A reported Lazarus-linked brandjacking campaign against npm developers shows how package identity, install-time behavior, and secret-rich workstations can turn routine dependency work into a security event.
A bogus “tanstack” npm package silently stole sensitive credentials from unsuspecting developers, exposing the dangers of brandjacking in open-source supply chains.