Lazarus Group Uses npm Brandjacking Campaign to Target Developers
ID: 2fe05b66-d08a-5f4a-8a47-17b1f7afbe1b
STIX ID: report--2fe05b66-d08a-5f4a-8a47-17b1f7afbe1b
Feed Name: HackRead
Sonatype researchers identified a Lazarus-linked npm supply-chain campaign that uses brandjacked package names (e.g., buffer-utilities) to drop and execute malicious JavaScript. The script fetches further payloads from www.jsonkeeper.com, installs a Node.js backdoor/downloader, creates hidden .vscode folders, and contacts C2 infrastructure (notably 45.59.163.198:1244). Organizations are advised to remove affected packages (e.g., buffer-utilities v1.0.0 / sonatype-2026-003558), scan developer systems and build environments for the listed IOCs, and investigate for persistent or secondary payloads.
