Fake recruiter coding tests target devs with malicious Python packages
2024-09-10 • ReversingLabs
ReversingLabs links new malicious Python packages to VMConnect, a campaign previously associated with North Korea's Lazarus Group through Japan CERT research and code similarities. The activity targets developers through fake recruiter and coding-test lures hosted in GitHub projects, including archives such as Python_Skill_Assessment.zip and README instructions that push candidates to run the project before editing it. The malware hides downloader logic in compiled PYC files and matching plaintext Python files, giving the campaign a path to execute even when source files are not inspected. ReversingLabs also identified one compromised developer and observed attackers impersonating employees of major financial-services firms.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 6a8b8bbd83ea4cfeaadaf397700f756… | 2024-09-10 | 2024-09-10 |