[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fsYxz4faL32cl_2L1Ukfr7xivAt9G08BOWsolO25ouZU":3},{"article":4,"iocs":59},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"7e90895c-b27f-4f39-993a-f9b2407fe9f6","Lazarus Group Uses npm Brandjacking Campaign to Target Developers","lazarus-group-uses-npm-brandjacking-campaign-to-target-developers-b1da38","North Korean Lazarus Group targets npm developers with brandjacking packages that mimic trusted tools, drop malware and put credentials at risk.","North Korea's Lazarus Group is conducting a sophisticated brandjacking campaign against npm developers, distributing dozens of malicious packages with names mimicking trusted projects like Buffer, Chai, React, and Webpack. The packages act as multi-stage droppers that deploy Node.js backdoors, collect system credentials, and establish persistent C2 access. This represents a shift in Lazarus tactics toward developer infrastructure and supply chain compromise.","Lazarus Group deploys malicious npm packages via brandjacking to target developers and steal credentials.","Lazarus Group Uses npm Brandjacking Campaign to Target Developers. North Korean Lazarus Group targets npm developers with brandjacking packages that mimic trusted tools, drop malware and put credentials at risk. By Waqas, June 4, 2026. 3 minute read. A new npm campaign linked to North Korea’s Lazarus Group shows how attackers are using familiar-looking package names to gain access to developers’ systems and software build environments. Sonatype Security Research said it is tracking dozens of malicious npm packages connected to the campaign, including some that reached up to 500 weekly downloads. 
The packages were designed to look related to trusted JavaScript projects and tools, increasing the chance that developers would install them during normal work. More Than npm Typosquatting. Usually, attackers rely on techniques like typosquatting in such campaigns; in this case, however, Sonatype found packages using brandjacking methods such as suffix additions, embedded project names, and version mimicry. Some of the examples spotted by researchers included names built around well-known projects such as Buffer, Chai, React, Express, JWT, and Webpack. That naming strategy is more likely to work in the attackers’ favor because npm is full of small helper libraries, wrappers, and plugins. A package called buffer-utilities, for example, can appear to be a reasonable companion to the widely used buffer package, even though it has no legitimate connection to the project. Sonatype’s analysis of buffer-utilities found that the package included code copied from the real buffer library, but also worked as a malicious dropper. Once installed, it decoded Base64-encoded URLs, fetched remote content from www.jsonkeeper.com, and executed the retrieved code using eval(). Researchers said the same pattern appeared in other packages linked to the same Lazarus activity. The use of www.jsonkeeper.com is also notable because Sonatype has previously observed Lazarus using the service to host payloads. After the first stage runs, the malware can install a Node.js backdoor and downloader. That payload collects basic system details, including the hostname, username, operating system, home directory, and process arguments. It then contacts the command and control infrastructure to receive further instructions. The malware can also create a hidden .vscode directory in the user’s home folder, download more files, and launch attacker-controlled JavaScript as a detached background process. 
Sonatype said the package can fetch a third-stage payload called f.js along with a package.json file, then run npm install --silent before starting the payload. That behavior gives the attacker a way to maintain access and refresh malicious files over time. Sonatype also reported an update mechanism that lets the payload reconnect to command and control servers, check for newer versions, and replace local files. [Infograph explaining the campaign (Credit: Hackread.com)] The campaign shows why npm remains attractive to advanced threat actors. Developers often install packages based on name familiarity, project fit, or convenience, especially in JavaScript environments where small dependencies are common. The Lazarus connection adds weight to the findings. While the group is often associated with financial theft and high-profile cyber espionage operations, this activity shows the group’s interest in developer machines, credentials, build systems, and long-term access to enterprise environments. Protect Your Devices. Organizations that installed buffer-utilities version 1.0.0 or packages associated with Sonatype identifier sonatype-2026-003558 should remove them and review affected systems for signs of further compromise. Sonatype warned that removal alone may not be enough if later payloads have already run. Administrators should also check for network connections to www.jsonkeeper.com, command and control traffic to 45.59.163.198:1244, unexpected .vscode folders in user home directories, unusual Node.js processes, and any unexplained credential access from developer workstations or build systems. Waqas: I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in the cybersecurity and tech world. I am also into gaming, reading and investigative journalism.","https:\u002F\u002Fhackread.com\u002Flazarus-group-npm-brandjacking-target-developers\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F06\u002Flazarus-group-npm-brandjacking-target-developers.jpg","2026-06-04T12:35:11+00:00","2026-06-04T14:00:20.64201+00:00",9,[18,21,24,27,30],{"name":19,"type":20},"Lazarus Group","threat_actor",{"name":22,"type":23},"Sonatype","vendor",{"name":25,"type":26},"npm","technology",{"name":28,"type":29},"Node.js","product",{"name":31,"type":32},"npm Brandjacking Campaign (Lazarus)","campaign","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":33,"icon":35,"name":36,"slug":37},null,"Malware","malware",[39,44,49,54],{"category":40},{"id":41,"icon":35,"name":42,"slug":43},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":45},{"id":46,"icon":35,"name":47,"slug":48},"6cbdd207-aaa1-4176-9534-e156b125e917","Nation-state","nation-state",{"category":50},{"id":51,"icon":35,"name":52,"slug":53},"ade75414-7914-4e23-a450-48b64546ee70","Open Source","open-source",{"category":55},{"id":56,"icon":35,"name":57,"slug":58},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[60,64,68,71],{"type":61,"value":62,"context":63},"domain","www.jsonkeeper.com","Payload hosting and C2 infrastructure used by Lazarus to deliver malicious content",{"type":65,"value":66,"context":67},"ip","45.59.163.198","Command and control server associated with Lazarus npm campaign",{"type":37,"value":69,"context":70},"buffer-utilities","Brandjacked npm package (v1.0.0) that mimics legitimate Buffer library; acts as malicious dropper",{"type":37,"value":72,"context":73},"f.js","Third-stage payload delivered by compromised npm packages; executes attacker-controlled JavaScript"]