Unit 42 Threat Intelligence • 4w
Lazarus Group's Brandjacking Campaign targeting the npm Ecosystem
The Lazarus Group has shifted from traditional typosquatting to "brandjacking" within the npm ecosystem, deploying multi-stage droppers disguised as utilities for popular libraries like React, Buffer, and Chai. These malicious packages execute Base64-encoded strings to fetch a second-stage Node.js backdoor from jsonkeeper.com, which subsequently connects to a C2 server (45.59.163.198:1244) to deploy a final payload (f.js) into the ~/.vscode directory. By utilizing npm install --silent for dependency resolution, the attackers establish persistent remote code execution (RCE) on developer workstations, posing a critical risk to CI/CD pipelines and source code repositories.
Links:Unit 42 Threat Intelligence, Wiu, Arcticwolf, Cybersecurityventures, Crowdstrike, computerweekly.com, Chainguard, ox.security, cybelangel.com, microsoft.com, Malware News, Sonatype, Securityboulevard, Itpro, Duocircle, phoenix.security, gbhackers.com, bleepingcomputer.com, Ground, Neuracybintel, Technologymagazine, Shadowserver, Cyberinsider, Rescana, Upwind, Youtube, Ssocircle, Techjacksolutions, Cyberscoop, Dark Reading, Linuxsecurity, Therecord, Cybersecuritydive, Reddit, Access, Zdnet, Stepsecurity, The Hacker News, cybersecurity.pk, Ox, Research, Secure, Safedep, Socprime, Labs, Aikido, Snyk, Podcasts, Harness, Softwareking24, Hoploninfosec, Dmarcreport, Phoenix, Kudelskisecurity, techjacksolutions.com, SC Media, Iplogger, Infosecurity-magazine, Thehackernews, Bitdefender, Csoonline, Foreigninterference, Cyberproof, Cybersecurity News, Windowsforum, OpenSSF (Open Source Security Foundation), Threatlocker, Pcrisk, Appsecphoenix, Mallory, SecurityWeek, csoonline.com •