphon Malware Discovered Targeting Israeli Water Systems

Hackread – Cybersecurity News, Data Breaches, AI and More

Researchers from Darktrace have discovered a new malware strain called ZionSiphon that specifically targets water treatment facilities in Israel. This malware poses a significant risk to the operational technology (OT) systems that manage water resources, potentially disrupting essential services. The identification of ZionSiphon raises alarms about the security of critical infrastructure, particularly in regions that may be vulnerable to cyberattacks. The malware's focus on water systems indicates a troubling trend where attackers are increasingly aiming at vital public utilities. This incident underscores the need for heightened cybersecurity measures in the OT sector to protect against such targeted threats.

Apr 17, 2026

Recent Apache ActiveMQ Vulnerability Exploited in the Wild

SecurityWeek

A remote code execution vulnerability, identified as CVE-2026-34197, was discovered in Apache ActiveMQ in early April. This vulnerability allows attackers to execute arbitrary code on affected systems, posing a significant risk to organizations using this messaging platform. As of now, it has been actively exploited in the wild, which raises concerns for users who have not yet applied necessary security measures. Companies that rely on Apache ActiveMQ should prioritize updating their systems to mitigate the risk of this vulnerability. The situation underscores the need for ongoing vigilance in maintaining software security to protect sensitive data and infrastructure from potential breaches.

Apr 17, 2026

CISA flags Apache ActiveMQ flaw as actively exploited in attacks

BleepingComputer

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a significant vulnerability in Apache ActiveMQ that is currently being exploited by attackers. This flaw, which had remained undetected for 13 years, was patched earlier this month. ActiveMQ, widely used for messaging in enterprise applications, is at risk, meaning organizations that rely on this software could be compromised if they haven't applied the recent update. The urgency of the situation is underscored by the fact that attackers are actively leveraging this vulnerability, making it crucial for users to take immediate action to secure their systems. Companies using ActiveMQ should prioritize updating to the latest version to protect against potential intrusions.

Apr 17, 2026

Two North Korean IT Worker Scheme Facilitators Jailed in the US

SecurityWeek

Kejia Wang and Zhenxing Wang, two individuals linked to North Korea, have been sentenced in the United States for their roles in a scheme that exploited the identities of numerous Americans. They helped place North Korean IT workers into jobs at over 100 companies, using the compromised identities to facilitate these placements. This case highlights ongoing concerns about North Korean cyber operations and the lengths to which some will go to circumvent international sanctions. The actions of Wang and Wang not only affect the integrity of the job market but also raise alarms about national security, as these workers may have been employed in sensitive roles. Their sentencing serves as a reminder of the persistent threat posed by state-sponsored cyber activities.

Apr 17, 2026

Inside ZionSiphon: politically driven malware aims at Israeli water systems

Security Affairs

A new malware called ZionSiphon has been identified, specifically targeting water treatment and desalination systems in Israel. This malware is designed to disrupt operations by manipulating hydraulic pressure and increasing chlorine levels to dangerous levels. Although the malware poses a significant threat to water safety and infrastructure, researchers from Darktrace have found a flaw that currently makes it ineffective. The potential for such malware to cause real harm underscores the vulnerabilities present in critical infrastructure systems. As this type of politically motivated cyberattack emerges, it raises concerns about the security of essential services worldwide.

Apr 17, 2026

ZionSiphon Malware Targets ICS in Water Facilities

SecurityWeek

A new malware known as ZionSiphon is specifically designed to target industrial control systems (ICS) at water facilities in Israel. This malware is aimed at water treatment and desalination plants, posing a significant risk to critical infrastructure. The targeting of such facilities raises serious concerns about the potential disruption of essential services and the safety of water supplies. As cyber threats to critical infrastructure continue to evolve, this incident serves as a reminder of the vulnerabilities faced by essential services in maintaining security against cyber attacks. Organizations operating these facilities need to enhance their cybersecurity measures to protect against such targeted threats.

Apr 17, 2026