lazarusholic


Lazarus Group's Latest: Brandjacking Campaign on npm

2026-06-03, Sonatype
https://www.sonatype.com/blog/lazarus-groups-latest-brandjacking-campaign-on-npm
#NPM #Lazarus

By Sonatype Security Research Team
TL;DR

- Sonatype Security Research is tracking a Lazarus Group npm campaign using dozens of malicious packages to abuse developer trust and deliver follow-on payloads.
- The campaign goes beyond typosquatting, relying on brandjacking tactics like suffix addition, embedding, and version mimicry to make packages look ecosystem-adjacent.
- Analysis of buffer-utilities shows a malicious dropper that fetches and executes remote payloads, setting the stage for ongoing attacker-controlled intrusions.
- Organizations that installed affected packages should remove them, investigate for second-stage activity, and treat impacted systems as potentially compromised.
Sonatype is tracking a Lazarus Group campaign on npm consisting of dozens of packages, some with up to 500 weekly downloads, that aims to abuse trust in open source to deploy malware. Using tactics such as suffix addition, embedding, version mimicry, and more, these brandjacking packages are designed to look like something that belongs in a developer environment.
These aren't …
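The three brandjacking tactics named above (suffix addition, embedding, version mimicry) can be screened for on the defender's side before a dependency is installed. The following is an added example, not Sonatype's tooling and not code from the campaign: it tokenizes a candidate package name and checks each token against a small, constructed allowlist of well-known package names. The allowlist, the sample names other than buffer-utilities, and the assumption that buffer-utilities imitates the well-known "buffer" package are all constructed for the example; a real deployment would load the top-N names from the registry instead.

```python
import re
from typing import List, Optional, Set, Tuple

# Constructed allowlist of well-known npm package names (assumption: a real
# deployment would load the most-downloaded names from the registry).
POPULAR: Set[str] = {"buffer", "lodash", "react", "express", "axios", "chalk"}

# A token that looks like a version fragment: "4", "17", "v18".
VERSION_RE = re.compile(r"^v?\d+$")

Verdict = Optional[Tuple[str, str]]  # (tactic, imitated base name) or None


def _tokens(name: str) -> List[str]:
    """Drop a leading "@scope/" and split on -, _ and . (scope-level
    squatting is out of scope for this example)."""
    bare = name.split("/", 1)[1] if name.startswith("@") and "/" in name else name
    return [t for t in re.split(r"[-_.]", bare.lower()) if t]


def _split_trailing_digits(tok: str) -> Tuple[str, str]:
    """'express2' -> ('express', '2'); 'react' -> ('react', '')."""
    m = re.match(r"^(.*?)(\d*)$", tok)
    return m.group(1), m.group(2)


def classify(name: str, popular: Set[str] = POPULAR) -> Verdict:
    """Return the brandjacking tactic a name appears to use, or None when it
    is either an exact well-known name or contains no well-known name."""
    toks = _tokens(name)
    for i, tok in enumerate(toks):
        stem, digits = _split_trailing_digits(tok)
        if stem not in popular:
            continue
        rest = toks[i + 1:]
        # Version mimicry: "express2", "react-v18", "lodash-4.17".
        if digits or (rest and all(VERSION_RE.match(r) for r in rest)):
            return ("version-mimicry", stem)
        # The well-known name on its own is the legitimate package.
        if i == 0 and not rest:
            return None
        # Suffix addition: well-known name first, extra words appended.
        if i == 0:
            return ("suffix-addition", stem)
        # Embedding: well-known name buried inside a longer name.
        return ("embedding", stem)
    return None


def scan(names: List[str], popular: Set[str] = POPULAR) -> List[Tuple[str, str, str]]:
    """Run classify() over a list of names and keep only the flagged ones."""
    flagged = []
    for n in names:
        verdict = classify(n, popular)
        if verdict:
            flagged.append((n, verdict[0], verdict[1]))
    return flagged


# Constructed sample input; only buffer-utilities is taken from the report.
SAMPLE_NAMES = [
    "buffer-utilities",     # suffix addition on "buffer" (assumed base)
    "node-lodash-helpers",  # embedding of "lodash"
    "react-v18",            # version mimicry of "react"
    "express2",             # version mimicry of "express"
    "buffer",               # the real package, not flagged
    "buffered-reader",      # shares a prefix only, not flagged
    "@types/react",         # scoped, exact name, not flagged
]

if __name__ == "__main__":
    for name, tactic, base in scan(SAMPLE_NAMES):
        print(f"{name:22s} {tactic:18s} imitates {base}")
```

Whitelist matching at token boundaries is what keeps "buffered-reader" from being flagged for "buffer"; a check based on plain substring search or edit distance would flag it and many other legitimate names. A hit from this screen is a reason to inspect the package (publisher, install scripts, download history), not a verdict on its own.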

IoC

45.59.163.198