North Korea Is Now Hacking You During the Job Interview

January was the worst month for layoffs since 2009. A lot of people are out there looking for work right now. Now they have this to worry about:
North Korea is cooking both sides of the job market.
We’ve already covered how North Korean operators are getting hired into remote roles under fake identities. They convince companies to ship corporate laptops to “Arizona” or “Tennessee,” when in reality the device lands in a laptop farm. From there, remote desktop software gets installed and access is handed over to operators overseas. They collect a salary, steal data, and once caught or fired, they extort the company on the way out.
The FBI has been tracking this for years. Hundreds of companies have fallen for it.
But now there’s another layer.
According to new research from ReversingLabs, a Lazarus-linked campaign is targeting job seekers directly - especially developers in Web3 and crypto.
They create a legitimate-looking company, Veltrix Capital in this case. They register domains early, build GitHub repos, seed Reddit posts, then run LinkedIn outreach. They even post in Facebook hiring groups. The recruiter profiles may be fake or in some cases possibly real recruiters hired unknowingly. The breadcrumbs are good enough to pass casual research.
Then you apply and land a technical interview.
They hand you a coding task in Python or JavaScript and you download a GitHub repo. The code looks normal and the project itself isn’t malicious.
The malware hides in the dependencies.
Instead of embedding obvious malicious code, they hide payloads inside NPM or PyPI packages referenced in the project. Packages like “graph-algo” or “graph-networkx.” Nothing screams malicious. Many imitate legitimate packages. Some even function correctly while quietly delivering a payload.
People are falling for it: One malicious package in this campaign saw more than 10,000 downloads.
The payload is a remote access trojan.
Once installed, it can:
- Collect system information
- Enumerate processes
- Upload and download files
- Create, rename, and delete directories
- Search for crypto wallet extensions
- Exfiltrate sensitive data
If you’re in crypto, that’s the jackpot. Lazarus has stolen $2–3 billion in cryptocurrency annually in recent years. This campaign has their fingerprints all over it.
And they’re evolving.
Some packages are initially clean to build trust and download volume. After adoption, a malicious version is published. If your package.json references “latest,” you automatically pull the compromised version when it updates. That’s not carelessness—that’s patience paying off for the attacker.
This campaign is also leveraging AI. Google Threat Intelligence recently reported that adversaries are using AI to generate more convincing recruiter profiles, job postings, and compensation expectations tailored to specific geographies. The language reads naturally, the roles make sense and the salary bands look right.
That’s the point.
Not a developer? You’re not safe, either. There’s a parallel tactic: fake Zoom updates during interviews. “We’re having audio issues - can you install this update quickly?”
This is hard to spot. If you fall for it, don’t beat yourself up. When you’re emotionally compromised from job hunting during layoffs and the lure looks legitimate, anyone can get hooked.
But there are defensive moves:
- Don’t install new dependencies less than 5–7 days old.
- Pin package versions instead of referencing “latest.”
- Consider scanning packages with tools like Socket.
- Research companies beyond surface-level breadcrumbs.
- Separate crypto activity from your primary interview machine.
- Use a VM for technical interviews when possible.
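
One way to apply the first two defensive moves before running `npm install` on an interview repo, as an added example that is not from the original post or from ReversingLabs: it flags direct dependencies that are not pinned to an exact version, or whose pinned version is younger than seven days. The function name, sample packages and dates are constructed; the publish-time map is assumed to have the shape returned by `npm view <name> time --json`.

```javascript
// Added example. Package names, versions and dates are constructed sample data.
const MIN_AGE_DAYS = 7; // upper end of the 5-7 day waiting period

// Exact versions only (1.2.3, 1.2.3-rc.1). "latest", ^, ~, *, ranges and URLs all float.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
const FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// manifest: parsed package.json
// publishTimes: { packageName: { version: ISO timestamp } } (assumed shape)
// now: Date used as the reference point for the age check
function auditManifest(manifest, publishTimes, now) {
  const findings = [];
  for (const field of FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (!EXACT.test(spec)) {
        findings.push({ name, spec, issue: "unpinned" });
        continue;
      }
      const published = (publishTimes[name] || {})[spec];
      if (!published) {
        // No date means the age rule cannot be verified, so report it.
        findings.push({ name, spec, issue: "unknown-publish-date" });
        continue;
      }
      const ageDays = Math.floor((now - new Date(published)) / 86400000);
      // Written this way so an unparsable date (NaN) is flagged, not passed.
      if (!(ageDays >= MIN_AGE_DAYS)) {
        findings.push({ name, spec, issue: "too-new", ageDays });
      }
    }
  }
  return findings;
}

const sampleManifest = {
  dependencies: {
    "example-graph-lib": "latest",
    "example-http": "^2.1.0",
    "example-utils": "1.4.2",
    "example-logger": "3.0.1",
  },
  devDependencies: { "example-test": "0.9.0" },
};
const samplePublishTimes = {
  "example-utils": { "1.4.2": "2024-11-02T09:00:00Z" },
  "example-logger": { "3.0.1": "2025-06-08T12:00:00Z" },
};
const sampleNow = new Date("2025-06-10T00:00:00Z");

console.log(auditManifest(sampleManifest, samplePublishTimes, sampleNow));
```

This only covers direct dependencies listed in package.json; transitive dependencies stay fixed only when a lockfile is committed and respected during install.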
This campaign is active. New malicious versions were published as recently as February 11.
The job market is hard enough right now. You shouldn’t have to worry about getting hacked while trying to get hired.
But you do.
Share this with anyone job hunting, especially developers and anyone sitting on crypto wallets.