
Supply Chain Attack Hits NPM Developers via Sophisticated Phishing Campaign

A recent supply chain attack has compromised several widely used NPM packages, resulting in the delivery of malware to unsuspecting developers and users

A recent supply chain attack has compromised several widely used NPM packages, resulting in the delivery of malware to unsuspecting developers and users. This campaign highlights the growing threat to open-source software ecosystems and the importance of securing developer credentials.

How the Attack Unfolded

The attack began with a phishing campaign targeting maintainers of popular NPM packages. Cybercriminals cloned the official NPM website, creating a fraudulent version at npnjs[.]com, nearly indistinguishable from the real site. Developers received emails mimicking legitimate NPM security messages, encouraging them to log in via a tokenized URL. These tokens enabled the attackers to pre-fill user credentials and mimic real login behavior, increasing the likelihood of success.

Once developers entered their credentials on the fake site, attackers stole authentication tokens and used them to push malicious package updates directly to the NPM registry—bypassing GitHub repositories to avoid detection.

Popular Packages Compromised

Among the affected packages were:

  • eslint-config-prettier

  • eslint-plugin-prettier

  • napi-postinstall

  • @pkgr/core

  • synckit

  • is

  • got-fetch

These packages collectively receive tens of millions of weekly downloads, amplifying the reach of the attack. The malware injected into these packages included a malicious DLL targeting Windows systems and a loader known as Scavenger—a sophisticated information stealer.

How the Malware Works

The injected loader was compiled the same day the malicious packages were published. It contained several anti-analysis and anti-detection techniques, indicating that the attackers aimed to evade both automated and manual scrutiny.

Once executed, the loader contacted a command-and-control (C2) server to retrieve additional payloads. The final payload, Scavenger, is capable of:

  • Extracting data from Chromium-based browsers

  • Accessing ServiceWorkerCache and DawnWebGPUCache

  • Retrieving browser history and extension data

  • Disabling Chrome security alerts

This cross-platform malware poses a threat to Windows, Linux, and macOS environments, demonstrating the attackers’ intent to reach a broad audience.

Broader Implications

This campaign underscores several systemic issues:

  • Credential reuse and token theft can lead to widespread compromise.

  • Lack of visibility into package publishing (outside GitHub) complicates detection.

  • NPM’s authentication model, which lacks token-use alerts, enables silent takeovers.

Security researchers believe the attackers mined email addresses from package metadata and used automation to scale the phishing and malware delivery process.

Takeaways

  • Developers should enable two-factor authentication (2FA) and rotate tokens regularly.

  • Package registries must implement stronger token usage monitoring and notification systems.

  • End users and CI pipelines should consider verifying packages using SLSA attestations or reproducible builds when possible.
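As an added illustration of the last takeaway and of the "publishing outside GitHub" visibility gap noted above (example code, not from the article or from any affected project): a small Node.js policy check that walks a package-lock.json and flags dependencies whose registry metadata carries no SLSA provenance attestation, with a separate finding when earlier versions were attested and the locked one is not. The packuments, lockfile and package names below are constructed for the example.

```javascript
// Added example, not code from the article: flag locked npm dependencies whose
// registry metadata carries no SLSA provenance attestation. A version pushed to
// the registry with a stolen token, outside the maintainer's CI, has none, so a
// drop in provenance on a new release is a cheap CI gate. Data shapes follow
// npm's packument (`dist.attestations`) and lockfile v3; samples are constructed.

// predicateType values npm has used for provenance attestations
const PROVENANCE_TYPES = new Set([
  "https://slsa.dev/provenance/v1", "https://slsa.dev/provenance/v0.2"]);

function hasProvenance(versionMeta) {
  const att = versionMeta && versionMeta.dist && versionMeta.dist.attestations;
  return Boolean(att && att.provenance && PROVENANCE_TYPES.has(att.provenance.predicateType));
}

// One finding per dependency that fails the policy; [] means clean.
function checkLockfile(lockfile, packuments) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages)) {
    if (path === "") continue; // the root project itself
    // "node_modules/a/node_modules/@scope/b" -> "@scope/b"
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const pkg = packuments[name];
    const meta = pkg && pkg.versions[entry.version];
    if (!meta) { findings.push({ name, version: entry.version, reason: "unknown-version" }); continue; }
    if (hasProvenance(meta)) continue;
    // Provenance on earlier versions but not this one is the strongest signal.
    const attestedBefore = Object.values(pkg.versions).some(hasProvenance);
    findings.push({ name, version: entry.version,
      reason: attestedBefore ? "provenance-regression" : "no-provenance" });
  }
  return findings;
}

// Constructed sample registry metadata and lockfile (not real packages)
const attested = { provenance: { predicateType: "https://slsa.dev/provenance/v1" } };
const samplePackuments = {
  "good-pkg":      { versions: { "1.0.0": { dist: { attestations: attested } } } },
  "regressed-pkg": { versions: { "2.0.0": { dist: { attestations: attested } },
                                 "2.0.1": { dist: {} } } }, // new release, no attestation
  "never-pkg":     { versions: { "0.1.0": { dist: {} } } },
};
const sampleLockfile = { packages: {
  "":                           { name: "app" },
  "node_modules/good-pkg":      { version: "1.0.0" },
  "node_modules/regressed-pkg": { version: "2.0.1" },
  "node_modules/never-pkg":     { version: "0.1.0" },
} };

console.log(checkLockfile(sampleLockfile, samplePackuments));
```

This only inspects metadata a pipeline can fetch ahead of install; the cryptographic verification of registry signatures and attestations is what `npm audit signatures` performs.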

This incident is a stark reminder that even well-maintained open-source packages can become vectors for supply chain attacks.