GraphAlgo Scam: Lazarus Hackers Register Real US LLCs and Typosquat GitHub Repos to Distribute Malware to Developers
What Happened — North Korean Lazarus actors created legitimate Florida LLCs that masquerade as the SWFT Blockchain platform. They then registered typo‑squatted GitHub repositories (e.g., “swft‑blockchain”) and seeded them with malicious payloads aimed at software developers.
Why It Matters for TPRM —
- Demonstrates how nation‑state actors can weaponize seemingly legitimate third‑party entities to infiltrate development pipelines.
- Highlights the risk of open‑source supply‑chain attacks that bypass traditional perimeter controls.
- Forces organizations to reassess vendor verification and code‑origin validation processes.
Who Is Affected — Technology and SaaS firms, blockchain and cryptocurrency platforms, development teams that consume open‑source libraries, and any organization that integrates third‑party code from public repositories.
Recommended Actions —
- Conduct an inventory of all third‑party code sources and enforce strict provenance checks.
- Deploy automated monitoring for typo‑squatted repositories and anomalous domain registrations.
- Require code‑signing and reproducible builds for critical components.
- Update vendor due‑diligence questionnaires to include verification of corporate registration and public‑facing identities.
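One way to implement the typo‑squat monitoring recommended above, as an added example that is not part of the HackRead report or any vendor tool: compare every repository or domain name referenced by a dependency manifest against an allowlist of trusted names and flag near misses. The allowlist and candidate names are constructed for illustration (they are not the real SWFT Blockchain identifiers), and the edit‑distance approach is this example's own choice; the same check covers both GitHub “owner/repo” paths and domain names.

```python
import re

# Constructed allowlist of trusted "owner/repo" paths and domains (hypothetical,
# not the real SWFT Blockchain names).
TRUSTED_SOURCES = [
    "trusted-org/swft-blockchain-sdk",
    "trusted-org/swft-wallet",
    "swft-blockchain.example",
]

# Constructed sample of source names taken from a dependency manifest.
CANDIDATE_SOURCES = [
    "trusted-org/swft-blockchain-sdk",   # exact match: clean
    "trusted-org/swft-blockchian-sdk",   # adjacent-letter swap
    "trusted_org/swft-blockchain-sdk",   # separator swap only
    "swft-blockchain.exarnple",          # 'rn' standing in for 'm'
    "some-other/unrelated-lib",          # unrelated: clean
]

def normalize(name: str) -> str:
    """Lowercase and drop separators so separator-only variants collide."""
    return re.sub(r"[-_./ ]", "", name.lower())

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or adjacent swap, cost 1 each."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def find_typosquats(candidates, trusted=TRUSTED_SOURCES, max_distance=2):
    """Return (candidate, closest_trusted, distance) for near misses that are not the trusted name itself."""
    hits = []
    for cand in candidates:
        best = min(trusted, key=lambda t: osa_distance(normalize(cand), normalize(t)))
        dist = osa_distance(normalize(cand), normalize(best))
        if dist <= max_distance and cand.lower() != best.lower():
            hits.append((cand, best, dist))
    return hits
```

Running `find_typosquats(CANDIDATE_SOURCES)` flags the swapped‑letter, separator‑only and “rn” variants while leaving the exact match and the unrelated library alone; tune `max_distance` to the length of your trusted names, since short names produce more false positives.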
Technical Notes — Attack vector: typo‑squatting on GitHub combined with social engineering via real US LLCs; no known CVE. Malware delivered through compromised repository assets (e.g., npm, PyPI packages) targeting developers’ local environments. Source: HackRead