Phishing Attack Compromises npm Packages
A New Wave of Supply Chain Attacks Hits npm
A highly targeted phishing attack has rocked the JavaScript ecosystem, resulting in malware-laden releases of several popular npm packages. The attackers, leveraging sophisticated social engineering, managed to steal a key maintainer’s credentials, enabling them to publish malicious package versions directly to the npm registry—bypassing all usual source code oversight[1][2][3].
“This incident shows how quickly phishing attacks on maintainers can escalate into ecosystem-wide threats.” — Socket
What Happened: The Attack Unpacked
- Phishing Email Sent: Maintainers received emails impersonating npm, directing them to a convincing fake domain (“npnjs[.]com” instead of “npmjs[.]com”).
- Credential Theft: Unsuspecting victims entered their npm tokens on this replica page, handing attackers the keys to their packages.
- Malicious Packages Published: With the stolen tokens, attackers released rogue versions of widely used libraries, with no record on GitHub, making changes hard to detect[1][2][3].
Packages Impacted
| Package Name | Malicious Versions |
|---|---|
| eslint-config-prettier | 8.10.1, 9.1.1, 10.1.6, 10.1.7 |
| eslint-plugin-prettier | 4.2.2, 4.2.3 |
| synckit | 0.11.9 |
| @pkgr/core | 0.2.8 |
| napi-postinstall | 0.3.1 |
These packages collectively account for tens of millions of weekly downloads[2][3].
packages hijacked through phishing. Credit: BleepingComputer*
Technical Details: What Did the Malware Do?
- Payload Behavior: Injected code attempted to execute a DLL via
rundll32on Windows, enabling potential remote code execution if triggered on a developer’s machine[2][4]. - Attack Stealth: Since the npm registry itself was used for malicious updates, no suspicious commits or pull requests appeared on GitHub—obscuring the attack’s origin[4].
“The attackers used the stolen credentials to publish malicious versions of multiple packages without touching the GitHub repos, making the attack harder to spot.”[2]
A Bigger Pattern: The Rise of Software Supply Chain Threats
This is not an isolated event. Dozens of npm packages have been compromised in 2025 using similar social engineering and hijacking tactics, often with malware capable of:
- Executing shell commands and uploading files
- Harvesting system data and environment details
- Creating persistent backdoors for remote access[5][6][7]
Some attacks were linked to state-sponsored actors and protestware, while others aimed to steal credentials or disrupt operations on specific websites—particularly targeting users with Russian or Belarusian settings[8][3].
—librewolf-fix-bin, firefox-patch-bin, and zen-browser-patched-bin—were discovered distributing the open-source Chaos RAT malware. This trojan enables adversaries to gain full control over Linux (and Windows) systems, with features like file upload/download, command execution, and persistent communication with command-and-control servers[9][10][11][12].
Community vigilance and swift removal by the Arch Linux team capped the spread, but users are urged to inspect their systems for suspicious executables like systemd-initd[9][10].
What Should Developers and Users Do?
If you use npm or AUR packages:
- Immediately audit your installed package versions for the entries listed above and roll back if impacted.
- Enable Two-Factor Authentication on your npm account.
- Utilize scoped tokens, not passwords, for publishing[13].
- Carefully review all package update notifications and verify the legitimacy of websites before entering credentials.
If you maintain open source packages:
- Educate your contributors about phishing tactics, typosquatting domains, and suspicious npm emails.
- Periodically rotate your tokens and monitor for unauthorized releases or version changes.
“Given the magnitude of the attack, we wanted to raise awareness about it as quickly as possible, so that people can protect themselves.” — Aikido Security[5]
The Broader Picture: Supply Chain Security is Everyone’s Responsibility
Incidents like this underscore the reality that attacks on developer infrastructure can ripple outwards with ecosystem-wide consequences. As open source remains foundational to the world’s software, heightened vigilance—from both users and maintainers—is the only way to blunt the impact of such sophisticated supply chain threats[14][2].
