Lazarus Group Attacks in 2025: Overview for SOC Teams
2025-09-10 • Any Run
https://any.run/cybersecurity-blog/lazarus-group-attacks-2025/
Lazarus Group activity in 2025 combines fake North Korean IT-worker placement, fraudulent recruiting and interview lures, and malicious open-source packages aimed at technology and cryptocurrency organizations. The excerpt links Operation 99/Contagious Interview to recruiter personas on LinkedIn, Telegram, and Calendly, malicious GitLab coding tests, NPM packages, fake Zoom executables, and malware such as InvisibleFerret, OtterCookie, and PyLangGhost. It also describes supply-chain risk from trojanized GitHub and PyPI packages, including a ByBit-related compromise that began through a malicious Docker project on a Safe{Wallet} developer machine before attacker-controlled code affected transaction flow. The material matters for SOC teams because the campaigns target developer access, authentication tokens, wallets, credentials, and cloud resources that can enable both direct theft and downstream compromise.