← Back to Daily Briefing

The Lazarus Group has shifted from traditional typosquatting to "brandjacking" within the npm ecosystem, deploying multi-stage droppers disguised as utilities for popular libraries like React, Buffer, and Chai. These malicious packages execute Base64-encoded strings to fetch a second-stage Node.js backdoor from jsonkeeper.com, which subsequently connects to a C2 server (45.59.163.198:1244) to deploy a final payload (f.js) into the ~/.vscode directory. By utilizing npm install --silent for dependency resolution, the attackers establish persistent remote code execution (RCE) on developer workstations, posing a critical risk to CI/CD pipelines and source code repositories.

  • Incident Overview: Brandjacking Evolution

    • Transition from simple misspellings to "brandjacking," where packages mimic legitimate utilities or version updates for established libraries.
    • Attackers integrate functional, legitimate code into malicious packages to evade immediate detection by developers and basic security scanners.
    • Specifically targets the Node.js ecosystem to gain a foothold in high-privilege developer environments.
  • Attack Vector & Execution Mechanics

    • Initial Stage: Installation of brandjacked packages that utilize atob() and eval() to decode and execute Base64-encoded URLs.
    • Secondary Stage: The dropper fetches a Node.js backdoor hosted on www.jsonkeeper.com to collect system telemetry.
    • Final Stage: The backdoor establishes C2 communication with 45.59.163.198:1244 to download the f.js payload into a hidden ~/.vscode directory.
    • Persistence: The malware executes npm install --silent to resolve dependencies and runs as a detached background process for persistent RCE.
  • Threat Actor Profile & Impact Scale

    • Attributed to the Lazarus Group, demonstrating a sophisticated approach to software supply chain infiltration.
    • Scale of impact includes dozens of malicious packages, with some achieving up to 500 weekly downloads.
    • Primary risk involves the compromise of developer machines, which often hold secrets, SSH keys, and access to production build systems.
  • Indicators of Compromise (IoCs)

    • Network Indicators: C2 server 45.59.163.198:1244 and payload hosting via www.jsonkeeper.com.
    • Host Indicators: Unexpected presence of f.js and package.json within the ~/.vscode folder.
    • Malicious Packages: buffer-utilities, buffer-util-extend, express-denv, jwt-path, webpack-patch, chai-as-patch, chai-beta, react-next-dom, midcore, midcorp, and node-background-invoker-v2.
  • Defensive Actions & Mitigation

    • Implement strict dependency pinning and audit package-lock.json files for unauthorized utility packages.
    • Deploy Software Composition Analysis (SCA) tools to detect packages with suspicious behavior or low reputation scores.
    • Monitor developer workstations for unusual outbound network traffic and unauthorized file modifications in hidden configuration directories.

Related posts

  1. Unit 42 Threat Intelligence — The npm Threat Landscape: Attack Surface and Mitigations (Updated May 1)
  2. Wiu
  3. Arcticwolf
  4. Cybersecurityventures
  5. Crowdstrike
  6. computerweekly.com — Glassworm botnet that targeted OS devs smashed to pieces
  7. Chainguard
  8. ox.security — New Shai-Hulud hits npm: @redhat-cloud-services Compromised
  9. ox.security — Six Stages Deep and an Endless Loop: Shai-Hulud Is Getting Sophisticated
  10. cybelangel.com — Miasma Supply Chain Attack: the Seven-Week Credential Trail
  11. microsoft.com — Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign
  12. Malware News — Lazarus Group's Latest: Brandjacking Campaign on npm
  13. Sonatype
  14. Securityboulevard
  15. Itpro
  16. Duocircle
  17. phoenix.security — IronWorm (No CVE): Rust-Built npm Worm Ships an eBPF Rootkit, Tor C2, and a Self-Propagating Supply Chain Implant Across 37 Packages
  18. gbhackers.com — IronWorm npm Attack Steals Developer Secrets
  19. ox.security — 600,000 Monthly Downloads Affected: Miasma Supply Chain Attack Is Back on npm
  20. bleepingcomputer.com — New IronWorm malware hits 36 packages in npm supply-chain attack
  21. Ground
  22. Neuracybintel
  23. Technologymagazine
  24. Shadowserver
  25. Cyberinsider
  26. Rescana
  27. Upwind
  28. Youtube
  29. Ssocircle
  30. Techjacksolutions
  31. Cyberscoop
  32. Dark Reading — Rust-Written IronWorm Hits NPM Supply Chain
  33. Linuxsecurity
  34. Therecord
  35. Cybersecuritydive
  36. Reddit
  37. Access
  38. Zdnet
  39. Stepsecurity
  40. The Hacker News — IronWorm and New Miasma Worm Variant Hit npm in Supply Chain Attacks
  41. cybersecurity.pk — IronWorm and New Miasma Worm Variant Hit npm in Supply Chain Attacks
  42. Ox
  43. Reddit
  44. Research
  45. Secure
  46. Safedep
  47. Socprime
  48. Stepsecurity
  49. Labs
  50. Reddit
  51. Stepsecurity
  52. Aikido
  53. Upwind
  54. Snyk
  55. Podcasts
  56. Harness
  57. Softwareking24
  58. Techjacksolutions
  59. Hoploninfosec
  60. Dmarcreport
  61. Reddit
  62. Reddit
  63. Phoenix
  64. bleepingcomputer.com — New Shai-Hulud attack trojanizes 19 science-focused PyPI packages
  65. Kudelskisecurity
  66. Ox
  67. Stepsecurity
  68. gbhackers.com — Shai-Hulud Malware Campaign Abuses 23 PyPI Packages in Developer-Focused Attack
  69. techjacksolutions.com — Mini Shai-Hulud Supply Chain Campaign Breaches OpenAI Developer Devices via TanStack and npm/PyPI Compromise
  70. SC Media — Suspected North Korean actors use fake ‘coding assignments’ to steal crypto
  71. Iplogger
  72. Infosecurity-magazine
  73. Thehackernews
  74. Bitdefender
  75. Csoonline
  76. Foreigninterference
  77. Cyberproof
  78. Sonatype
  79. Cybersecurity News — North Korea-Aligned Hackers Abuse GitHub Repositories to Infect Developers
  80. Socprime
  81. techjacksolutions.com — Hades Campaign Escalates PyPI Supply Chain Attack with AI Evasion, Cross-Platform Memory Scraping, and Wiper Capability
  82. Windowsforum
  83. OpenSSF (Open Source Security Foundation) — Mini Shai-Hulud: Where SLSA’s Boundaries Fall
  84. Safedep
  85. Threatlocker
  86. techjacksolutions.com — Miasma Supply Chain Worm Toolkit Leak Fuels Hades Campaign Against Open-Source Registries and CI/CD Pipelines
  87. Phoenix
  88. Pcrisk
  89. Appsecphoenix
  90. Safedep
  91. Reddit
  92. Mallory
  93. SecurityWeek — GlassWorm Botnet Disrupted
  94. csoonline.com — Meet Hades: The malware that lies to AI security agents
  95. gbhackers.com — North Korea Hackers Weaponize GitHub to Target Developers

LINK COPIED TO CLIPBOARD