Graphalgo fake recruiter-test campaign respawned
2026-04-09 • ReversingLabs
https://www.reversinglabs.com/blog/graphalgo-campaign-respawned
ReversingLabs found the graphalgo fake recruiter-test campaign continuing with new fake blockchain companies and GitHub organizations designed to make malicious job assignments appear legitimate. The activity used recruiter personas, fake company infrastructure, LinkedIn profiles, and coding tasks to lure developers into running project setup commands that installed a downloader and the same RAT observed in earlier graphalgo operations. Newer branches shifted malicious dependency hosting away from npm and PyPI into GitHub release artifacts referenced deep inside package-lock.json files, including typosquatted repositories that imitate legitimate maintainers. The excerpt notes techniques associated with North Korean threat actors, including likely fake or stolen employee identities and GMT+9 timestamps in malicious repositories, while also linking the campaign’s targeting context to recent North Korea-attributed developer ecosystem operations. The tradecraft matters because it moves supply-chain delivery into places less heavily monitored than package registries and targets developers through believable job-interview workflows.
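
A defender-side check for the lockfile technique described above, as an added example that is not from ReversingLabs or the original post: it lists package-lock.json entries, at any nesting depth, whose `resolved` source is not an allowed registry host. The sample lockfile, package names and URLs are constructed placeholders, and the host allowlist is an assumption to adapt.

```javascript
// Added example (not from the original report): flag lockfile entries whose
// source is not an allowed registry host, e.g. GitHub release artifacts.
const ALLOWED_HOSTS = new Set(['registry.npmjs.org']); // assumption: add internal mirrors

function classify(resolved) {
  let url;
  try { url = new URL(resolved); } catch { return { host: null, reason: 'unparseable-or-local-path' }; }
  if (url.protocol !== 'https:') return { host: url.hostname, reason: 'non-https-source' };
  if (ALLOWED_HOSTS.has(url.hostname)) return null; // expected registry tarball
  const isRelease = url.pathname.includes('/releases/download/');
  return { host: url.hostname, reason: isRelease ? 'release-artifact' : 'non-registry-host' };
}

function findNonRegistryDeps(lock) {
  const findings = [];
  const check = (path, entry) => {
    // Skip the root entry, workspace links and bundled deps (no "resolved").
    if (!entry || entry.link || typeof entry.resolved !== 'string') return;
    const verdict = classify(entry.resolved);
    if (verdict) findings.push({ path, resolved: entry.resolved, ...verdict });
  };
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, entry] of Object.entries(lock.packages || {})) check(path, entry);
  // lockfileVersion 1: nested "dependencies" tree, walked at every depth.
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      check(prefix + name, entry);
      walk(entry && entry.dependencies, `${prefix}${name} > `);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return findings;
}

// Constructed sample (v3 layout); package names and URLs are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'take-home-task', version: '1.0.0' },
    'node_modules/example-lib': { version: '1.3.0',
      resolved: 'https://registry.npmjs.org/example-lib/-/example-lib-1.3.0.tgz' },
    'node_modules/example-lib/node_modules/example-pkg': { version: '1.0.0',
      resolved: 'https://github.com/example-org/example-repo/releases/download/v1.0.0/example-pkg-1.0.0.tgz' },
    'node_modules/example-git-dep': { version: '0.1.0',
      resolved: 'git+ssh://git@github.com/example-org/example-git-dep.git#0000000' },
  },
};

console.log(findNonRegistryDeps(SAMPLE_LOCK));
```

A finding is a prompt to review where the dependency comes from before running any install command, not proof of compromise, since legitimate projects also pin tarball and git dependencies.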