{ "type": "bundle", "id": "bundle--2f12622e-f1c2-4b5b-aa4f-44edfd3feac3", "spec_version": "2.1", "objects": [ { "type": "threat-actor", "id": "threat-actor--ed4599e9-27ab-4f37-a647-c5ae301a21ee", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Lazarus Group", "description": "North Korean state-sponsored APT group conducting fake recruiter campaigns targeting cryptocurrency developers", "threat_actor_types": [ "nation-state" ], "aliases": [ "Lazarus", "HIDDEN COBRA", "Zinc" ], "sophistication": "advanced", "resource_level": "government", "primary_motivation": "organizational-gain" }, { "type": "campaign", "id": "campaign--761a8874-2ff4-4b97-9dd1-1e86bd8dccf6", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "graphalgo", "description": "Fake recruiter campaign targeting cryptocurrency developers with malicious npm and PyPI packages. Developers are approached via LinkedIn, Facebook, and Reddit with fake job offers.", "first_seen": "2025-05-01T00:00:00.000Z", "last_seen": "2026-02-17T00:00:00.000Z", "objective": "Deploy remote access trojan (RAT) on cryptocurrency developer workstations to steal credentials and cryptocurrency funds" }, { "type": "malware", "id": "malware--4787aa57-c60e-4931-9f6d-5575114f044e", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "graphalgo RAT", "description": "Multi-language remote access trojan (JavaScript, Python, VBScript) with C2 communication, file operations, and Metamask extension detection", "malware_types": [ "remote-access-trojan" ], "is_family": true, "capabilities": [ "command-and-control", "exfiltrates-data", "communicates-with-c2" ] }, { "type": "indicator", "id": "indicator--1a714988-adce-4eb7-a86a-8b6fe02d0645", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "C2 Domain: codepool.cloud", "description": "Command and Control server used by Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[domain-name:value = 'codepool.cloud']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 85 }, { "type": "indicator", "id": "indicator--96c58582-aee5-41b1-bbe8-661aaff5361d", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "C2 Domain: aurevian.cloud", "description": "Command and Control server used by Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[domain-name:value = 'aurevian.cloud']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 85 }, { "type": "indicator", "id": "indicator--f05dafec-e33d-4b07-86cd-3691a41f2640", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "RAT Payload (Python)", "description": "Final stage remote access trojan written in Python", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = '052c278f727292d779e9cf2465c9065a55b49546']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 95 }, { "type": "indicator", "id": "indicator--2af13a94-64ce-4007-aea6-b7c8e5bf8c29", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "RAT Payload (JavaScript)", "description": "Final stage remote access trojan written in JavaScript", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = 'e5af589fcd2bfb7093dd10274161a3c0de42057f']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 95 }, { "type": "indicator", "id": "indicator--70853391-3408-4274-b6bf-66fd90a8daaf", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "RAT Payload (VBS)", "description": "Final stage remote access trojan written in VBS", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = 'dbb4031e9bb8f8821a5758a6c308932b88599f18']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 95 }, { "type": "indicator", "id": "indicator--5b36e339-fd4a-4b20-97fe-50ac104ca5d7", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious npm package: graphalgo@2.2.5-pre", "description": "Malicious npm package graphalgo version 2.2.5-pre part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = 'a9c1d537ae937580a51293008d78dd507355ee0c']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "npm", "supply-chain", "graphalgo" ] }, { "type": "indicator", "id": "indicator--4745c949-f3ba-44a2-a2a0-e98732cf33f2", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious npm package: graphalgo@2.2.6", "description": "Malicious npm package graphalgo version 2.2.6 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = '492c45688dc1e568d01693c724d3ef562a95680a']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "npm", "supply-chain", "graphalgo" ] }, { "type": "indicator", "id": "indicator--750d61b3-c22d-41c5-91c4-0eac409732ed", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious npm package: graphalgo@2.2.7", "description": "Malicious npm package graphalgo version 2.2.7 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = '43d2a634a90e168ccadac47f50769a2a6a98416e']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "npm", "supply-chain", "graphalgo" ] }, { "type": "indicator", "id": "indicator--ac8a9436-1d35-4606-9a97-bb19cabc53e9", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious npm package: graphalgo@2.2.8", "description": "Malicious npm package graphalgo version 2.2.8 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = '2283aefe0d59b37af0ce86465b0e770d0ffc364b']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "npm", "supply-chain", "graphalgo" ] }, { "type": "indicator", "id": "indicator--68e2936c-05af-4ed7-8498-9aefe66e491a", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious npm package: graphalgo@2.2.9", "description": "Malicious npm package graphalgo version 2.2.9 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = 'ff388fd9a3e85af541949f2087bf09e276a3d75f']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "npm", "supply-chain", "graphalgo" ] }, { "type": "indicator", "id": "indicator--eec8bf20-c950-47f3-bd5a-6dee180ef448", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious npm package: graphalgo@2.2.10", "description": "Malicious npm package graphalgo version 2.2.10 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = '8b425247a84d9e506952e2c913393c9ecdab399f']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "npm", "supply-chain", "graphalgo" ] }, { "type": "indicator", "id": "indicator--1404f7cc-a949-4a0a-85fb-61142c7ac0f9", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious npm package: graphalgo@2.2.11", "description": "Malicious npm package graphalgo version 2.2.11 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = 'b55921f502ec6839b08545a582a4291eaf3d902c']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "npm", "supply-chain", "graphalgo" ] }, { "type": "indicator", "id": "indicator--be1c0160-4364-42cf-9fbb-5d5825ceec9e", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious npm package: graphnetworkx@2.2.6", "description": "Malicious npm package graphnetworkx version 2.2.6 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = '784b3cda328a49bc6ba5d20be03d7bd76db41917']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "npm", "supply-chain", "graphnetworkx" ] }, { "type": "indicator", "id": "indicator--60bbfab1-ecb3-4f0a-8569-235e3fb09cba", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious npm package: graphnetworkx@2.2.7", "description": "Malicious npm package graphnetworkx version 2.2.7 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = '5f71af195874a7a582c523fe020c0ed183d9b083']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "npm", "supply-chain", "graphnetworkx" ] }, { "type": "indicator", "id": "indicator--7fbdeece-67a4-44be-8278-2572e06f1cde", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious npm package: graphnetworkx@2.2.8", "description": "Malicious npm package graphnetworkx version 2.2.8 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = 'b1d6b677917221673dc7e419c535600c129931fb']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "npm", "supply-chain", "graphnetworkx" ] }, { "type": "indicator", "id": "indicator--2841e09a-4208-41c5-bc82-fe89e0307650", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious npm package: graphnetworkx@2.2.9", "description": "Malicious npm package graphnetworkx version 2.2.9 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = '70db64caa7070b5a2abaf842fa663586525de644']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "npm", "supply-chain", "graphnetworkx" ] }, { "type": "indicator", "id": "indicator--fe5b11aa-146d-42e2-8957-9e67aa803092", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious npm package: graphmatrix@2.2.6", "description": "Malicious npm package graphmatrix version 2.2.6 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = '3e14c0ca61c51b399c6a3426c77a3376c33afc69']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "npm", "supply-chain", "graphmatrix" ] }, { "type": "indicator", "id": "indicator--d67d122b-ba77-4fcc-90b3-86efb1572295", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious npm package: graphmatrix@2.2.7", "description": "Malicious npm package graphmatrix version 2.2.7 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = 'c7141b43dd62c712cc625cd5e9f27ea6fd34955d']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "npm", "supply-chain", "graphmatrix" ] }, { "type": "indicator", "id": "indicator--9c363162-efcc-4dea-8bd1-d20be76c8887", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious npm package: graphmatrix@2.2.8", "description": "Malicious npm package graphmatrix version 2.2.8 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = 'ed4e8c98a71e9763d23d0275f17ad2712c327944']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "npm", "supply-chain", "graphmatrix" ] }, { "type": "indicator", "id": "indicator--f5f704ea-fdf6-4dc1-85b3-32de6a2f0ff1", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious npm package: graphutils@2.2.6", "description": "Malicious npm package graphutils version 2.2.6 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = '254ef870c2e48a15ffc577a6bc9a3de7c68099ce']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "npm", "supply-chain", "graphutils" ] }, { "type": "indicator", "id": "indicator--549f76fd-ed5f-4492-8114-029cab914882", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious npm package: graphutils@2.2.7", "description": "Malicious npm package graphutils version 2.2.7 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = '9b9ec71e1aae94a29487e9936985f71ce18010f9']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "npm", "supply-chain", "graphutils" ] }, { "type": "indicator", "id": "indicator--4eb5d39b-abb2-4d6d-9ca8-1e4bb69b4973", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious npm package: graphutils@2.2.8", "description": "Malicious npm package graphutils version 2.2.8 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = '2dcd9901fa0743f8dc35597c2d027a5ef6804c2f']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "npm", "supply-chain", "graphutils" ] }, { "type": "indicator", "id": "indicator--a19347fc-4335-4dcf-bfa5-6c1474d21f4b", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious npm package: graphutils@2.2.9", "description": "Malicious npm package graphutils version 2.2.9 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = 'e1cb6f690371fa76f3d062a80054e18d6b02461e']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "npm", "supply-chain", "graphutils" ] }, { "type": "indicator", "id": "indicator--d9c8b27f-f43a-44f7-b6cb-6b92ee47d850", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious npm package: graphutils@2.2.10", "description": "Malicious npm package graphutils version 2.2.10 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = '29f31fac84020d647af1961547638b6be51651aa']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "npm", "supply-chain", "graphutils" ] }, { "type": "indicator", "id": "indicator--11589df9-597d-4119-8479-cb5b0af308d4", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious npm package: graphutils@2.2.11", "description": "Malicious npm package graphutils version 2.2.11 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = '89b41008256e7684ba798e0edb27619e7c35c4d7']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "npm", "supply-chain", "graphutils" ] }, { "type": "indicator", "id": "indicator--d10ae869-1ecc-443d-8130-b51086230bcc", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious PyPI package: graphnetworkx@3.5.1rc0.dev0", "description": "Malicious PyPI package graphnetworkx version 3.5.1rc0.dev0 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = 'a98c0377f80f04a3a7cf044d5abe515654520183']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "pypi", "supply-chain", "graphnetworkx" ] }, { "type": "indicator", "id": "indicator--f45c5fff-1588-4f1a-a203-a3c5d573b25d", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious PyPI package: graphnetworkx@3.5.1rc0.dev0", "description": "Malicious PyPI package graphnetworkx version 3.5.1rc0.dev0 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = '6230fc3006ecda4899bb9621ef2cf95b78f54a0a']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "pypi", "supply-chain", "graphnetworkx" ] }, { "type": "indicator", "id": "indicator--dc22ec23-1644-4591-8545-a92ac777df46", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious PyPI package: graphnetworkx@3.5.2", "description": "Malicious PyPI package graphnetworkx version 3.5.2 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = 'a8df8cb07bac3c2f6434a21beb58e45f73ab66b2']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "pypi", "supply-chain", "graphnetworkx" ] }, { "type": "indicator", "id": "indicator--e4f1266e-4932-4d82-9716-1dc6335bd00e", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious PyPI package: graphnetworkx@3.5.2", "description": "Malicious PyPI package graphnetworkx version 3.5.2 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = '142268facd71d20feabea97f8867cb505306e26d']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "pypi", "supply-chain", "graphnetworkx" ] }, { "type": "indicator", "id": "indicator--afe2a4d8-08fc-4739-b60a-1718a85612d4", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious PyPI package: graphnetworkx@3.5.3", "description": "Malicious PyPI package graphnetworkx version 3.5.3 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = 'cd332731273e93769cc28dde5a02814c027e1b77']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "pypi", "supply-chain", "graphnetworkx" ] }, { "type": "indicator", "id": "indicator--655f5cad-9789-4400-86ad-42dc38330145", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious PyPI package: graphnetworkx@3.5.3", "description": "Malicious PyPI package graphnetworkx version 3.5.3 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = '091de0f6c0a7d4713c83819a538a553ad2e3bb73']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "pypi", "supply-chain", "graphnetworkx" ] }, { "type": "indicator", "id": "indicator--f3aef46a-f6ce-4543-a14e-ac9cc587d82a", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious PyPI package: graphnetworkx@3.5.5", "description": "Malicious PyPI package graphnetworkx version 3.5.5 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = '3fbea692a0c549dc711e9ad2aa016fad6fea68e5']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "pypi", "supply-chain", "graphnetworkx" ] }, { "type": "indicator", "id": "indicator--b937f9e8-2d18-44c8-a98b-15a23608bac3", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious PyPI package: graphnetworkx@3.5.5", "description": "Malicious PyPI package graphnetworkx version 3.5.5 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = '756a14ca3baf5ccfc18b2316d52d7fe98e31dfef']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "pypi", "supply-chain", "graphnetworkx" ] }, { "type": "indicator", "id": "indicator--9bfcbd1c-d78b-4165-9689-0a18ecf7c133", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious PyPI package: graphnetworkx@3.5.6", "description": "Malicious PyPI package graphnetworkx version 3.5.6 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = '4dab7e9201a431495b3babb165b0e5362287b178']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "pypi", "supply-chain", "graphnetworkx" ] }, { "type": "indicator", "id": "indicator--ec537f30-ce7a-43c6-94a9-a3d7a1959773", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious PyPI package: graphnetworkx@3.5.6", "description": "Malicious PyPI package graphnetworkx version 3.5.6 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = 'd15ea1735d6b057884faaa90afa46c8ee0be5927']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "pypi", "supply-chain", "graphnetworkx" ] }, { "type": "indicator", "id": "indicator--406b55a8-6c30-4262-97a0-c2f9b16a19e1", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious PyPI package: graphnetworkx@3.5.7", "description": "Malicious PyPI package graphnetworkx version 3.5.7 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = '763907bf89983b36d2161153d91c7f313822bec8']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "pypi", "supply-chain", "graphnetworkx" ] }, { "type": "indicator", "id": "indicator--c95929e2-d7ac-4c83-9df0-80edb3ccee89", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious PyPI package: graphnetworkx@3.5.7", "description": "Malicious PyPI package graphnetworkx version 3.5.7 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = 'ab827c68d4be6002385b9008fc89eef4e04c6912']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "pypi", "supply-chain", "graphnetworkx" ] }, { "type": "indicator", "id": "indicator--2eb91278-20be-4b2f-87dd-3792a7d5772f", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious PyPI package: graphnetworkx@3.5.8", "description": "Malicious PyPI package graphnetworkx version 3.5.8 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = '99fa440b658412b5c2685c6df90cb0d3c4eb84a8']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "pypi", "supply-chain", "graphnetworkx" ] }, { "type": "indicator", "id": "indicator--935a9347-ce7d-4951-aa5d-a0f2d7a8b732", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious PyPI package: graphnetworkx@3.5.8", "description": "Malicious PyPI package graphnetworkx version 3.5.8 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = '3fe294dafca9a86961d2f426b76f327521e55c40']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "pypi", "supply-chain", "graphnetworkx" ] }, { "type": "indicator", "id": "indicator--9d3a97b7-271f-4229-a275-4097d25ee624", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious PyPI package: graphnetworkx@3.5.9", "description": "Malicious PyPI package graphnetworkx version 3.5.9 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = '3337794382593be3a8f324621406df073b85a170']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "pypi", "supply-chain", "graphnetworkx" ] }, { "type": "indicator", "id": "indicator--180247f8-175d-4cec-8b07-65f1e9eb291a", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious PyPI package: graphnetworkx@3.5.9", "description": "Malicious PyPI package graphnetworkx version 3.5.9 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = '134dfb95bd64b371b66b34b8f30ad2181938244d']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "pypi", "supply-chain", "graphnetworkx" ] }, { "type": "indicator", "id": "indicator--af584019-81be-4471-a3eb-0410465ec513", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious PyPI package: graphnetworkx@3.5.10", "description": "Malicious PyPI package graphnetworkx version 3.5.10 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = '06b9793ebe4805807f05b2f49a4b2f8161047f97']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "pypi", "supply-chain", "graphnetworkx" ] }, { "type": "indicator", "id": "indicator--58f4b0cb-7481-41b9-8c70-8cf606626918", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious PyPI package: graphnetworkx@3.5.10", "description": "Malicious PyPI package graphnetworkx version 3.5.10 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = '73951e3d352491ef40473df055b5c8b9cc2b1820']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "pypi", "supply-chain", "graphnetworkx" ] }, { "type": "indicator", "id": "indicator--b2607fb0-8a35-4c9d-a05e-0c3112aaa7bc", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious PyPI package: graphnetworkx@3.5.10", "description": "Malicious PyPI package graphnetworkx version 3.5.10 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = 'b899f364e788501bb4286ff379d5d155599fb35d']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "pypi", "supply-chain", "graphnetworkx" ] }, { "type": "indicator", "id": "indicator--012026f8-2050-4fd3-bb28-a041630099db", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "name": "Malicious PyPI package: graphnetworkx@3.5.10", "description": "Malicious PyPI package graphnetworkx version 3.5.10 part of Lazarus graphalgo campaign", "indicator_types": [ "malicious-activity" ], "pattern": "[file:hashes.SHA1 = 'cd4884dc181a011c75405940172a994b7923daba']", "pattern_type": "stix", "valid_from": "2026-02-17T11:39:28.000Z", "confidence": 90, "labels": [ "pypi", "supply-chain", "graphnetworkx" ] }, { "type": "relationship", "id": "relationship--1d312278-9f8e-4ceb-b96b-d074d8369bea", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "relationship_type": "attributed-to", "source_ref": "campaign--761a8874-2ff4-4b97-9dd1-1e86bd8dccf6", "target_ref": "threat-actor--ed4599e9-27ab-4f37-a647-c5ae301a21ee" }, { "type": "relationship", "id": "relationship--498c29df-0fab-4fee-9626-b521ed51be1f", "created": "2026-02-17T11:39:28.000Z", "modified": "2026-02-17T11:39:28.000Z", "relationship_type": "uses", "source_ref": "campaign--761a8874-2ff4-4b97-9dd1-1e86bd8dccf6", "target_ref": "malware--4787aa57-c60e-4931-9f6d-5575114f044e" } ] }