buffer-utilities: Lazarus Group npm Brandjacking Dropper
Confirmed. Discovered Jun 18, 2026.
Sonatype and JFrog describe buffer-utilities as a malicious npm brandjacking package in a Lazarus Group campaign; the package acts as a dropper that fetches and launches remote payloads.
Affected Packages: 3. Observables: 13. Sources: 3.
Timeline
| Date | Event | Description | Source |
|---|---|---|---|
| Jun 18, 2026 | Fresh source review | Reviewed direct and primary sources for the last-two-weeks supply-chain refresh; this preview intentionally excludes older Halting Problems article data. | Primary research |
Affected Software
| Package | Ecosystem | Version Range | Status | Confidence | Source |
|---|---|---|---|---|---|
| buffer-utilities | npm | 1.0.0 | Malicious | 90% | Primary research |
| buffer-utilities | npm | 1.1.0 | Malicious | 90% | Primary research |
| buffer-utilities | npm | 1.1.1 | Malicious | 90% | Primary research |
IOC Clipboard
13 IOCs
| Type | Value |
|---|---|
| domain | registry.npmjs.org |
| url | https://registry.npmjs.org/buffer-utilities |
| url | https://registry.npmjs.org/buffer-utilities/-/buffer-utilities-1.0.0.tgz |
| url | https://registry.npmjs.org/buffer-utilities/-/buffer-utilities-1.1.0.tgz |
| url | https://registry.npmjs.org/buffer-utilities/-/buffer-utilities-1.1.1.tgz |
| url | https://registry.npmjs.org/buffer-utilities/-/buffer-utilities-0.0.1-security.tgz |
| file_path | setup.cjs |
| file_path | .vscode |
| file_path | .pkg_history |
| file_path | .pkg_logs |
| command | postinstall |
| command | node setup.cjs --no-warnings |
| command | spawn(process.execPath, ..., detached: true) |
Provenance & Sources
| Source | Type | Reliability | Claims | Evidence |
|---|---|---|---|---|
| Primary research | primary research | 95% | 1 | https://www.sonatype.com/blog/lazarus-groups-latest-brandjacking-campaign-on-npm |
| Primary research | primary research | 95% | 1 | https://research.jfrog.com/post/easy-day-js/ |
| Primary research | primary research | 95% | 1 | https://registry.npmjs.org/buffer-utilities |