{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/node.js-runtime/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Lazarus Group","HIDDEN COBRA","LABYRINTH CHOLLIMA","Diamond Sleet","Zinc"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["npm package manager","Node.js runtime"],"_cs_severities":["high"],"_cs_tags":["supply-chain-attack","npm","brandjacking","Lazarus-Group","nodejs","malware"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eThe Lazarus Group, a state-sponsored threat actor, has launched a sophisticated brandjacking campaign targeting the npm ecosystem, leveraging deceptive package names to abuse developer trust. Active since at least early 2026, this campaign involves dozens of malicious packages, with some seeing up to 500 weekly downloads, designed to appear legitimate or ecosystem-adjacent. These packages, exemplified by \u0026quot;buffer-utilities,\u0026quot; go beyond simple typosquatting by employing suffix addition, version mimicry, and embedding legitimate code to evade scrutiny. Upon installation, the packages act as droppers, fetching and executing a multi-stage Node.js backdoor from remote infrastructure like \u003ccode\u003ewww.jsonkeeper.com\u003c/code\u003e. This backdoor enables extensive reconnaissance, C2 communication, and the deployment of persistent attacker-controlled code, posing a significant supply chain risk to organizations whose developers use npm.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: A developer installs a malicious npm package (e.g., \u003ccode\u003ebuffer-utilities\u003c/code\u003e), mistaking it for a legitimate or related package due to brandjacking techniques like suffix addition, version mimicry, or embedding legitimate code.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDropper Execution\u003c/strong\u003e: Upon installation or execution, the malicious package's embedded JavaScript code runs, decoding Base64-encoded URLs pointing to external payload servers.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Fetching\u003c/strong\u003e: The malicious code initiates an outbound network connection, typically from a Node.js process, to download additional payloads from command-and-control infrastructure (e.g., \u003ccode\u003ewww.jsonkeeper.com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSecond-Stage Backdoor Deployment\u003c/strong\u003e: The downloaded Node.js backdoor executes, performing host reconnaissance by collecting system information such as hostname, username, operating system, home directory, and active process arguments.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control (C2) Communication\u003c/strong\u003e: The Node.js backdoor establishes persistent communication with its C2 server to retrieve configuration data and report collected telemetry back to the attackers.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence \u0026amp; Third-Stage Payload\u003c/strong\u003e: Following C2 instructions, the backdoor creates a hidden \u003ccode\u003e.vscode\u003c/code\u003e directory in the user's home folder, downloads further files (including \u003ccode\u003ef.js\u003c/code\u003e and a malicious \u003ccode\u003epackage.json\u003c/code\u003e), and executes \u003ccode\u003enpm install --silent\u003c/code\u003e to fetch dependencies before launching \u003ccode\u003ef.js\u003c/code\u003e as a detached background process.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eOngoing Control \u0026amp; Updates\u003c/strong\u003e: The deployed payload includes an update mechanism, allowing it to periodically reconnect to the C2 server, check for newer payload versions, and replace local files, ensuring continuous attacker access and control over the infected system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis campaign represents a critical supply chain threat, particularly for organizations relying on the npm ecosystem for software development. Successful compromise means developers' systems are backdoored, potentially leading to intellectual property theft, credential compromise, further network intrusion, and disruption of development pipelines. The Node.js backdoor functions as a persistent staging framework, allowing the Lazarus Group to deploy additional malicious code and maintain long-term control. While specific victim counts are not disclosed, the wide reach of npm and the reported download numbers (up to 500 weekly for some packages) suggest a broad potential impact across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Node.js Process Connecting to \u003ccode\u003ewww.jsonkeeper.com\u003c/code\u003e\u0026quot; to your SIEM to identify direct C2 communication.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026quot;Detect \u003ccode\u003enpm install --silent\u003c/code\u003e Execution\u0026quot; to flag automated and potentially malicious package installations.\u003c/li\u003e\n\u003cli\u003eBlock network connections to \u003ccode\u003ewww.jsonkeeper.com\u003c/code\u003e at the perimeter firewall or DNS resolver, as listed in the IOCs section.\u003c/li\u003e\n\u003cli\u003eOrganizations that installed packages associated with Sonatype-2026-003558 (e.g., \u003ccode\u003ebuffer-utilities\u003c/code\u003e version \u003ccode\u003e1.0.0\u003c/code\u003e) should remove them and treat affected hosts as potentially compromised.\u003c/li\u003e\n\u003cli\u003eInvestigate compromised systems for evidence of second-stage payload execution, hidden \u003ccode\u003e.vscode\u003c/code\u003e directories containing suspicious files like \u003ccode\u003ef.js\u003c/code\u003e or \u003ccode\u003epackage.json\u003c/code\u003e, and any unusual process activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-14T09:03:40Z","date_published":"2026-06-14T09:03:40Z","id":"https://feed.craftedsignal.io/briefs/2026-06-lazarus-npm-brandjacking/","summary":"The Lazarus Group is conducting a brandjacking campaign on npm, using dozens of malicious packages like 'buffer-utilities' to deploy a Node.js backdoor that collects host information, establishes C2 communication, and maintains persistent attacker-controlled code execution, primarily targeting developers.","title":"Lazarus Group's Brandjacking Campaign on npm Delivers Persistent Node.js Backdoor","url":"https://feed.craftedsignal.io/briefs/2026-06-lazarus-npm-brandjacking/"}],"language":"en","title":"CraftedSignal Threat Feed - Node.js Runtime","version":"https://jsonfeed.org/version/1.1"}