Lazarus Group’s Latest: Brandjacking Campaign on npm
TL;DR
- Sonatype Security Research is tracking a Lazarus Group npm campaign using dozens of malicious packages to abuse developer trust and deliver follow-on payloads.
- The campaign goes beyond typosquatting, relying on brandjacking tactics like suffix addition, embedding, and version mimicry to make packages look ecosystem-adjacent.
- Analysis of buffer-utilities shows a malicious dropper that fetches and executes remote payloads, setting the stage for ongoing attacker-controlled intrusions.
- Organizations that installed affected packages should remove them, investigate for second-stage activity, and treat impacted systems as potentially compromised.
Sonatype is tracking a Lazarus Group campaign on npm, consisting of dozens of packages, some with up to 500 weekly downloads, aiming to abuse trust in open source to deploy malware. Leveraging tactics like suffix addition, embedding, version mimicry, and more, brandjacking packages like these are designed to look like something that would belong in a developer environment.
These aren’t mere typosquats. In this campaign, attackers seek to dupe developers looking for Buffer, Chai, React, and more, to deploy secondary, more nefarious payloads. We took a closer look at the malicious buffer-utilities package to understand attacker intentions.
Affected systems should be treated as potentially compromised if the package was downloaded. Removing the package is strongly recommended, but removal alone may not be sufficient if the second-stage payload has already executed. Organizations that installed this package should investigate the host for follow-on malicious behavior and remediate as appropriate.
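The three naming tactics above (suffix addition, embedding, version mimicry) can be turned into a triage heuristic for a project's dependency list. The following is an added example, not code from the Sonatype post, and the brand list, allowlist and sample package.json are constructed; only buffer-utilities is a name taken from the post. It flags candidates for review rather than giving a verdict, since many legitimate packages (react-dom, for instance) also embed a brand, which is why an allowlist is needed.

```javascript
// Brands named in the post; extend with the projects your organization depends on.
const KNOWN_BRANDS = ['buffer', 'chai', 'react'];
// Constructed allowlist of legitimate brand-derived names; in practice build this
// from your own approved-dependency inventory or the brand's official npm scope.
const ALLOWLIST = new Set(['react-dom', 'chai-as-promised']);

// Classify one package name against the known brands. Returns null when no brand
// appears in the name, otherwise the brand and the brandjacking tactic it resembles.
function classifyName(name, brands = KNOWN_BRANDS) {
  const n = name.toLowerCase();
  for (const brand of brands) {
    if (n === brand) return { brand, tactic: 'legitimate-exact' };
    // Version mimicry: brand followed by a version-looking token, e.g. chai-v5, buffer2.
    if (new RegExp(`^${brand}[-_.]?v?\\d+`).test(n)) return { brand, tactic: 'version-mimicry' };
    // Suffix addition: brand plus a plausible utility suffix, e.g. buffer-utilities.
    const suffix = '(utils?|utilities|helpers?|core|lib|tools?|plus|pro|extra)';
    if (new RegExp(`^${brand}[-_.]${suffix}$`).test(n)) return { brand, tactic: 'suffix-addition' };
    // Embedding: brand buried inside a longer, otherwise unrelated name (scoped names too).
    if (n.includes(brand)) return { brand, tactic: 'embedding' };
  }
  return null;
}

// Walk dependencies and devDependencies of a parsed package.json and return the
// names that resemble a brandjacking tactic and are not explicitly allowlisted.
function scanDependencies(pkgJson) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (ALLOWLIST.has(name)) continue;
    const hit = classifyName(name);
    if (hit && hit.tactic !== 'legitimate-exact') findings.push({ name, version: deps[name], ...hit });
  }
  return findings;
}

// Constructed sample manifest for demonstration (not a real project's package.json).
const SAMPLE_PACKAGE_JSON = {
  dependencies: { buffer: '^6.0.3', 'buffer-utilities': '1.0.0', 'react-dom': '^18.2.0', 'chai-v5': '5.0.0' },
  devDependencies: { 'supercharged-react-toolkit': '0.1.0' },
};

console.log(JSON.stringify(scanDependencies(SAMPLE_PACKAGE_JSON), null, 2));
```

A hit only means the name warrants a look at the package's publisher, age, download history and install scripts before it is trusted.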
Brandjacking Is More Than Typosquatting
Typosquatting remains a real threat, but it is no longer enough to think only in terms of misspelled package names. In fact, Sonatype recently found that only 9% of brandjacking packages rely on misspellings alone.
Brandjacking is the use of package names and contents that appear connected to legitimate projects or ecosystems to disguise malicious packages on open source. Typosquatting (Read more...)
*** This is a Security Bloggers Network syndicated blog from 2024 Sonatype Blog authored by Sonatype Security Research Team. Read the original post at: https://www.sonatype.com/blog/lazarus-groups-latest-brandjacking-campaign-on-npm