Threat Actors Compromise Popular npm Packages to Steal Maintainers’ Tokens

Threat actors have leveraged a phishing campaign targeting npm package maintainers, resulting in the compromise of widely used JavaScript tooling libraries.

The campaign, first reported on July 18, 2025, utilizes a typosquatted domain, npnjs.com, to mimic legitimate npm communications and trick developers into surrendering their authentication tokens.

This multi-stage operation begins with maintainer email addresses scraped from publicly available npm metadata, such as registration details and maintainer information, which lets the attackers curate targeted lists of high-value individuals responsible for popular packages and send them automated phishing emails.

Registration emails

Once credentials are harvested, adversaries exploit the stolen npm tokens to publish malicious package versions directly to the npm registry, bypassing GitHub repositories and associated code review processes.

This approach renders the intrusions particularly stealthy, as no corresponding commits or pull requests appear in the source control systems, delaying detection by automated monitoring tools.

Phishing Attack Exploits Typosquatted Domain

A prominent casualty of this campaign involves the Prettier ecosystem, where packages like eslint-config-prettier and eslint-plugin-prettier were infiltrated.

Maintainers confirmed that a phishing email from the bogus npnjs.com domain led to the theft of an npm token, allowing unauthorized publication of tainted releases.

Specifically, versions such as eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7; eslint-plugin-prettier 4.2.2 and 4.2.3; synckit 0.11.9; @pkgr/core 0.2.8; and napi-postinstall 0.3.1 were injected with malicious payloads.

According to the report, these alterations included Windows-specific payloads that attempted to load a DLL file, node-gyp.dll, via the rundll32 utility, potentially enabling remote code execution on affected systems.

The malware’s design focused on post-installation scripts, which could execute arbitrary code during dependency resolution in Node.js environments, amplifying the risk for downstream consumers reliant on automated dependency managers like Dependabot or Renovate.

Ecosystem-Wide Implications

The fallout underscores the vulnerabilities inherent in open-source supply chains, where tools like Prettier and ESLint integrations permeate thousands of projects, facilitating automatic ingestion of “latest” tagged versions through CI/CD pipelines.

This incident exemplifies a textbook credential-stuffing escalation: phishing harvests tokens, attackers publish rogue artifacts, and ecosystems propagate malware via unpinned dependencies.

In response, the affected maintainer swiftly revoked the compromised token, rotated all credentials, deprecated the malicious versions to deter automated upgrades, and collaborated with npm support to purge the tainted releases from the registry.

However, the window of exposure spanning mere hours highlights the speed at which such attacks can disseminate, potentially compromising build environments and developer workstations before mitigations take effect.

For developers and organizations, immediate actions include auditing package lockfiles for the listed vulnerable versions and reverting to safe baselines, such as eslint-config-prettier 10.1.5 or prior.

Thorough sanitation involves purging node_modules directories, clearing npm caches, and reinstalling from verified sources.

Proactively, enabling two-factor authentication (2FA) on npm accounts is critical to thwart token theft, while pinning exact package versions in production and CI configurations mitigates risks from floating tags.

Security tools that scan for anomalous behaviors, like unexpected install scripts or embedded binaries, can provide early warnings, as demonstrated by platforms monitoring npm for real-time threat detection.

As this campaign continues to unfold, with expectations of additional maintainer compromises from scraped metadata, the npm ecosystem faces an ongoing threat vector that demands heightened vigilance and robust credential hygiene to prevent further supply chain disruptions.
