Threat Actors Hijack Popular npm Packages to Steal Project Maintainers’ Authentication Tokens

In a sophisticated supply chain attack, cybercriminals have compromised several widely used npm packages, including `eslint-config-prettier` and `eslint-plugin-prettier`. The attackers stole maintainer authentication tokens through a targeted phishing campaign, enabling them to publish malicious versions of these packages directly to the npm registry.

Phishing Tactics and Credential Theft

The attackers employed a typosquatting technique by creating a deceptive domain, `npnjs.com`, which closely resembles the legitimate `npmjs.org` site. They sent convincing phishing emails to package maintainers, directing them to this fraudulent site to harvest their credentials. Once the maintainers entered their login information, the attackers gained unauthorized access to their npm accounts.
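The lookalike domain is the whole trick here: `npnjs.com` differs from `npmjs.com` by a single character. The following Node.js snippet is an added example, not code from the article, showing how a mail gateway or a maintainer's own link-checking script can flag such near-misses: it reduces a link's hostname to its registrable domain, compares it against an allow-list of expected hosts, and reports any domain within a small edit distance as a lookalike. The allow-list (`LEGIT_HOSTS`) and the sample links are assumptions constructed for the example; the two-label `baseDomain` reduction is adequate for `.com`/`.org` but not for multi-part public suffixes such as `.co.uk`.

```javascript
// Added example (not from the article): flag links whose host is not an
// expected npm host but sits within a small edit distance of one, the way
// npnjs.com imitates npmjs.com. Plain Node.js, no third-party modules.

// Hosts that npm account mail is expected to link to (assumption: replace
// with your own allow-list).
const LEGIT_HOSTS = ["npmjs.com", "npmjs.org", "github.com"];

// Classic Levenshtein edit distance between two strings.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(
        dp[i - 1][j] + 1,      // deletion
        dp[i][j - 1] + 1,      // insertion
        dp[i - 1][j - 1] + cost // substitution
      );
    }
  }
  return dp[a.length][b.length];
}

// Reduce "www.npmjs.com" or "registry.npmjs.org" to its last two labels.
// Sufficient for .com/.org; not for suffixes such as .co.uk.
function baseDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Classify one link: "legit", "lookalike" (near-miss of an allowed host),
// "unrelated", or "invalid" when the URL does not parse.
function classifyLink(href, maxDistance = 2) {
  let host;
  try {
    host = new URL(href).hostname;
  } catch {
    return { verdict: "invalid", host: null, closest: null, distance: null };
  }
  const base = baseDomain(host);
  if (LEGIT_HOSTS.includes(base)) {
    return { verdict: "legit", host, closest: base, distance: 0 };
  }
  let closest = null;
  let best = Infinity;
  for (const legit of LEGIT_HOSTS) {
    const d = editDistance(base, legit);
    if (d < best) {
      best = d;
      closest = legit;
    }
  }
  const verdict = best <= maxDistance ? "lookalike" : "unrelated";
  return { verdict, host, closest, distance: best };
}

// Constructed sample links for the demonstration (not URLs taken from the
// phishing campaign itself).
const SAMPLE_LINKS = [
  "https://www.npmjs.com/settings/tokens",
  "https://npnjs.com/login",
  "https://registry.npmjs.org/eslint-config-prettier",
  "https://example.com/unrelated",
];

// Triage a batch of links; returns one record per link.
function triage(links = SAMPLE_LINKS) {
  return links.map((href) => ({ href, ...classifyLink(href) }));
}

for (const r of triage()) {
  console.log(r.verdict.padEnd(10), r.href, r.closest ?? "", r.distance ?? "");
}
```

Run it with `node lookalike.js`; the `npnjs.com` link is reported as a lookalike of `npmjs.com` at distance 1, while the `www.` and `registry.` hosts resolve to allowed domains. A distance threshold of 2 catches single-character swaps and transposition-style typos without flagging every unrelated domain.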

Silent Infiltration into npm Packages

With the stolen credentials, the threat actors published malicious versions of popular npm packages without making any corresponding changes to the associated GitHub repositories. This method allowed the malicious code to infiltrate the npm ecosystem undetected, as traditional monitoring tools often rely on GitHub activity to flag suspicious changes.

Affected Packages and Malicious Payload

The compromised packages and their malicious versions include:

– `eslint-config-prettier` versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7
– `eslint-plugin-prettier` versions 4.2.2 and 4.2.3
– `synckit` version 0.11.9
– `@pkgr/core` version 0.2.8
– `napi-postinstall` version 0.3.1

The malicious code specifically targets Windows systems by attempting to load and execute a DLL file named `node-gyp.dll` using the Windows `rundll32` utility. This payload potentially grants attackers complete system access and the ability to execute arbitrary code on compromised machines.
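Because the compromised versions are known exactly, the first thing to do on any affected project is check the lockfile rather than `package.json`, since a caret range can have pulled one of them in silently. The script below is an added example, not tooling from the article or the affected projects: it walks both lockfile layouts (`packages` for lockfile v2/v3, nested `dependencies` for v1), including nested `node_modules` copies, and reports every install that matches the version list above. The sample lockfile embedded at the end is constructed for the demonstration.

```javascript
// Added example (not from the article): scan a package-lock.json for the
// compromised versions named in the article. Plain Node.js, no third-party
// modules.

// Affected package versions exactly as reported.
const COMPROMISED = {
  "eslint-config-prettier": ["8.10.1", "9.1.1", "10.1.6", "10.1.7"],
  "eslint-plugin-prettier": ["4.2.2", "4.2.3"],
  "synckit": ["0.11.9"],
  "@pkgr/core": ["0.2.8"],
  "napi-postinstall": ["0.3.1"],
};

// Derive the package name from a lockfile v2/v3 "packages" key such as
// "node_modules/synckit/node_modules/@pkgr/core" (text after the last
// "node_modules/" segment, which keeps scoped names intact).
function nameFromPath(pkgPath) {
  const idx = pkgPath.lastIndexOf("node_modules/");
  return idx === -1 ? null : pkgPath.slice(idx + "node_modules/".length);
}

// Yield { name, version, where } for every installed package in either layout.
function* lockfileEntries(lock) {
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      const name = meta.name || nameFromPath(p);
      if (name && meta.version) yield { name, version: meta.version, where: p };
    }
    return;
  }
  // v1 layout: a nested "dependencies" tree.
  function* walk(deps, prefix) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = `${prefix}node_modules/${name}`;
      if (meta.version) yield { name, version: meta.version, where };
      yield* walk(meta.dependencies, `${where}/`);
    }
  }
  yield* walk(lock.dependencies, "");
}

// Return every installed (name, version) pair that is on the compromised list.
function findCompromised(lock) {
  const hits = [];
  for (const entry of lockfileEntries(lock)) {
    const bad = COMPROMISED[entry.name];
    if (bad && bad.includes(entry.version)) hits.push(entry);
  }
  return hits;
}

// Convenience wrapper for raw lockfile text.
function scanLockfileText(text) {
  return findCompromised(JSON.parse(text));
}

// Constructed sample lockfile (v3 layout): one top-level hit, one hit in a
// nested node_modules copy, and two clean versions.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/eslint-config-prettier": { version: "10.1.7" },
    "node_modules/eslint-plugin-prettier": { version: "4.2.1" },
    "node_modules/synckit": { version: "0.11.8" },
    "node_modules/synckit/node_modules/@pkgr/core": { version: "0.2.8" },
  },
});

// Usage: node scan-lock.js [path/to/package-lock.json]
// Falls back to the constructed sample when no path is given.
const lockText = process.argv[2]
  ? require("node:fs").readFileSync(process.argv[2], "utf8")
  : SAMPLE_LOCK;
const hits = scanLockfileText(lockText);
if (hits.length === 0) {
  console.log("no compromised versions found");
} else {
  for (const h of hits) console.log(`COMPROMISED ${h.name}@${h.version} at ${h.where}`);
}
```

Run it against a real lockfile with `node scan-lock.js package-lock.json`; on the sample it reports `eslint-config-prettier@10.1.7` and the nested `@pkgr/core@0.2.8`. Note that `npm ls` only shows the dependency graph for the versions currently in the lockfile, so this check belongs in CI where every lockfile change is scanned, not just on a developer's machine.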

Infection Mechanism and Persistence

The attack also exploited how accessible npm’s metadata is: registration emails and maintainer details are public and easily scraped, which let the threat actors build a comprehensive target list. The malicious payload uses Windows-specific execution techniques, giving it persistence and remote code execution on Windows hosts while remaining dormant on other platforms. This shows the attackers’ familiarity with cross-platform development environments and their ability to craft payloads that maximize impact on the intended targets while minimizing detection elsewhere.

Broader Context of npm Supply Chain Attacks

This incident is part of a growing trend of supply chain attacks targeting the npm ecosystem. In recent months, multiple campaigns have been identified where threat actors have published malicious packages to npm, aiming to compromise developers and organizations. For instance, in May 2025, researchers discovered 60 malicious packages on npm that collected sensitive host and network data, exfiltrating it to attacker-controlled servers. These packages were uploaded using typosquatting techniques, mimicking legitimate packages to deceive developers.

Another notable case involved the compromise of the `rand-user-agent` package, which had approximately 45,000 weekly downloads. The attackers injected obfuscated code that activated a remote access trojan (RAT) on the user’s system, highlighting the potential scale and impact of such supply chain attacks.

Recommendations for Developers and Organizations

To mitigate the risks associated with such supply chain attacks, developers and organizations should adopt the following practices:

1. Verify Package Authenticity: Before incorporating new packages or updating existing ones, verify their authenticity by checking the official repository and associated GitHub activity.

2. Monitor for Suspicious Activity: Implement monitoring tools that can detect unusual package behaviors, such as unexpected updates or the presence of obfuscated code.

3. Educate on Phishing Risks: Provide training to developers and maintainers on recognizing and avoiding phishing attempts, emphasizing the importance of verifying URLs and not sharing credentials.

4. Implement Multi-Factor Authentication (MFA): Enable MFA for all accounts associated with package maintenance to add an extra layer of security against unauthorized access.

5. Regularly Audit Dependencies: Conduct regular audits of project dependencies to identify and address potential vulnerabilities introduced by third-party packages.

Conclusion

The recent hijacking of popular npm packages underscores the critical need for vigilance in the software development community. Supply chain attacks exploit the trust developers place in widely used packages, making it imperative to implement robust security measures and maintain awareness of emerging threats. By adopting proactive strategies and fostering a culture of security, developers and organizations can better protect their projects and users from such sophisticated attacks.