Topics: Malware, Security Operations, Threat Intelligence, Phishing

Lazarus Group exploits npm and PyPI with fake recruitment campaign

February 13, 2026
By SC Staff

As reported by The Hacker News, a sophisticated, multi-pronged attack campaign has been uncovered that targets developers through malicious packages on npm and the Python Package Index (PyPI). The campaign, attributed to the North Korea-backed Lazarus Group, uses a fake recruitment theme to lure victims.

The operation, codenamed "graphalgo," began in May 2025. The threat actors impersonate recruiters on platforms such as LinkedIn, Facebook, and Reddit, offering fake job opportunities at fictitious blockchain and cryptocurrency companies, such as Veltrix Capital. Developers are enticed to download code for a skills assessment, and that code contains malicious dependencies hosted on npm and PyPI. Packages like "bigmathutils" on npm saw over 10,000 downloads before malicious versions were introduced.

The packages deploy a remote access trojan (RAT) capable of stealing system information, manipulating files, and exfiltrating data. The RAT uses a token-based mechanism for command-and-control (C2) communication, a technique previously observed in campaigns linked to Jade Sleet. The malware also checks for the presence of the MetaMask browser extension, indicating a focus on cryptocurrency theft.

Source: The Hacker News
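The practical defender-side check this report points to is auditing a take-home assessment repository before anything in it is installed: malicious dependencies only pay off once `npm install` or `pip install` runs them. The script below is an added example, not code from the article or from the researchers who reported the campaign. It reads a project's `package.json` and `requirements.txt`, flags npm lifecycle hooks that execute automatically on install, dependencies whose names appear on a watchlist (here only "bigmathutils", the one name the article gives), dependencies pulled from outside the public registry, unpinned version ranges, and pip options that redirect where packages are fetched from. Both sample manifests, the "^1.0.0" version string and the `pypi.example.invalid` index URL are constructed for the example.

```python
import json
import re

# Package name taken from the article. Illustrative watchlist only; in practice
# populate it from your own threat-intelligence feed.
WATCHLIST = {"bigmathutils"}

# npm lifecycle hooks that run automatically during `npm install`.
NPM_LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# pip options that change where packages come from (dependency-confusion risk)
# or execute a local setup.py via an editable install.
RISKY_PIP_OPTIONS = ("--index-url", "-i", "--extra-index-url",
                     "--find-links", "-f", "-e", "--editable")


def _is_pinned_npm(spec: str) -> bool:
    """An exact semver string is pinned; ranges, tags, URLs and "*" are not."""
    return re.fullmatch(r"\d+\.\d+\.\d+", spec.strip()) is not None


def audit_package_json(text: str) -> list:
    """Return (category, subject, detail) findings for an npm manifest."""
    findings = []
    data = json.loads(text)
    for hook in NPM_LIFECYCLE_HOOKS:
        cmd = data.get("scripts", {}).get(hook)
        if cmd:
            findings.append(("lifecycle-script", hook, cmd))
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in data.get(section, {}).items():
            if name.lower() in WATCHLIST:
                findings.append(("watchlist", name, spec))
            if "://" in spec or spec.startswith(("git+", "github:", "file:")):
                findings.append(("non-registry-source", name, spec))
            elif not _is_pinned_npm(spec):
                findings.append(("unpinned", name, spec))
    return findings


def audit_requirements(text: str) -> list:
    """Return (category, subject, detail) findings for a pip requirements file."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("-"):  # pip option line, e.g. --extra-index-url URL
            parts = re.split(r"[ =]", line, maxsplit=1)
            option = parts[0]
            value = parts[1].strip() if len(parts) > 1 else ""
            if option in RISKY_PIP_OPTIONS:
                findings.append(("pip-option", option, value))
            continue
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)", line)
        if not m:
            findings.append(("unparsed", line, ""))
            continue
        name, spec = m.group(1), m.group(2).strip()
        if name.lower() in WATCHLIST:
            findings.append(("watchlist", name, spec))
        if spec.startswith("@"):  # "pkg @ https://..." direct reference
            findings.append(("non-registry-source", name, spec))
        elif "==" not in spec:
            findings.append(("unpinned", name, spec or "(any version)"))
    return findings


def audit_project(package_json_text=None, requirements_text=None) -> list:
    """Combine both audits, prefixing each finding with the file it came from."""
    findings = []
    if package_json_text is not None:
        findings += [("package.json",) + f for f in audit_package_json(package_json_text)]
    if requirements_text is not None:
        findings += [("requirements.txt",) + f for f in audit_requirements(requirements_text)]
    return findings


# Constructed sample manifests resembling a "coding assessment" repository.
SAMPLE_PACKAGE_JSON = """{
  "name": "take-home-assessment",
  "version": "1.0.0",
  "scripts": {"test": "jest", "postinstall": "node scripts/setup.js"},
  "dependencies": {"express": "4.18.2", "bigmathutils": "^1.0.0"}
}"""

SAMPLE_REQUIREMENTS = """# constructed example
requests==2.31.0
pyyaml>=6.0
--extra-index-url https://pypi.example.invalid/simple
"""

if __name__ == "__main__":
    for finding in audit_project(SAMPLE_PACKAGE_JSON, SAMPLE_REQUIREMENTS):
        print(" | ".join(finding))
```

Run it against a cloned repository before installing anything; a lifecycle hook plus a watchlisted or unpinned dependency is the combination that turns a simple `npm install` into code execution, and a redirected pip index is the classic dependency-confusion setup. The heuristics are deliberately conservative and will flag legitimate projects too; the point is to force a look before the install step, not to make a verdict.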