What is NICKEL ALLEY and how do they target tech jobs?

NICKEL ALLEY is a North Korean threat group using fake LinkedIn pages, job interviews, and GitHub repos to trick developers into running malware like PyLangGhost RAT.

How does PyLangGhost RAT infect via ClickFix?

Victims run a 'fix' command that downloads and executes scripts leading to the RAT, which steals crypto data and enables remote control.

Are fake job scams from North Korea getting worse?

Yes, with faster domain cycling and npm compromises, expect escalation into AI-enhanced interviews by 2026.

🌐 Nation-State Threats

North Korea's NICKEL ALLEY Fakes Tech Jobs to Slip PyLangGhost RAT onto Dev Machines

You're scrolling LinkedIn for that dream dev gig, click an interview link — boom, North Korean malware's rifling through your crypto extensions. NICKEL ALLEY's fake-it-till-you-make-it playbook is hitting tech workers hard.

theAIcatchup Apr 09, 2026 4 min read

NICKEL ALLEY ClickFix malware infection chain diagram from fake job assessment

⚡ Key Takeaways

NICKEL ALLEY uses 'ClickFix' in fake interviews to deploy PyLangGhost RAT, targeting tech pros' crypto wallets. 𝕏
Tactics include phony LinkedIn/GitHub setups and npm typosquatting, effective since mid-2025. 𝕏
Dev job seekers: Verify domains and payloads religiously — NK hackers exploit hiring desperation. 𝕏

Published by

theAIcatchup

Threat intelligence. Zero noise.

#NICKEL ALLEY #North Korea malware #PyLangGhost RAT #fake job interviews

Worth sharing?

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by Sophos Threat Research

⚡ Key Takeaways

The 60-Second TL;DR

theAIcatchup

Share this article

Worth sharing?

Related Stories

Iran's Hidden Assault: 3,900 US PLCs Exposed in the Wild

North Korean Hackers Compromise Axios NPM Package, Deploying RAT Across Platforms

Iranian Hacktivists Light Up Chats as US-Israel Strikes Hit Iran

Iranian Hackers Stick to Cheap Tricks: Phishing, Sprays, and Lazy Patches

Stay in the loop