Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

The Great npm Phishing Scam: How a Single Click Put Millions at Risk


Two widely used npm linter packages, eslint-config-prettier and eslint-plugin-prettier, were hijacked after their maintainer's npm token was phished. The malicious releases carried a postinstall script that, on Windows machines, loaded a Trojan DLL through rundll32, exposing the packages' millions of weekly installs.

  • A targeted phishing email, spoofing support@npmjs.com and linking to the look-alike domain npnjs[.]com, captured the maintainer's npm token.
  • The stolen token was used to publish malicious versions of eslint-config-prettier (8.10.1, 9.1.1, 10.1.6, 10.1.7) and eslint-plugin-prettier (4.2.2, 4.2.3).
  • eslint-config-prettier alone sees more than 30 million downloads a week, so the window of exposure reached a large share of JavaScript projects.
  • The packages' postinstall script, install.js, ran on Windows installs and loaded a bundled DLL, node-gyp.dll, through rundll32; the DLL is detected as a Trojan.
  • The incident shows how one maintainer's credentials are a single point of failure for the open-source ecosystem.
  • Developers should avoid the affected versions and search package-lock.json and yarn.lock for references to them.
  • Anyone who built after July 18, 2025 should check CI logs and runtime environments, especially on Windows, and rotate secrets that were present in those builds.



    A targeted phishing attack on the maintainer of two popular JavaScript linter packages has put millions of users in the path of malware. The compromised npm packages, hijacked with a phished publishing token, were used to drop malicious code on Windows machines.

    The incident began when the maintainer of two popular npm packages, eslint-config-prettier and eslint-plugin-prettier, fell victim to a targeted phishing attack. The email was spoofed to appear to come from support@npmjs.com, but its link led to the look-alike domain npnjs[.]com. The credentials entered there gave the attacker the maintainer's npm token, which was enough to publish new versions of the packages.

    The malicious versions of eslint-config-prettier were 8.10.1, 9.1.1, 10.1.6, and 10.1.7; the package is downloaded more than 30 million times a week. eslint-plugin-prettier received the same payload in versions 4.2.2 and 4.2.3. Each unauthorized release carried a postinstall lifecycle script, which npm runs automatically as soon as the package is unpacked, so simply installing or updating to one of these versions was enough to trigger it.

    That script, install.js, contained a function with the innocuous name logDiskSpace(). On Windows it used the rundll32 system utility to load a DLL bundled with the package, node-gyp.dll, a name that resembles the legitimate node-gyp build tool. The DLL is identified as a Trojan, with 19 of 72 engines on VirusTotal flagging it at the time of analysis.

    The incident shows how thin the security of the open-source ecosystem can be: one wrong click by a single maintainer was enough to put millions of users at risk. No vulnerability in the packages' code was needed; social engineering alone turned two trusted libraries into a delivery channel for malware.

    Affected developers should not install versions 8.10.1, 9.1.1, 10.1.6, or 10.1.7 of eslint-config-prettier, or versions 4.2.2 or 4.2.3 of eslint-plugin-prettier, and should pin to a version outside those ranges. Because lockfiles record the exact resolved version of every transitive dependency, searching package-lock.json or yarn.lock for these version strings shows whether a project has pulled one in, even if it never depended on the packages directly.

    Anyone who ran builds after July 18, 2025 should also check CI logs and runtime environments for signs of compromise, especially on Windows machines, where the postinstall script did its work. Secrets that were available to the affected build processes, such as CI tokens, registry credentials, and deployment keys, should be treated as exposed and rotated.

    The incident is part of a wider run of supply chain attacks on popular libraries. In recent months more than ten widely used npm libraries were compromised, and 17 Gluestack packages with over a million weekly downloads were hijacked to deploy a Remote Access Trojan (RAT).

    Maintainer account security is now part of every downstream project's attack surface. Developers should treat registry emails with the same suspicion as any other credential phish, check the domain behind every link before signing in, and keep lockfiles, CI logs, and build secrets under review so that a hijacked release is caught before it reaches production.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Great-npm-Phishing-Scam-How-a-Single-Click-Vulnerized-Millions-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/popular-npm-linter-packages-hijacked-via-phishing-to-drop-malware/


  • Published: Sat Jul 19 08:05:41 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.