#LazarusGroup

MONDAY | 6 APRIL 2026 | Cybersecurity Report

#CyberFM #CyberSecurity #TechNews #CryptoHack #Ransomware #DataBreach #LazarusGroup #Infosec #DigitalFrontline #RSSH #NewYorkTech #BreakingNews2026 #PrivacyMatters

0 0 0 0
Original post on mastodon.social

Hackers associated with North Korea have compromised Axios, a widely used JavaScript library.

Axios is published and maintained on npm, the default package registry for JavaScript and Node.js projects. It is used to send requests between applications and web services and is one of the world’s […]

0 2 0 1
Preview
North Korea’s Lazarus Group Behind the Axios npm Supply Chain Attack A supply chain attack inserted a malicious dependency, plain-crypto-js, into axios npm releases (1.14.1 and 0.30.4) on March 31, using a postinstall hook that executed an obfuscated dropper (tracked as SILKBELL) to deploy platform-specific payloads. Multiple threat intelligence firms (GTIG, Mandiant, ThreatBook) attributed the campaign to North Korea’s Lazarus Group/UNC1069, which...

North Korea’s Lazarus Group compromised Axios npm releases on March 31 by inserting a malicious dependency plain-crypto-js with a postinstall hook deploying the SILKBELL dropper and WAVESHAPER.V2 backdoor. #NorthKorea #SupplyChain #LazarusGroup

0 0 0 0
Preview
What is the Lazarus group? - Negative PID At the beginning of December 2025, some of the members of the Lazarus group were caught on camera while conducting infiltration through a fake-job scheme. But

What is the Lazarus group?

negativepid.blog/wha...

#lazarus #cyberwarfare #organizedCrime #stateSponsoredCrime #cyberUnits #LazarusGroup #hackers #onlineRecruitment #Cybersecurity #cyberattacks #cyberThreats #onlineSecurity #negativepid

0 0 0 0
Preview
North Korea's Cyber Arm Sets Sights on Hospitals and Universities Cisco Talos uncovers Dohdoor, a new North Korea-linked backdoor targeting US healthcare and education since December 2025, with warnings for Australian institutions.

North Korea's Cyber Arm Sets Sights on Hospitals and Universities

#Cybersecurity #NorthKorea #LazarusGroup #Ransomware #CyberThreats #AusNews

thedailyperspective.org/article/2026-03-01-north...

0 0 0 0
Preview
Lazarus Group targets healthcare orgs with Medusa ransomware: New ransomware of choice, same critical targets

#NorthKorea's #LazarusGroup targets #healthcare orgs with #Medusa #ransomware
www.theregister.com/2026/02/24/n...

Adds another tool to its kit in ongoing extortion attacks.
#CyberCrime #ThreatIntelligence

0 0 0 0

North Korea's Lazarus Group escalates cyberattacks, deploying Medusa ransomware against Middle East and U.S. healthcare sectors. #CyberSecurity #Ransomware #LazarusGroup #MedusaRansomware Link: thedailytechfeed.com/lazarus-grou...

0 0 0 0

Lazarus Group uses the Medusa ransomware to attack organizations

📌 Link to the article: www.redhotpotato.com/post/laz...

#redhotpotato #news #potatosecurity #mashing #malware #ransomware #lazarusgroup #medusa #coreadelnord

0 0 0 0

Lazarus Group uses the Medusa ransomware to attack organizations

📌 Link to the article: www.redhotcyber.com/post/laz...

#redhotcyber #news #cybersecurity #hacking #malware #ransomware #lazarusgroup #medusa #coreadelnord

0 0 0 0

Lazarus Deploys Medusa In Health Hacks
Read More: buff.ly/mtrH0iI

#LazarusGroup #MedusaRansomware #NorthKoreaCyber #HealthcareSecurity #RansomwareAsAService #NationStateThreat #CyberEspionage #ThreatIntel

0 0 0 0
Preview
Fraudulent Recruiters Target Developers with Malicious Coding Tests

If a software developer is accustomed to receiving unsolicited messages offering lucrative remote employment opportunities, the initial approach may appear routine: a brief introduction, a well-written job description, and an invitation to complete a small technical exercise. Nevertheless, behind the recent waves of such outreach lies a sophisticated operation.

During the investigation, investigators discovered a new version of the long-running fake recruiter campaign linked to North Korean threat actors. This campaign now targets JavaScript and Python developers with cryptocurrency-themed assignments. Since at least May 2025 it has had a deliberate, modular design that makes it possible for operators to rapidly rebuild and redeploy infrastructure when parts of the campaign are exposed or dismantled. Several malicious packages were quietly published to the NPM and PyPI ecosystems, which developers utilize in routine work processes.

Once executed within a developer's environment, the packages serve as downloaders that discreetly retrieve a remote access trojan. Researchers have compiled 192 packages associated with the campaign, which they have labeled Graphalgo, confirming the threat's scale and persistence.

It has been determined that the operation is more than just opportunistic phishing and represents a carefully orchestrated social engineering campaign incorporated into legitimate hiring processes. An impersonator poses as a recruiter from an established technology company, initiating communication through professional networking platforms and via email with job descriptions, technical prerequisites, and compensation information aligned with market trends. By cultivating trust over a number of exchanges, the operators resemble the cadence and tone of authentic recruitment cycles without relying on urgency or alarm.

Following the establishment of legitimacy, they implement a coding assessment, typically a compressed archive, designed to provide a standard measure of the candidate's ability to solve problems or develop blockchain-related applications. In addition, the files provided contain embedded malware that is designed to execute once the developer tries to review or run the project locally. Using routine practices such as cloning repositories, installing dependencies, and executing test scripts, the attackers were able to circumvent conventional suspicion triggers associated with unsolicited attachments.

The strategy demonstrates a deep understanding of developer behavior, technical interview conventions, and the implicit trust derived from structured hiring processes, according to researchers. In several observed cases, execution of the malicious project components enabled unauthorized system access, resulting in credential harvesting, lateral movement, and the possible exposure of proprietary source code and corporate infrastructure.

A key component of the campaign's success is not exploiting software vulnerabilities, but rather manipulating professional norms, transforming recruitment itself into a delivery channel for compromise. Several ReversingLabs researchers have determined that the infrastructure supporting the campaign is intended to mirror legitimate activity within the blockchain and crypto-trading industries. Threat actors establish fictitious companies, post detailed job postings on professional and social platforms such as LinkedIn, Facebook, and Reddit, and request candidates to complete technical assignments as part of the simulated interview process. The tasks are usually similar to routine coding evaluations, where candidates clone repositories, execute projects locally, resolve minor bugs, and submit improvements.

Nevertheless, the critical objective is not the solution submitted, but the process of executing it. When running a project, a malicious dependency sourced from trusted ecosystems such as npm and PyPI is installed, thus allowing the payload to be introduced indirectly through dependency resolution processes. As investigators point out, the process of assembling such repositories is straightforward: a legitimate open-source template is modified to reference a compromised or weaponized package, after which the project appears technically sound and professionally structured. For example, a benign package called "bigmathutils," which had accumulated approximately 10,000 downloads, had malicious functionality introduced in version 1.1.0. The package was deprecated and removed soon thereafter, a maneuver likely intended to limit forensic visibility.

A more extensive campaign was later developed, dubbed Graphalgo for its frequent use of packages containing the term "graph" and their imitation of well-established libraries such as graphlib. Researchers have observed a shift to package names that include the word "big" since December 2025, although there has not been a comprehensive identification of the recruitment infrastructure associated with that phase. As a means of giving structural legitimacy to their operations, the actors use GitHub Organizations. The visible project files of the GitHub repositories do not contain any overtly malicious code. Instead, compromise occurs when external dependencies (Graphalgo packages retrieved from npm or PyPI) are resolved, thus separating the malicious logic from the repository and making detection more challenging. By executing the projects as instructed, developers inadvertently install a remote access trojan on their computer systems.

Analysis of the malware indicates it is capable of enumerating processes, executing arbitrary commands via command-and-control channels, exfiltrating data and delivering secondary payloads. A clear financial motive associated with cryptocurrency asset theft is also evident from the fact that the RAT checks for the MetaMask browser extension. According to researchers, multiple developers were successfully compromised before the activity was discovered, demonstrating the operational effectiveness of embedding malicious logic within trusted mechanics in software development workflows.

According to a technical examination of the later infection stages, the intermediate payloads serve mainly as downloaders, retrieving the final remote access trojan from the attacker's infrastructure. Upon deployment, the RAT communicates periodically with its command-and-control server, polling it for tasking and executing the instructions given by the operator. The tool has a feature set that is consistent with mature post-exploitation tools: file uploading and downloading capabilities, process enumeration, and execution of arbitrary system commands. Additionally, communications with the C2 endpoint are token-protected, requiring a valid server-issued token when registering an agent or issuing a command. It is believed that this additional authentication layer serves to restrict unsolicited interaction with the infrastructure and reflects operational discipline previously observed in North Korean state-backed campaigns. In addition to detecting the MetaMask browser extension, the malware demonstrates a clear interest in crypto assets, aligning with financial motivations historically linked to Pyongyang-aligned groups.

As part of their investigation, researchers identified three functionally equivalent variants of the final payload implemented in various languages. JavaScript and Python versions were distributed through malicious packages hosted on npm and PyPI, while a third variant, written in Visual Basic Script, was found independently. As first noted in early February 2026, the VBS sample (SHA1 dbb4031e9bb8f8821a5758a6c308932b88599f18) communicates with the same C2 infrastructure associated with earlier "graph"-named packages. This suggests a parallel or yet to be identified recruitment frontend is part of the broader operation.

North Korean activity in public open-source ecosystems has been documented in a number of cases. VMConnect, an operation later so named and attributed to the Lazarus Group, was detected by ReversingLabs in 2023 and involved malicious PyPI impersonation operations. The attack involved weaponized packages linked to convincing GitHub repositories that reinforced trust before delivering malware from attacker infrastructure. A year later, researchers observed the VMConnect tradecraft continuing, this time incorporating fabricated coding assessments associated with fraudulent job interviews. In some instances, the actors assumed the identity of Capital One, further demonstrating their willingness to appropriate established corporate identities to legitimize outreach.

Other security firms have confirmed the pattern through their reports. As of 2023, Phylum provided information about NPM malware campaigns that utilize token-based mechanisms and paired packages to avoid detection, while Unit 42 provided information about the methods North Korean state-sponsored actors used to distribute multi-stage malware through developer ecosystems. In Veracode's and Socket's disclosures during 2024 and 2025, further npm packages attributed to Lazarus-related activity were also identified, including second-stage payloads that erased forensic evidence upon execution of the package.

In the present campaign, attribution is based on a convergence of technical and operational indicators rather than a single artifact. Methodologies such as using fake interviews to gain access, cryptocurrency-themed lures, multistage payload chains layered with obfuscation, and deliberately delaying the release of benign and malicious package versions are similar to previously documented Lazarus methods. Moreover, token-protected C2 communications and Git commit timestamps aligned with GMT+9, North Korea's time zone, provide contextual alignment. These characteristics suggest a coordinated, state-sponsored effort rather than opportunistic cybercrime.

Researchers cite the modular architecture of the campaign as a significant strength. By separating recruitment personas from backend payload infrastructure, operators can rotate company names, job postings, and thematic branding without altering core delivery mechanisms. Although a direct link has been established between "graph"-named packages and specific blockchain-based job offerings, the frontend elements for the newer "big"-named packages and the VBS RAT variant have not yet been identified in detail. This gap indicates that elements of the operation likely remain active and evolving.

As part of its investigation, ReversingLabs analyzed the Graphalgo activity and compiled an extensive set of indicators of compromise linked to the operation, including malicious package names, hashes, domains, and C2 endpoints. These artifacts are crucial in assisting organizations with detection and incident response, since they enable them to identify exposures within development environments and software supply chains.

The persistence of Lazarus-related operations across NPM and PyPI underscores a broader reality: open-source ecosystems remain strategically valuable target surfaces, while recruitment-themed social engineering has evolved into an extremely sophisticated intrusion vector capable of bypassing conventional defense measures. These findings underscore the importance of reassessing the implicit trust placed in external code and recruitment-driven processes among development teams.

Besides email filtering and endpoint protection, security controls should include rigorous dependency monitoring, sandboxing of third-party projects, and stricter verification of unsolicited technical assessments. Organizations should implement software composition analysis, enforce least-privilege development environments, and monitor anomalous outbound connections originating from build systems or developer workstations. Awareness programs must also be updated to address recruitment-themed social engineering, which combines professional credibility with technical deception in order to achieve effective recruitment results. Threat actors are continuing to adapt their tactics to mimic legitimate industry practices, which is why defensive strategies should mature as well, treating development environments and open-source dependencies as critical security boundaries rather than mere conveniences.

Fraudulent Recruiters Target Developers with Malicious Coding Tests #cryptocurrency #FakeRecruiterScam #LazarusGroup

0 0 0 0
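Added example (not code from the post, from ReversingLabs, or from the Axios project): a pre-install triage of a "coding test" repository's package.json that reports the red flags the post above and the Axios post earlier in this feed describe: lifecycle hooks such as postinstall, the compromised axios releases 1.14.1 and 0.30.4, the injected plain-crypto-js dependency, and look-alike names imitating libraries such as graphlib. The sample manifest, the POPULAR list and the graphlib-algo name are constructed for illustration.

```python
"""Pre-install triage of a cloned JavaScript project's package.json.

Nothing is installed or executed; the manifest is only parsed and the red
flags named in the posts above are reported. Range specifiers such as ^1.14.0
resolve at install time, so a lockfile check is still needed for those.
"""
import difflib
import json
import re

# Values taken from the posts: the compromised axios releases and the
# dependency that was injected into them.
KNOWN_BAD_VERSIONS = {"axios": {"1.14.1", "0.30.4"}}
KNOWN_BAD_PACKAGES = {"plain-crypto-js"}
# npm runs these automatically during `npm install`; a postinstall hook was
# the execution vector in the Axios incident.
LIFECYCLE_SCRIPTS = ("preinstall", "install", "postinstall", "prepare")
# Illustrative (constructed) list of well-known libraries that look-alike
# names imitate (the Graphalgo packages mimicked graphlib); extend for your stack.
POPULAR = ["graphlib", "lodash", "axios", "express", "chalk", "big.js"]


def pinned_version(spec):
    """Return the bare version when spec is an exact pin, else None."""
    return spec if re.fullmatch(r"\d+\.\d+\.\d+", spec) else None


def lookalike(name, popular=POPULAR):
    """Return the popular library `name` most resembles, or None."""
    for match in difflib.get_close_matches(name, popular, n=3, cutoff=0.7):
        if match != name:          # an exact match is the real library
            return match
    return None


def triage(manifest):
    """Return a list of (category, detail) findings for one package.json."""
    findings = []
    scripts = manifest.get("scripts", {})
    for hook in LIFECYCLE_SCRIPTS:
        if hook in scripts:
            findings.append(("lifecycle-script", f"{hook}: {scripts[hook]}"))
    deps = {**manifest.get("dependencies", {}),
            **manifest.get("devDependencies", {})}
    for name, spec in deps.items():
        if name in KNOWN_BAD_PACKAGES:
            findings.append(("known-bad-package", name))
        version = pinned_version(spec)
        if version and version in KNOWN_BAD_VERSIONS.get(name, ()):
            findings.append(("known-bad-version", f"{name}@{version}"))
        elif name in KNOWN_BAD_VERSIONS and version is None:
            # A range could still resolve to a bad release; verify the lockfile.
            findings.append(("unpinned-watchlist", f"{name}@{spec}"))
        like = lookalike(name)
        if like:
            findings.append(("lookalike-name", f"{name} resembles {like}"))
    return findings


# Constructed sample "coding test" manifest; graphlib-algo is a made-up
# look-alike name, not a real package from the report.
SAMPLE_MANIFEST = json.loads("""{
  "name": "trading-bot-assessment",
  "scripts": {"test": "jest", "postinstall": "node ./setup.js"},
  "dependencies": {
    "axios": "1.14.1",
    "plain-crypto-js": "^1.0.0",
    "graphlib-algo": "^2.1.0",
    "express": "^4.19.2"
  }
}""")

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_MANIFEST):
        print(f"[{category}] {detail}")
```

Run it against a cloned assessment before `npm install`; any lifecycle-script or known-bad finding is a reason to open the project only in a disposable sandbox, as the post recommends.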

Alert: The Lazarus Group's 'Graphalgo' campaign targets cryptocurrency developers via fake job offers, exploiting GitHub, npm, and PyPI to distribute malware. Stay vigilant! #CyberSecurity #LazarusGroup #Graphalgo #Cryptocurrency #Malware Link: thedailytechfeed.com/lazarus-grou...

0 0 0 0

Alert: The Lazarus Group's 'graphalgo' campaign infiltrates npm and PyPI with malicious packages via fake recruitment schemes. Developers, stay vigilant! #CyberSecurity #SupplyChainAttack #LazarusGroup Link: thedailytechfeed.com/lazarus-grou...

0 0 0 0
Preview
The APTs That Defined 2025 How State-Aligned Threat Actors Shaped the Global Cyber Battlefield

The APTs That Defined 2025 open.substack.com/pub/malwhere...

#APT #China #Russia #DPRK #Iran #ThreatIntel #CyberSecurity #SaltTyphoon #FlaxTyphoon #MustangPanda #APT17 #APT28 #APT29 #Sandworm #LazarusGroup #Kimsuky #APT42

0 0 0 0

North Korea's Lazarus Group targets developers with fake job interviews, deploying malware via malicious fonts. Stay vigilant! #CyberSecurity #LazarusGroup #MalwareAlert Link: thedailytechfeed.com/north-korean...

0 0 0 0
North Korean Hackers Lure Developers with Fake Job Interviews, Backdoor macOS via VS Code North Korean threat actors (Lazarus Group) are targeting developers with a

North Korean hackers' 'Contagious Interview' campaign targets macOS developers using malicious VS Code projects on GitHub. Fake job offers lead to backdoors via trusted IDE features. 👨‍💻⚠️ #LazarusGroup #macOS #InfoSec #SupplyChain

0 0 0 0
That's So Fortinet (Happy Birthday 2025 Edition)
That's So Fortinet (Happy Birthday 2025 Edition) YouTube video by UwU Underground - Topic

#Fortinet second hand slam,
one hand nail filing gotta be worth a,
worth a #AI remix
so low, so trix
20 25 ya ya AI B-day bish mix
apostrophe an apostle's apogee fix,
yaba sik hix dix pix with bics mach nix,
ana tixs brixs six x x quix.
#LazarusGroup
#UwU-Underground
youtu.be/tonUsY1Mj70?...

0 0 0 0

Darktrace has linked a newly observed BeaverTail malware variant to North Korean (DPRK) threat clusters tied to the Lazarus Group. Targets include crypto traders, developers, and retail employees—pointing to both financial theft and espionage. #CyberSecurity #DPRK #LazarusGroup #Malware

0 0 1 0

New research uncovers extensive infrastructure used by North Korean cyber groups Lazarus and Kimsuky, revealing advanced malware and consistent attack patterns. Stay vigilant. #CyberSecurity #LazarusGroup #Kimsuky Link: thedailytechfeed.com/north-korean...

1 0 0 0

North Korean hackers escalate global crypto theft to $2.02B in 2025, accounting for 76% of all stolen funds. #CyberSecurity #Cryptocurrency #NorthKorea #LazarusGroup #CryptoTheft Link: thedailytechfeed.com/north-korean...

2 0 0 0
Preview
How to Use MCP to Optimize Your Graylog Security Detections Use Model Context Protocol (MCP) with Graylog to turn threat intelligence into prioritized, actionable security detections in seconds.

Is your #finserv institution as safe as it could be from #ransomware & other #cyberthreats? Groups like #FIN7, #LazarusGroup & #Carbanak often target #banks with attacks like SWIFT compromises. 🏦

But have no fear, #Graylog + Model Context Protocol are here to help! 🦸 💪

graylog.org/post/how-to-...

1 0 0 1

"Researchers Capture Lazarus APT's Remote-Worker Scheme Live on Camera"

#CyberSecurity #LazarusGroup #LaptopFarms #ITrecruitment #Pattern ... thehackernews.com/2025/12/rese...

1 0 0 0

Unveiling the Lazarus Group's covert infiltration tactics: Live surveillance captures North Korean operatives embedding into Western firms via identity theft and AI-driven job automation. #CyberSecurity #LazarusGroup #ThreatIntel Link: thedailytechfeed.com/researchers-...

1 0 0 0

Cybersecurity experts expose Lazarus Group's remote-worker infiltration tactics. Learn how to protect your organization from identity-based threats. #CyberSecurity #LazarusGroup #RemoteWork Link: thedailytechfeed.com/lazarus-grou...

0 0 0 0
Preview
North Korea lures engineers to rent identities in fake IT worker scheme In an unprecedented intelligence operation, security researchers exposed how North Korean IT recruiters target and lure developers into renting their identities for illicit fundraising.

North Korea lures engineers to rent identities in fake IT worker scheme
#NorthKorea #LazarusGroup #dprk

0 0 0 0
Preview
N. Korean hacking group Lazarus behind 31 attacks over past year - Yes Punjab News Lazarus Group is linked to 31 cyberattacks and suspected in Upbit’s ₩45B crypto breach, according to a new AhnLab report.

N. Korean hacking group Lazarus behind 31 attacks over past year yespunjab.com?p=187038

#LazarusGroup #CyberAttack #UpbitHack #NorthKoreaHacking #AhnLab #Kimsuky #CryptoSecurity #BlockchainSecurity #SouthKorea #APTGroup #CyberThreats #CryptoNews

2 0 0 0

BREAKING: Upbit hit by a $30M hack — and investigators say the fingerprints match North Korea’s Lazarus Group again.

Solana assets drained. Transactions frozen. Users to be reimbursed.

Nation-state hacking is the new crypto threat. 👀🔥
#CryptoNews #UpbitHack #LazarusGroup #CyberSecurity #SolanaHack

0 0 0 0
Preview
Upbit Hacked For $30M, Suspected Lazarus Group Attack Sparks Security Alarms - Upbit has been hacked for $30M in crypto, reportedly by the Lazarus Group. Over 20 tokens stolen as the exchange pledges full user compensation and tighter security.

Upbit has been hacked for $30M in crypto, with authorities suspecting the Lazarus Group.
#UpbitHack #CryptoSecurity #LazarusGroup #Solana #UPbit

cryptosnewss.com/upbit-hacked...

0 0 0 0

Alert: The Lazarus Group has unveiled ScoringMathTea, a sophisticated RAT targeting UAV tech firms. Stay vigilant against advanced cyber threats. #CyberSecurity #LazarusGroup #ScoringMathTea Link: thedailytechfeed.com/lazarus-grou...

1 1 0 0
Preview
Australia Strikes Back: Sanctions Target Lazarus Group Over $1.9B Crypto Heist - Crypto Economy Australia has taken firm action against North Korean state-linked hackers following a series of high-profile cryptocurrency thefts that affected fintech

💣 Australia targets Lazarus Group in crypto theft crackdown

Australia hits the Lazarus Group with sanctions after the group stole around $1.9 billion in crypto assets.

#LazarusGroup #Crypto #Sanctions #Security #Australia

0 0 0 0