
Phishing Attack Compromises npm Packages: 2025 Security Alert

By Melflix

Major npm packages hijacked in 2025 via stolen maintainer tokens. Expert analysis of the supply chain attack affecting millions of developers.


Key Takeaways

  • A sophisticated phishing campaign stole npm maintainer tokens, compromising 5 major packages.
  • The attack bypassed GitHub oversight by publishing directly to the npm registry.
  • Affected packages include eslint-config-prettier and synckit, with millions of weekly downloads.
  • Developers should enable 2FA and rotate tokens immediately to mitigate supply chain risks.

Which npm packages were compromised in the July 2025 phishing attack?

The July 2025 phishing attack compromised eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, and napi-postinstall. Attackers stole maintainer tokens to publish malicious versions capable of remote code execution on Windows systems. Developers must audit their dependencies and enable 2FA on all npm accounts immediately.

The 2025 npm Supply Chain Crisis: Analysis & Trade-offs

The JavaScript ecosystem faced a critical supply chain threat in July 2025. This attack highlights the fundamental trade-off between developer convenience and infrastructure security.

| Risk Factor | Impact Level | Mitigation Trade-off |
|---|---|---|
| Token Theft | High (Direct Registry Access) | Increased friction (Mandatory 2FA / Short-lived tokens) |
| Silent Publishing | Extreme (Bypasses GitHub CI) | Requires manual registry auditing |
| Payload Complexity | Medium (Rundll32 Execution) | Performance hit from deep security scanning |

Pros of Modern npm Security

  • Rapid Identification: Ecosystem-wide alerts (like Socket.dev) identify threats within hours.
  • Granular Permissions: Scoped tokens limit the blast radius of a single compromised key.

Cons to Consider

  • Maintainer Fatigue: Complex security requirements can slow down open-source contributions.

A New Wave of Supply Chain Attacks Hits npm

A highly targeted phishing attack has rocked the JavaScript ecosystem, resulting in malware-laden releases of several popular npm packages. The attackers, leveraging sophisticated social engineering, managed to steal a key maintainer’s credentials, enabling them to publish malicious package versions directly to the npm registry—bypassing all usual source code oversight[1][2][3].

“This incident shows how quickly phishing attacks on maintainers can escalate into ecosystem-wide threats.” — Socket

Figure: Phishing campaigns often use fake login pages that closely mimic real interfaces; here, a convincing npm clone landing page used to steal npm credentials. Credit: Socket.dev

What Happened: The Attack Unpacked

  1. Phishing Email Sent: Maintainers received emails impersonating npm, directing them to a convincing fake domain (“npnjs[.]com” instead of “npmjs[.]com”).
  2. Credential Theft: Unsuspecting victims entered their npm tokens on this replica page, handing attackers the keys to their packages.
  3. Malicious Packages Published: With the stolen tokens, attackers released rogue versions of widely used libraries, with no record on GitHub, making changes hard to detect[1][2][3].

Packages Impacted

| Package Name | Malicious Versions |
|---|---|
| eslint-config-prettier | 8.10.1, 9.1.1, 10.1.6, 10.1.7 |
| eslint-plugin-prettier | 4.2.2, 4.2.3 |
| synckit | 0.11.9 |
| @pkgr/core | 0.2.8 |
| napi-postinstall | 0.3.1 |

These packages collectively account for tens of millions of weekly downloads[2][3].

Figure: npm packages affected by the July 2025 attack, impacting millions of developers globally; packages hijacked through phishing. Credit: BleepingComputer

Technical Details: What Did the Malware Do?

  • Payload Behavior: Injected code attempted to execute a DLL via rundll32 on Windows, enabling potential remote code execution if triggered on a developer’s machine[2][4].
  • Attack Stealth: Since the npm registry itself was used for malicious updates, no suspicious commits or pull requests appeared on GitHub—obscuring the attack’s origin[4].

“The attackers used the stolen credentials to publish malicious versions of multiple packages without touching the GitHub repos, making the attack harder to spot.”[2]

A Bigger Pattern: The Rise of Software Supply Chain Threats

This is not an isolated event. Dozens of npm packages have been compromised in 2025 using similar social engineering and hijacking tactics, often with malware capable of:

  • Executing shell commands and uploading files
  • Harvesting system data and environment details
  • Creating persistent backdoors for remote access[5][6][7]

Some attacks were linked to state-sponsored actors and protestware, while others aimed to steal credentials or disrupt operations on specific websites—particularly targeting users with Russian or Belarusian settings[8][3].

Figure: Example of remote access trojan (RAT) infection vectors, including npm packages and Linux AUR; software supply chain hijack routes. Credit: BleepingComputer

In tandem, a separate but similarly dangerous incident struck Arch Linux users. Three packages in the Arch User Repository (AUR)—librewolf-fix-bin, firefox-patch-bin, and zen-browser-patched-bin—were discovered distributing the open-source Chaos RAT malware. This trojan enables adversaries to gain full control over Linux (and Windows) systems, with features like file upload/download, command execution, and persistent communication with command-and-control servers[9][10][11][12].

Community vigilance and swift removal by the Arch Linux team capped the spread, but users are urged to inspect their systems for suspicious executables like systemd-initd[9][10].

What Should Developers and Users Do?

If you use npm or AUR packages:

  • Immediately audit your installed package versions for the entries listed above and roll back if impacted.
  • Enable Two-Factor Authentication on your npm account.
  • Utilize scoped tokens, not passwords, for publishing[13].
  • Carefully review all package update notifications and verify the legitimacy of websites before entering credentials.

If you maintain open source packages:

  • Educate your contributors about phishing tactics, typosquatting domains, and suspicious npm emails.
  • Periodically rotate your tokens and monitor for unauthorized releases or version changes.

“Given the magnitude of the attack, we wanted to raise awareness about it as quickly as possible, so that people can protect themselves.” — Aikido Security[5]

The Broader Picture: Supply Chain Security is Everyone’s Responsibility

Incidents like this underscore the reality that attacks on developer infrastructure can ripple outwards with ecosystem-wide consequences. As open source remains foundational to the world’s software, heightened vigilance—from both users and maintainers—is the only way to blunt the impact of such sophisticated supply chain threats[14][2].


Frequently Asked Questions

Which npm packages were compromised in the July 2025 attack?

The compromised packages include eslint-config-prettier (8.10.1, 9.1.1, 10.1.6, 10.1.7), eslint-plugin-prettier (4.2.2, 4.2.3), synckit (0.11.9), @pkgr/core (0.2.8), and napi-postinstall (0.3.1). Collectively, these packages have tens of millions of weekly downloads.

How can I check if my project is affected?

Run npm ls in your project and cross-reference the installed versions against the malicious versions listed above. If any match, downgrade to the last known safe version immediately.

What should npm maintainers do to prevent this?

Enable two-factor authentication, use scoped access tokens instead of passwords, periodically rotate credentials, and educate contributors about phishing tactics and typosquatting domains.


Author & Methodology

Author: Melflix Security News Editorial Board

Last Updated: July 21, 2025

Methodology: This report is based on primary sources including Socket.dev’s incident analysis, BleepingComputer’s technical writeup, Aikido Security’s advisory, and direct verification of affected package versions on the npm registry.
