The lightweight JavaScript utility library "is" is a widely used project on the NPM registry, with over 2.2 million downloads per week. However, on July 19, 2025, its developer fell victim to a phishing attack that compromised his account credentials, enabling threat actors to publish malicious versions containing a backdoor designed for remote code execution.
The project's maintainer, John Harband, reportedly received an email purporting to be from NPMJS and requesting account verification. Upon clicking the embedded link, he was redirected to a phishing site. After unwittingly submitting his credentials, the attackers gained direct access to his NPM account.
The attackers subsequently modified the package and injected a backdoor. Analysis revealed that the payload established a WebSocket-based channel enabling remote code execution. Versions v3.3.1 through v5.0.0 of "is" were affected. The malicious packages remained live for approximately six hours before being removed by NPM.
This incident extended beyond a single library. Other projects such as eslint-config-prettier, synckit, @pkgr/core, napi-postinstall, and got-fetch were also compromised, each laced with a similar remote access payload, indicating that multiple developers had been targeted.
Researchers further identified an information-stealing malware dubbed Scavenger, which appears tailored for Windows NT systems. It is capable of extracting sensitive data from browsers, likely targeting stored cryptocurrency wallet credentials.
Developers leveraging any of the aforementioned packages are strongly advised to audit their dependencies, verify version integrity, and immediately upgrade to sanitized releases. Additionally, maintainers should issue public advisories to alert end users and mitigate potential exposure.
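As an added example that is not part of the original article, the following Node script walks a package-lock.json and flags the compromised "is" versions named above; the other packages the article lists are reported for review only, since their affected versions are not given here. The sample lockfile is constructed.

```javascript
// Added example: scan a package-lock.json ("packages" map, lockfile v2/v3)
// for the "is" versions the article names as compromised (v3.3.1 to v5.0.0).
// The other names get status "review" because no version range is given.
const IS_MIN = [3, 3, 1], IS_MAX = [5, 0, 0];
const REVIEW_NAMES = new Set([
  "eslint-config-prettier", "synckit", "@pkgr/core", "napi-postinstall", "got-fetch",
]);

// "1.2.3-beta+build" -> [1, 2, 3]; null if not a plain semver triple.
function parseVersion(v) {
  const parts = v.split(/[-+]/)[0].split(".").map(Number);
  return parts.length === 3 && parts.every(Number.isInteger) ? parts : null;
}
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
function isAffectedVersion(version) {
  const v = parseVersion(version);
  return v !== null && cmp(v, IS_MIN) >= 0 && cmp(v, IS_MAX) <= 0;
}

// Keys look like "node_modules/is" or "node_modules/foo/node_modules/@pkgr/core";
// the package name is whatever follows the last "node_modules/".
function nameFromKey(key) {
  const i = key.lastIndexOf("node_modules/");
  return i === -1 ? null : key.slice(i + "node_modules/".length);
}

function findAffected(lock) {
  const hits = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const name = nameFromKey(key);
    if (!name || !meta.version) continue;
    if (name === "is" && isAffectedVersion(meta.version)) {
      hits.push({ path: key, version: meta.version, status: "affected" });
    } else if (REVIEW_NAMES.has(name)) {
      hits.push({ path: key, version: meta.version, status: "review" });
    }
  }
  return hits;
}

// Constructed sample lockfile (not from any real project); to scan a real
// one, replace this with JSON.parse(require("fs").readFileSync(path, "utf8")).
const SAMPLE_LOCK = { packages: {
  "": { name: "demo" },
  "node_modules/is": { version: "3.3.1" },
  "node_modules/foo/node_modules/is": { version: "3.3.0" },
  "node_modules/@pkgr/core": { version: "0.2.0" },
} };
console.log(findAffected(SAMPLE_LOCK));
module.exports = { findAffected, isAffectedVersion, SAMPLE_LOCK };
```

Nested copies of "is" are checked too, since a transitive dependency can pull in an affected version even when the top-level one is clean.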