Aman Mishra
2025-07-21 16:03:00
gbhackers.com
Threat actors have leveraged a phishing campaign targeting npm package maintainers, resulting in the compromise of widely used JavaScript tooling libraries.
The campaign, first reported on July 18, 2025, utilizes a typosquatted domain, npnjs.com, to mimic legitimate npm communications and trick developers into surrendering their authentication tokens.
This multi-stage operation begins with automated emails sent to addresses scraped from publicly available npm metadata, such as registration details and maintainer information, which lets attackers curate targeted lists of high-value individuals responsible for popular packages.

Once credentials are harvested, adversaries exploit the stolen npm tokens to publish malicious package versions directly to the npm registry, bypassing GitHub repositories and associated code review processes.
This approach renders the intrusions particularly stealthy, as no corresponding commits or pull requests appear in the source control systems, delaying detection by automated monitoring tools.
Phishing Attack Exploits Typosquatted Domain
A prominent casualty of this campaign involves the Prettier ecosystem, where packages like eslint-config-prettier and eslint-plugin-prettier were infiltrated.
Maintainers confirmed that a phishing email from the bogus npnjs.com domain led to the theft of an npm token, allowing unauthorized publication of tainted releases.
Specifically, versions such as eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7; eslint-plugin-prettier 4.2.2 and 4.2.3; synckit 0.11.9; @pkgr/core 0.2.8; and napi-postinstall 0.3.1 were injected with malicious payloads.
According to the report, these alterations included a Windows-specific payload that attempted to load a DLL file, node-gyp.dll, via the rundll32 utility, potentially enabling remote code execution on affected systems.
The malware’s design focused on post-installation scripts, which could execute arbitrary code during dependency resolution in Node.js environments, amplifying the risk for downstream consumers reliant on automated dependency managers like Dependabot or Renovate.
Ecosystem-Wide Implications
The fallout underscores the vulnerabilities inherent in open-source supply chains, where tools like Prettier and ESLint integrations permeate thousands of projects, facilitating automatic ingestion of “latest” tagged versions through CI/CD pipelines.
This incident exemplifies a textbook credential-stuffing escalation: phishing harvests tokens, attackers publish rogue artifacts, and ecosystems propagate malware via unpinned dependencies.
In response, the affected maintainer swiftly revoked the compromised token, rotated all credentials, deprecated the malicious versions to deter automated upgrades, and collaborated with npm support to purge the tainted releases from the registry.
However, the window of exposure spanning mere hours highlights the speed at which such attacks can disseminate, potentially compromising build environments and developer workstations before mitigations take effect.
For developers and organizations, immediate actions include auditing package lockfiles for the listed vulnerable versions and reverting to safe baselines, such as eslint-config-prettier 10.1.5 or prior.
A thorough clean-up involves purging node_modules directories, clearing the npm cache, and reinstalling from verified sources.
Proactively, enabling two-factor authentication (2FA) on npm accounts is critical to thwart token theft, while pinning exact package versions in production and CI configurations mitigates risks from floating tags.
Security tools that scan for anomalous behaviors, like unexpected install scripts or embedded binaries, can provide early warnings, as demonstrated by platforms monitoring npm for real-time threat detection.
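The three defensive checks described above (auditing lockfiles for the listed versions, pinning exact versions, and flagging packages that carry install scripts) can be combined into a single script. The following is an added example, not code from the article or from the affected projects; it assumes an npm lockfile in the v2/v3 format (a "packages" map keyed by node_modules path, where npm sets "hasInstallScript": true on packages with preinstall/install/postinstall hooks) and uses a constructed lockfile and package.json as input.

```python
import json
import re

# Versions the article reports as having been published with malicious payloads.
COMPROMISED = {
    "eslint-config-prettier": {"8.10.1", "9.1.1", "10.1.6", "10.1.7"},
    "eslint-plugin-prettier": {"4.2.2", "4.2.3"},
    "synckit": {"0.11.9"},
    "@pkgr/core": {"0.2.8"},
    "napi-postinstall": {"0.3.1"},
}

# An exact semver pin: "1.2.3" or "1.2.3-beta.1"; anything else (^, ~, ranges,
# dist-tags such as "latest", git URLs) floats and is reported.
PINNED_RE = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")


def package_name_from_path(path):
    """Lockfile v2/v3 keys look like 'node_modules/a/node_modules/@scope/b';
    the package name is whatever follows the last 'node_modules/'."""
    return path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock):
    """Return findings for known-compromised versions and for any package
    that npm flagged as carrying an install script."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project entry, not a dependency
        name = meta.get("name") or package_name_from_path(path)
        version = meta.get("version")
        if version in COMPROMISED.get(name, set()):
            findings.append({"issue": "compromised-version", "name": name,
                             "version": version, "path": path})
        if meta.get("hasInstallScript"):
            findings.append({"issue": "install-script", "name": name,
                             "version": version, "path": path})
    return findings


def is_pinned(spec):
    return bool(PINNED_RE.match(spec))


def find_unpinned(manifest):
    """Report dependency specifiers in package.json that are not exact pins."""
    out = []
    for field in ("dependencies", "devDependencies"):
        for name, spec in manifest.get(field, {}).items():
            if not is_pinned(spec):
                out.append((field, name, spec))
    return out


# Constructed sample input (not a real project's lockfile): one nested
# dependency, two of the listed bad versions, and one package with an
# install script that is also on the list.
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/eslint-config-prettier": {"version": "10.1.7", "dev": true},
    "node_modules/prettier": {"version": "3.3.3", "dev": true},
    "node_modules/synckit": {"version": "0.11.9"},
    "node_modules/synckit/node_modules/@pkgr/core": {"version": "0.2.7"},
    "node_modules/napi-postinstall": {"version": "0.3.1", "hasInstallScript": true}
  }
}
""")

SAMPLE_MANIFEST = {
    "dependencies": {"synckit": "0.11.9"},
    "devDependencies": {"eslint-config-prettier": "^10.1.5", "prettier": "3.3.3"},
}

if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCK):
        print(f"{f['issue']}: {f['name']}@{f['version']} ({f['path']})")
    for field, name, spec in find_unpinned(SAMPLE_MANIFEST):
        print(f"unpinned: {field}.{name} = {spec!r}")
```

To run it against a real project, replace the two constructed samples with `json.load(open("package-lock.json"))` and `json.load(open("package.json"))`. A compromised-version hit means the lockfile should be reverted to a safe baseline and node_modules reinstalled; an install-script hit is not proof of anything on its own, but it is exactly the class of package worth a closer look after an incident like this one.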
As this campaign continues to unfold, with expectations of additional maintainer compromises from scraped metadata, the npm ecosystem faces an ongoing threat vector that demands heightened vigilance and robust credential hygiene to prevent further supply chain disruptions.