A deceptive and highly targeted phishing campaign has successfully compromised several popular npm packages, including eslint-config-prettier, eslint-plugin-prettier, and synckit, after stealing credentials from a key maintainer. The attack, discovered by engineers at Socket, involved a sophisticated typosquatting domain—npnjs.com—used to harvest npm tokens through a spoofed login interface.
“One of our engineers recently encountered a phishing email that attempted to impersonate npm,” Socket reports. “The email spoofed the support@npmjs.org address and contained a link to npnjs.com (note the ‘n’ instead of ‘m’).”
The phishing email directed recipients to https://npnjs.com/login, a near-exact clone of the legitimate npm website. The attackers even embedded real npmjs.com links in the email to boost credibility. The fake domain was designed to steal login credentials and authentication tokens from unsuspecting maintainers.
“The tokenized URL hints at semi-targeted efforts, potentially focusing on active package maintainers with significant reach.”
The victim in this case maintains packages with over 34 million weekly downloads—a prime target for a supply chain breach.
Once the attacker gained access to the maintainer’s npm token, they published malicious versions of widely used packages directly to the npm registry—bypassing GitHub entirely. This made detection far more difficult.
The following versions were compromised and later flagged as malicious:
- eslint-config-prettier: 8.10.1, 9.1.1, 10.1.6, 10.1.7
- eslint-plugin-prettier: 4.2.2, 4.2.3
- synckit: 0.11.9
- @pkgr/core: 0.2.8
- napi-postinstall: 0.3.1
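A practical first check after an incident like this is to confirm whether any of the exact versions listed above made it into a project's lockfile. The script below is an added example, not code from Socket or from the affected packages: it scans a `package-lock.json` object (the v2/v3 `packages` map, falling back to the v1 `dependencies` tree) against the compromised versions named in this article. The lockfile content embedded in it is constructed sample data for demonstration.

```javascript
// Added example (not from the Socket report): scan an npm lockfile for the
// compromised versions named in the article. SAMPLE_LOCKFILE below is
// constructed test data, not a real project's lockfile.

// Exact versions the article lists as malicious.
const COMPROMISED_VERSIONS = {
  "eslint-config-prettier": ["8.10.1", "9.1.1", "10.1.6", "10.1.7"],
  "eslint-plugin-prettier": ["4.2.2", "4.2.3"],
  "synckit": ["0.11.9"],
  "@pkgr/core": ["0.2.8"],
  "napi-postinstall": ["0.3.1"],
};

// Lockfile v2/v3 keys each installed package by its path, e.g.
// "node_modules/a/node_modules/b". Take the segment after the last
// "node_modules/" so scoped names such as "@pkgr/core" survive intact.
function packageNameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

function isCompromised(name, version) {
  const bad = COMPROMISED_VERSIONS[name];
  return Boolean(bad && bad.includes(version));
}

// Lockfile v1 nests transitive dependencies under each entry's
// "dependencies" object; walk it recursively, recording the install path.
function walkV1(deps, prefix, hits) {
  if (!deps) return;
  for (const [name, entry] of Object.entries(deps)) {
    const path = `${prefix}node_modules/${name}`;
    if (isCompromised(name, entry.version)) {
      hits.push({ path, name, version: entry.version });
    }
    walkV1(entry.dependencies, `${path}/`, hits);
  }
}

// Returns every installed (path, name, version) triple that matches the
// list, including nested duplicates that a flat "npm ls" glance can miss.
function findCompromised(lockfile) {
  const hits = [];
  if (lockfile.packages) {
    for (const [path, entry] of Object.entries(lockfile.packages)) {
      if (path === "") continue; // the root project entry
      const name = packageNameFromPath(path);
      if (isCompromised(name, entry.version)) {
        hits.push({ path, name, version: entry.version });
      }
    }
  } else {
    walkV1(lockfile.dependencies, "", hits);
  }
  return hits;
}

// Constructed sample: one direct hit and one nested hit among clean packages.
const SAMPLE_LOCKFILE = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/eslint-config-prettier": { version: "10.1.7" },
    "node_modules/prettier": { version: "3.3.3" },
    "node_modules/synckit": { version: "0.11.8" },
    "node_modules/eslint-plugin-prettier": { version: "5.1.3" },
    "node_modules/eslint-plugin-prettier/node_modules/synckit": { version: "0.11.9" },
    "node_modules/@pkgr/core": { version: "0.2.7" },
  },
};

const hits = findCompromised(SAMPLE_LOCKFILE);
for (const h of hits) {
  console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}`);
}
if (hits.length === 0) console.log("no listed versions found");
```

To run it against a real project, replace `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. The check is deliberately exact-match on the versions the article names; it says nothing about other versions or other indicators, so treat a clean result as one input to triage, not as a clearance.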
These packages contained injected code designed to target Windows environments, attempting to load a malicious DLL (node-gyp.dll) via rundll32, which could potentially lead to remote code execution.
“The new versions contained malicious code, including a Windows-specific payload attempting to load node-gyp.dll via rundll32.”
With Prettier and ESLint integrations used in thousands of projects, and automated dependency-update tools like Dependabot and Renovate pulling in the latest versions without human review, the breach had the potential to silently infect vast numbers of developer environments.
Socket confirmed that these malicious versions were rapidly deprecated and removed, but not before they had already been downloaded by some systems.
The affected maintainer acted quickly:
- Revoked the compromised token
- Marked all bad versions as deprecated
- Coordinated with npm to remove them