Beware of npm Phishing Emails Targeting Developer Credentials

A developer recently came across a convincing phishing email that spoofs the [email protected] sender address in order to impersonate npm, the Node.js package registry.

The email directed recipients to a malicious link on npnjs.com, a domain cleverly typosquatted to mimic npmjs.com by swapping ‘m’ for ‘n’.

This fake site hosted a complete clone or proxy of the legitimate npm website, designed to steal developer credentials through a deceptive login page.

The phishing URL, structured as https://npnjs.com/login?token=xxxxxx (with the token redacted), likely incorporated unique tokens for tracking clicks, pre-filling victim data, or simulating a legitimate session flow.

This tokenized approach suggests a semi-targeted campaign, potentially aimed at active package maintainers with substantial influence.

In this case, the targeted individual maintained packages amassing 34 million weekly downloads, highlighting the high stakes involved.

Notably, the email included legitimate support links to npmjs.com to enhance credibility, though it was ultimately flagged as spam and diverted from the primary inbox.

The incident has been reported to npm’s security team to bolster defenses against similar supply chain threats.

Technical Findings Reveal Multiple Red Flags

According to the report, analysis of the email's raw headers and security scans uncovered several indicators of malice.

The message originated from IP address 45.9.148.108, hosted on Nice IT Customers Network via the VPS host shosting-s0-n1.nicevps.net, which the report describes as frequently abused for malicious campaigns.

This IP has accumulated 27 abuse reports on AbuseIPDB and is flagged as suspicious by tools like Criminal IP and VirusTotal.

Sender authentication failed across the board: SPF, DKIM, and DMARC all declined to authenticate the message, so nothing ties it to npm's real mail infrastructure. Note that SPF is evaluated against the envelope sender (Return-Path), not the visible From header, so a spoofed From address is only caught when DMARC checks alignment between the two; the SPF_NONE flag indicates the envelope sender's domain publishes no SPF record at all.

Additional anomalies included a private-network hop, phl-compute-02.internal at 10.202.2.42, and spam triggers such as SPF_NONE, RDNS_NONE, and VFY_ACCT_NORDNS, which routed the message to the spam folder. One caveat when reading such headers: RFC 1918 hops are routinely added by the recipient's own mail provider's internal relays, so on their own they do not identify attacker infrastructure; the public sending IP is the useful pivot for abuse-database lookups.

Taken together, these elements show how the attack combined a spoofed sender and a lookalike domain with abused VPS infrastructure to get past a casual glance, while mimicking an account-verification request, something npm rarely initiates unsolicited.
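The header and URL checks described in this section can be automated. The following is an added example, not code from the article or from npm: it parses a raw message, compares the From domain with the envelope sender, reads the SPF/DKIM/DMARC verdicts from Authentication-Results, walks the Received chain past private hops to the first public IP, and flags link hosts within two edits of npmjs.com. The sample message is constructed; its From address, recipient and relay hostnames are placeholders, while the IPs, VPS hostname, private hop, verdicts and URL mirror the indicators reported above. The one-domain allowlist and the edit-distance threshold of 2 are assumptions for illustration.

```python
"""Triage a raw e-mail for sender-authentication and lookalike-URL red flags."""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains treated as legitimate link targets (assumption: npm only).
LEGIT_DOMAINS = ("npmjs.com",)

# Constructed sample, not the real message: From address, recipient and relay
# names are placeholders; IPs, VPS host, private hop, verdicts and URL follow the report.
SAMPLE_RAW = """\
Return-Path: <bounce@shosting-s0-n1.nicevps.net>
Received: from phl-compute-02.internal (phl-compute-02.internal [10.202.2.42])
    by mx.example.net with LMTP; Tue, 1 Jul 2025 10:00:02 +0000
Received: from shosting-s0-n1.nicevps.net (shosting-s0-n1.nicevps.net [45.9.148.108])
    by mx.example.net with ESMTP; Tue, 1 Jul 2025 10:00:00 +0000
Authentication-Results: mx.example.net;
    spf=none smtp.mailfrom=shosting-s0-n1.nicevps.net;
    dkim=none header.d=none;
    dmarc=fail header.from=npmjs.com
From: npm <noreply@npmjs.com>
To: maintainer@example.net
Subject: Verify your npm account
Content-Type: text/plain; charset=utf-8

Please verify your account to keep publishing:
https://npnjs.com/login?token=xxxxxx
Need help? https://www.npmjs.com/support
"""


def domain_of(address):
    """Lower-cased domain part of an address header value ('' if absent)."""
    _, addr = parseaddr(str(address or ""))
    return addr.rpartition("@")[2].lower()


def parse_auth_results(header):
    """Map spf/dkim/dmarc -> verdict from an Authentication-Results header."""
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header or ""), re.I)
    return {mech.lower(): verdict.lower() for mech, verdict in pairs}


def sending_ip(msg):
    """First public IPv4 in the Received chain, walking from the recipient outward.
    RFC 1918 hops (a provider's internal relays) are skipped; they are not the sender."""
    for received in msg.get_all("Received", []):
        for ip in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(received)):
            try:
                if not ipaddress.ip_address(ip).is_private:
                    return ip
            except ValueError:
                continue
    return None


def levenshtein(a, b):
    """Edit distance: one substitution turns npmjs.com into npnjs.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_urls(text):
    return re.findall(r"https?://[^\s<>\"']+", text)


def lookalike_hosts(urls, legit_domains=LEGIT_DOMAINS, max_distance=2):
    """(host, legit) pairs where host is a near-miss of a legitimate domain
    but neither that domain nor one of its subdomains."""
    hits = []
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        host = host[4:] if host.startswith("www.") else host
        for legit in legit_domains:
            if host == legit or host.endswith("." + legit):
                continue
            if 0 < levenshtein(host, legit) <= max_distance:
                hits.append((host, legit))
    return hits


def triage(raw):
    """Return the structured indicators plus a list of human-readable findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom, envelope_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    # SPF is checked on the envelope sender; a spoofed From only trips DMARC alignment.
    if envelope_dom and envelope_dom != from_dom:
        findings.append(f"From domain {from_dom} not aligned with envelope sender {envelope_dom}")
    auth = parse_auth_results(msg["Authentication-Results"])
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":
            findings.append(f"{mech} did not pass (result: {auth.get(mech, 'missing')})")
    ip = sending_ip(msg)
    if ip:
        findings.append(f"external sending IP {ip}: pivot for abuse-database lookups")
    body = msg.get_body(preferencelist=("plain", "html"))
    for host, legit in lookalike_hosts(extract_urls(body.get_content() if body else "")):
        findings.append(f"lookalike link domain {host} (within 2 edits of {legit})")
    return {"from_domain": from_dom, "envelope_domain": envelope_dom,
            "auth": auth, "sending_ip": ip, "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE_RAW)["findings"]:
        print("-", line)
```

Run against the sample, the script reports the From/envelope mismatch, the three non-passing verdicts, the public sending IP 45.9.148.108 (the 10.202.2.42 hop is skipped), and npnjs.com as a one-edit lookalike of npmjs.com; the legitimate www.npmjs.com support link is not flagged. Feed it a real `.eml` by replacing SAMPLE_RAW with the file contents.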

Why npm Accounts Are Prime Targets

npm accounts represent lucrative targets for cybercriminals due to their potential to compromise the software supply chain.

A single breached account could allow attackers to publish malicious packages, infecting millions of downstream projects and amplifying the impact across the ecosystem.

Maintainers, especially those with high-download packages, should exercise extreme caution with unsolicited verification emails, as legitimate npm communications are typically user-initiated.

To safeguard against such threats, enabling two-factor authentication (2FA) is essential, alongside publishing with narrowly scoped access tokens (npm's granular access tokens), limited to the packages and permissions actually needed, rather than with the account password.

In cases of suspected credential exposure, rotate all npm access tokens immediately; if the password was entered into the fake login page, change it as well, since rotating tokens alone leaves the account itself exposed.

This phishing attempt, while thwarted by spam filters, exemplifies the evolving sophistication of supply chain attacks, emphasizing the need for vigilance and proactive reporting to platforms like npm to prevent widespread exploitation.

Indicators of Compromise (IoCs)

Domain & URL: phishing domain npnjs.com (typosquatted from npmjs.com), hosting a cloned npm site with a fake login page at https://npnjs.com/login?token= ; unique tokens are used for tracking and targeting.
Email artifacts: spoofed From address [email protected]; SPF, DKIM and DMARC all failed; headers include the hop phl-compute-02.internal [10.202.2.42]; spam flags SPF_NONE, RDNS_NONE, VFY_ACCT_NORDNS.
IP & hosting: sender IP 45.9.148.108; host shosting-s0-n1.nicevps.net (Nice IT Customers Network); 27 abuse reports on AbuseIPDB, flagged on VirusTotal and Criminal IP.
