A recent investigation by ReversingLabs has revealed how a targeted phishing attack led to the compromise of a widely used npm package — eslint-config-prettier — putting thousands of downstream development projects at risk. The package, which boasts over 3.5 billion downloads and 12,000 dependencies, was hijacked after the maintainer fell victim to a sophisticated phishing campaign.
According to ReversingLabs, “malicious versions of eslint-config-prettier were published from the maintainer’s account that was compromised in a well-crafted phishing campaign.” The phishing emails spoofed the official npm support address and directed victims to a fake website mimicking npm’s legitimate interface. The stolen credentials were then used to publish malicious versions of eslint-config-prettier, along with other packages such as eslint-plugin-prettier, synckit, @pkgr/core, and napi-postinstall.
The first malicious version appeared on July 18 at 15:51 GMT and was removed just two hours later. Despite this brief window, the potential impact was significant due to the package’s high download frequency. The compromised versions contained a postinstall script that dropped a Windows PE DLL file, delivering the Scavenger remote access trojan (RAT).
ReversingLabs noted that “even a narrow window of compromise can have large repercussions”, especially when automated update mechanisms are in play.
One key factor amplifying the attack was the widespread use of automated dependency update tools like GitHub’s Dependabot. While such tools streamline security patching, they can also facilitate the rapid spread of malicious updates.
ReversingLabs observed that in some cases, “Dependabot opened a version upgrade PR and another bot approved and merged it… resulting in the installation of the malicious dependency during PR checks.” This scenario was notably seen in the GitHub repository of Dott, a public bike fleet management company, and even in a Microsoft-owned open-source project.
Though eslint-config-prettier is typically a devDependency, poor workflow configurations meant the malicious code was often executed during builds. The malware, identified as node-gyp.dll, was flagged by only 19 out of 72 antivirus engines on VirusTotal at the time of detection — highlighting the detection gap.
ReversingLabs’ search for the malicious version’s hash revealed 46 GitHub repositories — including a Microsoft project — that had the compromised package in their package-lock.json. The report emphasizes that organizations relying on self-hosted runners with weak configurations are particularly vulnerable, as malicious code may persist beyond the build process.
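The two checks the report implies, looking for a known-bad version in package-lock.json and flagging dependencies that carry install scripts (the postinstall vector used here), can be scripted against the lockfile itself. The following is an added example, not code from the article or from ReversingLabs; the deny-list versions, the allow-list and the sample lockfile are constructed placeholders (the real compromised version numbers are not given on this page), and the audit reads the lockfileVersion 2/3 "packages" map, where npm records `hasInstallScript` for packages that define install hooks.

```javascript
// Added example (not the article's or ReversingLabs' code): audit an npm
// lockfile (lockfileVersion 2 or 3) for (a) known-compromised package
// versions and (b) dependencies that carry install scripts.

// Hypothetical deny-list. The version strings are placeholders, not the
// real compromised versions, which this example does not know.
const COMPROMISED = {
  "eslint-config-prettier": ["0.0.0-compromised-a", "0.0.0-compromised-b"],
  "eslint-plugin-prettier": ["0.0.0-compromised-c"],
  "synckit": ["0.0.0-compromised-d"],
  "@pkgr/core": ["0.0.0-compromised-e"],
  "napi-postinstall": ["0.0.0-compromised-f"],
};

// Hypothetical allow-list of packages permitted to run install scripts.
const SCRIPT_ALLOWLIST = new Set(["esbuild"]);

// Constructed sample lockfile in the lockfileVersion 3 layout: a "packages"
// map keyed by node_modules path. Not a real project's lockfile.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", devDependencies: { "eslint-config-prettier": "^0.0.0" } },
    "node_modules/eslint-config-prettier": {
      version: "0.0.0-compromised-a", dev: true, hasInstallScript: true,
    },
    "node_modules/prettier": { version: "3.0.0", dev: true },
    "node_modules/esbuild": { version: "0.21.0", hasInstallScript: true },
    "node_modules/some-lib/node_modules/synckit": { version: "0.9.0" },
  },
});

// Derive the package name from a "packages" key such as
// "node_modules/@scope/name" or "node_modules/a/node_modules/@scope/b";
// nested installs keep only the last node_modules segment.
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Returns a list of findings; each has kind, name, version, path and dev.
function auditLockfile(lockText) {
  const lock = JSON.parse(lockText);
  if (!lock.packages) throw new Error("expected lockfileVersion 2 or 3");
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages)) {
    if (key === "") continue; // root project entry, not a dependency
    const name = packageNameFromKey(key);
    const base = { name, version: entry.version, path: key, dev: !!entry.dev };
    const bad = COMPROMISED[name];
    if (bad && bad.includes(entry.version)) {
      findings.push({ kind: "compromised-version", ...base });
    }
    // A devDependency with an install script still runs in CI builds that
    // install dev dependencies, which is the scenario the article describes.
    if (entry.hasInstallScript && !SCRIPT_ALLOWLIST.has(name)) {
      findings.push({ kind: "install-script", ...base });
    }
  }
  return findings;
}

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.kind}: ${f.name}@${f.version} (${f.path})${f.dev ? " [dev]" : ""}`);
}
```

Run it against a real lockfile by replacing SAMPLE_LOCK with the file contents; a finding of kind "install-script" for a package you did not expect to need native hooks is the thing to review before the next CI run, and `npm ci --ignore-scripts` keeps such hooks from executing during the build while you do.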
The incident underscores a critical lesson for the software supply chain: automated updates should never bypass human review. ReversingLabs warns that “leaked GitHub tokens… are becoming a popular target for threat actors”, and in cases like this, they can grant attackers deep access into development environments.