A new supply chain attack resulted in the delivery of malware via popular NPM packages after the maintainers’ accounts were compromised.
First reported last week, the attacks start with a phishing email that relies on a typosquatted domain to impersonate the Node.js package registry.
The attackers created a full copy of the NPM website at ‘npnjs.com’, and used it to send legitimate-looking emails to multiple developers, prompting them to provide their login credentials.
The emails contained tokenized URLs, which allow the attackers to track clicks, pre-fill victim data on the phishing site, or generate fake sessions to mimic NPM’s login process. The messages also contained support links to the legitimate npmjs.com site.
Shortly after security firm Socket flagged such a phishing email sent to the maintainer of packages with 34 million combined weekly downloads, several popular NPM packages were reported as compromised as part of the phishing campaign.
Malicious versions of these packages – including eslint-config-prettier, eslint-plugin-prettier, napi-postinstall, @pkgr/core, and synckit – that were published to the registry, without corresponding commits on GitHub, attempted to execute a malicious DLL on Windows systems.
“The maintainer confirmed their NPM token was compromised via the npnjs.com phishing email. The attackers used the stolen credentials to publish malicious versions of multiple packages without touching the GitHub repos, making the attack harder to spot,” Socket notes.
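One cheap triage check for the pattern Socket describes, added here as an example (not code from Socket or from any of the affected projects): compare the versions the registry lists for a package against the release tags in its source repository, and flag any version that exists only on the registry. The package metadata and the tag list below are constructed samples with a hypothetical package name.

```python
from datetime import datetime

# Constructed, abridged npm "packument" (the registry metadata document for
# one package, normally fetched from https://registry.npmjs.org/<name>).
# Its "time" map records when each version was published. Values are made up.
SAMPLE_PACKUMENT = {
    "name": "example-pkg",  # hypothetical package name
    "dist-tags": {"latest": "1.2.3"},
    "time": {
        "created": "2024-01-01T00:00:00.000Z",
        "modified": "2025-07-18T22:10:00.000Z",
        "1.2.1": "2025-05-02T09:00:00.000Z",
        "1.2.2": "2025-06-10T11:30:00.000Z",
        "1.2.3": "2025-07-18T22:10:00.000Z",
    },
}

# Constructed output of `git tag` from the package's source repository.
SAMPLE_GIT_TAGS = ["v1.2.1", "v1.2.2"]


def published_versions(packument):
    """Published versions in publish order, oldest first."""
    stamps = {k: datetime.fromisoformat(v.replace("Z", "+00:00"))
              for k, v in packument["time"].items()
              if k not in ("created", "modified")}
    return [v for v, _ in sorted(stamps.items(), key=lambda kv: kv[1])]


def versions_without_tag(packument, git_tags, tag_prefix="v"):
    """Registry versions with no matching release tag in git: the pattern
    of a publish made with a stolen token and never committed to the repo."""
    tagged = {t[len(tag_prefix):] if t.startswith(tag_prefix) else t
              for t in git_tags}
    return [v for v in published_versions(packument) if v not in tagged]


def audit(packument, git_tags):
    """Say whether 'latest' is backed by a git tag and what to pin instead."""
    suspect = versions_without_tag(packument, git_tags)
    latest = packument["dist-tags"]["latest"]
    good = [v for v in published_versions(packument) if v not in suspect]
    return {
        "latest": latest,
        "latest_suspect": latest in suspect,
        "suspect_versions": suspect,
        "pin": good[-1] if good else None,  # newest version that has a tag
    }
```

A matching tag only shows the release was announced in git, not that the published tarball matches the tagged tree, so treat a hit as a reason to diff the tarball against the tag rather than as proof either way.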
Prettier and ESLint integrations are used across thousands of projects, and the impact of this compromise could be devastating, as the deployed malware is reportedly difficult to remove.
Shortly after, software engineer Jordan Harband warned that the ‘is’ package, which has well over 2 million weekly downloads, was also compromised. Fully cross-platform, the package can run on Windows, Linux, and macOS, suggesting that the attackers were likely looking to expand their reach.
“The old owner was somehow removed from the NPM package, and emailed me to be re-added. Everything seemed normal, so I obliged (irritated [that] the NPM would remove an owner without notifying the other owners) and the next morning this was published,” he explained.
The got-fetch package, which has over 20,000 weekly downloads, was also compromised as part of the campaign, Socket says.
According to DeceptIQ founder and CEO Rad Kawar, the attackers likely extracted developer email addresses from package metadata, set up the necessary infrastructure, and built a loader and credential stealer to be used in the supply chain attack.
Kawar explains that the attackers likely abused the NPM authentication mechanism to generate login links and steal access tokens that do not expire, pointing out that the developer is never notified that a token was requested from a different machine.
The malicious code injected into eslint-config-prettier was a loader that deployed the Scavenger malware when the package was executed, Canadian cybersecurity startup Invoke RE explains.
The loader was compiled on the same day that the malicious package was published to the registry and contained various anti-analysis and anti-detection techniques.
The loader was seen requesting a payload from its command-and-control (C&C) server, which turned out to be an information stealer targeting Chromium-based browsers.
Dubbed Scavenger, the malware extracts information related to browser extensions, cached data from ServiceWorkerCache and DawnWebGPUCache, and browser history. Reportedly, it can also disable security alerts in Chrome.