
Ethical Hacking News

Malicious Code Infiltrates Popular npm Packages via Phishing Scam



Malicious code has infiltrated popular npm packages via a phishing scam. Cybersecurity researchers at Socket have discovered that hackers impersonated the official npm account in an email message, prompting victims to click on a link that harvested their credentials. This attack highlights the vulnerability of the open-source software supply chain and serves as a warning to developers who use affected packages.

  • Cybersecurity researchers discovered a supply chain attack on popular npm packages that stole project maintainers' credentials through phishing.
  • The affected npm packages included eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, and napi-postinstall.
  • The attackers used typosquatted links and spoofed legitimate emails to trick victims into clicking on the link.
  • Developers are advised to check their installed packages and roll back to safe versions, while project maintainers can protect themselves by enabling two-factor authentication and using scoped tokens.
  • The attack highlights the vulnerability of the open-source software supply chain and the importance of security awareness among developers and maintainers.



Cybersecurity researchers at Socket have discovered a supply chain attack that compromised popular npm packages by stealing project maintainers' npm tokens through a phishing campaign. The malicious activity began after hackers impersonated the official npm account in an email message, prompting the victims to click on a link that harvested their credentials.

The affected npm packages include eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, and napi-postinstall. The injected code in these packages attempted to execute a DLL on Windows machines, potentially allowing remote code execution. This incident highlights the vulnerability of the open-source software supply chain and serves as a warning to developers who use affected packages.

The investigation revealed that the phishing campaign used typosquatted links ("npnjs[.]com") instead of the official npm domain ("npmjs[.]com"). The attackers sent email messages with the subject line "Please verify your email address," which spoofed legitimate emails associated with the npm account. Upon clicking the link, victims were redirected to a bogus landing page that captured their login information.

To mitigate this attack, developers using affected packages are advised to cross-check the versions installed and roll back to safe versions. Project maintainers can protect themselves by turning on two-factor authentication for their accounts and using scoped tokens instead of passwords for publishing packages.

Furthermore, cybersecurity experts caution against overlooking phishing attacks on maintainers, as they can quickly escalate into ecosystem-wide threats. This incident serves as a reminder of the importance of security awareness among developers and maintainers of open-source projects.

In addition to the npm package attack, a separate campaign has targeted Arch Linux by uploading malicious AUR packages that installed Chaos RAT malware from a now-removed GitHub repository. The affected packages were "librewolf-fix-bin," "firefox-patch-bin," and "zen-browser-patched-bin." The maintainers of the Arch User Repository (AUR) removed these packages, recommending that users remove them from their systems and take measures to ensure they had not been compromised.
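The version cross-check recommended for developers in the npm section above, as an added example that is not part of the article or of Socket's or npm's own tooling: it walks a package-lock.json and lists every installed copy of the five named packages, nested copies included. The affected version numbers are not stated in the article, so the `AFFECTED` placeholders are an assumption to be filled in from the upstream advisories.

```javascript
// Added example (not from the article, Socket or npm): scan a package-lock.json
// (lockfileVersion 2 or 3) for the package names in the report, so installed
// versions can be cross-checked against the upstream advisories.
// The affected version numbers are not given in the article, so the AFFECTED
// map uses obvious placeholders (assumption) that must be replaced before use.
const AFFECTED = {
  'eslint-config-prettier': new Set(['PLACEHOLDER-VERSION']),
  'eslint-plugin-prettier': new Set(['PLACEHOLDER-VERSION']),
  'synckit':                new Set(['PLACEHOLDER-VERSION']),
  '@pkgr/core':             new Set(['PLACEHOLDER-VERSION']),
  'napi-postinstall':       new Set(['PLACEHOLDER-VERSION']),
};

// Lockfile "packages" keys are install paths such as
// "node_modules/tool/node_modules/@pkgr/core". The package name is everything
// after the last "node_modules/" (two path segments for a scoped package).
function nameFromPath(installPath) {
  const marker = 'node_modules/';
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? null : installPath.slice(idx + marker.length);
}

// Returns one entry per installed copy of a watched package, nested copies
// included: { name, version, path, flagged }. flagged is true when the version
// is in the AFFECTED set; unflagged hits are still listed so a developer can
// compare them by hand against the published list.
function scanLockfile(lock, affected = AFFECTED) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = nameFromPath(path);
    if (name === null || !(name in affected)) continue;
    hits.push({ name, version: meta.version, path,
                flagged: affected[name].has(meta.version) });
  }
  return hits;
}

// Constructed sample lockfile fragment (not real project data): one hoisted
// copy of eslint-config-prettier and one nested copy of @pkgr/core.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/eslint-config-prettier': { version: '9.1.0' },
  'node_modules/prettier': { version: '3.3.0' },
  'node_modules/tool': { version: '2.0.0' },
  'node_modules/tool/node_modules/@pkgr/core': { version: 'PLACEHOLDER-VERSION' },
} };

for (const h of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${h.flagged ? 'AFFECTED' : 'review  '} ${h.name}@${h.version}  ${h.path}`);
}
```

To scan a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `scanLockfile` instead of the constructed sample.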



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Malicious-Code-Infiltrates-Popular-npm-Packages-via-Phishing-Scam-ehn.shtml

  • https://thehackernews.com/2025/07/malware-injected-into-6-npm-packages.html


  • Published: Mon Jul 21 19:46:35 2025 by llama3.2 3B Q4_K_M