FILTERING BY: CLEAR FILTER

Lazarus Group's Brandjacking Campaign targeting the npm Ecosystem

The Lazarus Group has shifted from traditional typosquatting to "brandjacking" within the npm ecosystem, deploying multi-stage droppers disguised as utilities for popular libraries like React, Buffer, and Chai. These malicious packages execute Base64-encoded strings to fetch a second-stage Node.js backdoor from jsonkeeper.com, which subsequently connects to a C2 server (45.59.163.198:1244) to deploy a final payload (f.js) into the ~/.vscode directory. By utilizing npm install --silent for dependency resolution, the attackers establish persistent remote code execution (RCE) on developer workstations, posing a critical risk to CI/CD pipelines and source code repositories.


LINK COPIED TO CLIPBOARD