NPM ‘is’ Package with 2.8M Weekly Downloads Exploited in Attack on Developers

The popular npm package ‘is’, which has about 2.8 million weekly downloads, has been taken over by threat actors in a sophisticated escalation of a phishing effort that was first disclosed last Friday.

The attack began with emails spoofing npm’s [email protected] address, directing developers to a typosquatted domain, npnjs.com a near-identical proxy of the legitimate npmjs.com site designed to harvest credentials via a tokenized login link.

This semi-targeted operation focused on high-profile maintainers, including those overseeing packages with tens of millions of collective downloads.

The phishing emails bypassed some filters due to absent DMARC and SPF records on npmjs.org, as highlighted by React curator Sébastien Lorber, allowing spoofed messages to reach inboxes and enabling attackers to steal npm tokens.

Once compromised, these tokens facilitated the publication of malicious versions across multiple packages, automating malware distribution through dependency resolution in developer workflows and CI/CD pipelines.

Escalating Phishing Campaign

The campaign’s pivot to package hijacking underscores a broader supply chain assault, with attackers embedding payloads in trusted libraries.

Notably, the ‘is’ package providing utility functions for type checking and validation was altered in versions 3.3.1 and 5.0.0 to include a cross-platform JavaScript malware loader.

This loader, detected by Socket’s AI scanner, employs heavy obfuscation with a custom 94-character alphabet decoder to reconstruct and execute payloads in memory via ‘new Function’, evading disk-based forensics.

Upon activation in Node.js environments (version 12+ on macOS, Linux, or Windows), it fingerprints the host by querying the ‘os’ module for details like hostname, platform, and CPU architecture, while capturing all environment variables from ‘process.env’.

It then dynamically imports the ‘ws’ library to establish a WebSocket connection to a threat actor-controlled endpoint, exfiltrating data and enabling real-time remote code execution.

Any incoming WebSocket message is treated as executable JavaScript, granting attackers an interactive shell with full filesystem and network privileges equivalent to the host process.

This allows harvesting of sensitive artifacts such as .npmrc files, Git remotes, and potentially SSH keys, with persistence achieved by self-overwriting the package’s index.js file necessitating lockfile resets for complete removal.

Malware Analysis

Reverse engineering by Humpty’s RE Blog exposed a complementary Windows-specific payload, dubbed Scavenger, hidden in related packages like eslint-config-prettier.

This DLL (node-gyp.dll) leverages anti-analysis techniques, indirect syscalls, and encrypted C2 communications to steal browser data, including Chrome extensions and session caches.

The multi-payload approach JavaScript for broad compatibility and DLL for targeted Windows exfiltration maximizes infection reach, contrasting with Scavenger’s platform limitations.

Additional hijacked packages include eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall, and got-fetch, with malicious versions introducing similar loaders or infostealers.

According to the report, The impact has been severe, as evidenced by affected developers on Hacker News reporting Chrome security flag tampering, potential credential compromises, and the need for extreme remediation like full SSD replacements and OS reinstalls.

Blind dependency updates have proven risky, with malware persisting beyond simple rollbacks by tampering with systems and exfiltrating keys.

Maintainers like Jordan Harband confirmed the ‘is’ compromise stemmed from a co-maintainer’s account hijack, likely via the same phishing vector, highlighting npm’s notification gaps.

Defenders are urged to enable two-factor authentication, use scoped tokens, and employ tools like Socket’s GitHub App or Safe npm CLI for real-time threat detection across 70+ supply chain risk indicators.

Indicators of Compromise (IOCs)

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!