The Lazarus Group has shifted from traditional typosquatting to "brandjacking" within the npm ecosystem, deploying multi-stage droppers disguised as utilities for popular libraries like React, Buffer, and Chai. These malicious packages execute Base64-encoded strings to fetch a second-stage Node.js backdoor from jsonkeeper.com, which subsequently connects to a C2 server (45.59.163.198:1244) to deploy a final payload (f.js) into the ~/.vscode directory. By utilizing npm install --silent for dependency resolution, the attackers establish persistent remote code execution (RCE) on developer workstations, posing a critical risk to CI/CD pipelines and source code repositories.
-
Incident Overview: Brandjacking Evolution
- Transition from simple misspellings to "brandjacking," where packages mimic legitimate utilities or version updates for established libraries.
- Attackers integrate functional, legitimate code into malicious packages to evade immediate detection by developers and basic security scanners.
- Specifically targets the Node.js ecosystem to gain a foothold in high-privilege developer environments.
-
Attack Vector & Execution Mechanics
- Initial Stage: Installation of brandjacked packages that utilize
atob()andeval()to decode and execute Base64-encoded URLs. - Secondary Stage: The dropper fetches a Node.js backdoor hosted on
www.jsonkeeper.comto collect system telemetry. - Final Stage: The backdoor establishes C2 communication with
45.59.163.198:1244to download thef.jspayload into a hidden~/.vscodedirectory. - Persistence: The malware executes
npm install --silentto resolve dependencies and runs as a detached background process for persistent RCE.
- Initial Stage: Installation of brandjacked packages that utilize
-
Threat Actor Profile & Impact Scale
- Attributed to the Lazarus Group, demonstrating a sophisticated approach to software supply chain infiltration.
- Scale of impact includes dozens of malicious packages, with some achieving up to 500 weekly downloads.
- Primary risk involves the compromise of developer machines, which often hold secrets, SSH keys, and access to production build systems.
-
Indicators of Compromise (IoCs)
- Network Indicators: C2 server
45.59.163.198:1244and payload hosting viawww.jsonkeeper.com. - Host Indicators: Unexpected presence of
f.jsandpackage.jsonwithin the~/.vscodefolder. - Malicious Packages:
buffer-utilities,buffer-util-extend,express-denv,jwt-path,webpack-patch,chai-as-patch,chai-beta,react-next-dom,midcore,midcorp, andnode-background-invoker-v2.
- Network Indicators: C2 server
-
Defensive Actions & Mitigation
- Implement strict dependency pinning and audit
package-lock.jsonfiles for unauthorized utility packages. - Deploy Software Composition Analysis (SCA) tools to detect packages with suspicious behavior or low reputation scores.
- Monitor developer workstations for unusual outbound network traffic and unauthorized file modifications in hidden configuration directories.
- Implement strict dependency pinning and audit
Related posts
- Unit 42 Threat Intelligence — The npm Threat Landscape: Attack Surface and Mitigations (Updated May 1)
- Wiu
- Arcticwolf
- Cybersecurityventures
- Crowdstrike
- computerweekly.com — Glassworm botnet that targeted OS devs smashed to pieces
- Chainguard
- ox.security — New Shai-Hulud hits npm: @redhat-cloud-services Compromised
- ox.security — Six Stages Deep and an Endless Loop: Shai-Hulud Is Getting Sophisticated
- cybelangel.com — Miasma Supply Chain Attack: the Seven-Week Credential Trail
- microsoft.com — Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign
- Malware News — Lazarus Group's Latest: Brandjacking Campaign on npm
- Sonatype
- Securityboulevard
- Itpro
- Duocircle
- phoenix.security — IronWorm (No CVE): Rust-Built npm Worm Ships an eBPF Rootkit, Tor C2, and a Self-Propagating Supply Chain Implant Across 37 Packages
- gbhackers.com — IronWorm npm Attack Steals Developer Secrets
- ox.security — 600,000 Monthly Downloads Affected: Miasma Supply Chain Attack Is Back on npm
- bleepingcomputer.com — New IronWorm malware hits 36 packages in npm supply-chain attack
- Ground
- Neuracybintel
- Technologymagazine
- Shadowserver
- Cyberinsider
- Rescana
- Upwind
- Youtube
- Ssocircle
- Techjacksolutions
- Cyberscoop
- Dark Reading — Rust-Written IronWorm Hits NPM Supply Chain
- Linuxsecurity
- Therecord
- Cybersecuritydive
- Access
- Zdnet
- Stepsecurity
- The Hacker News — IronWorm and New Miasma Worm Variant Hit npm in Supply Chain Attacks
- cybersecurity.pk — IronWorm and New Miasma Worm Variant Hit npm in Supply Chain Attacks
- Ox
- Research
- Secure
- Safedep
- Socprime
- Stepsecurity
- Labs
- Stepsecurity
- Aikido
- Upwind
- Snyk
- Podcasts
- Harness
- Softwareking24
- Techjacksolutions
- Hoploninfosec
- Dmarcreport
- Phoenix
- bleepingcomputer.com — New Shai-Hulud attack trojanizes 19 science-focused PyPI packages
- Kudelskisecurity
- Ox
- Stepsecurity
- gbhackers.com — Shai-Hulud Malware Campaign Abuses 23 PyPI Packages in Developer-Focused Attack
- techjacksolutions.com — Mini Shai-Hulud Supply Chain Campaign Breaches OpenAI Developer Devices via TanStack and npm/PyPI Compromise
- SC Media — Suspected North Korean actors use fake ‘coding assignments’ to steal crypto
- Iplogger
- Infosecurity-magazine
- Thehackernews
- Bitdefender
- Csoonline
- Foreigninterference
- Cyberproof
- Sonatype
- Cybersecurity News — North Korea-Aligned Hackers Abuse GitHub Repositories to Infect Developers
- Socprime
- techjacksolutions.com — Hades Campaign Escalates PyPI Supply Chain Attack with AI Evasion, Cross-Platform Memory Scraping, and Wiper Capability
- Windowsforum
- OpenSSF (Open Source Security Foundation) — Mini Shai-Hulud: Where SLSA’s Boundaries Fall
- Safedep
- Threatlocker
- techjacksolutions.com — Miasma Supply Chain Worm Toolkit Leak Fuels Hades Campaign Against Open-Source Registries and CI/CD Pipelines
- Phoenix
- Pcrisk
- Appsecphoenix
- Safedep
- Mallory
- SecurityWeek — GlassWorm Botnet Disrupted
- csoonline.com — Meet Hades: The malware that lies to AI security agents
- gbhackers.com — North Korea Hackers Weaponize GitHub to Target Developers