A recent software supply chain attack has raised alarms in the cybersecurity community, after threat actors successfully injected malware into several widely used npm packages by stealing authentication tokens from project maintainers through a phishing campaign.

According to findings by Socket, attackers obtained npm tokens by luring maintainers into clicking on a malicious link that mimicked the official npm website. The phishing emails, spoofed as if sent from “support@npmjs[.]org,” used the subject line “Please verify your email address” and redirected users to a fake npm login page hosted at “npnjs[.]com.”

Once the attackers captured these credentials, they published compromised versions of the affected packages directly to the npm registry — bypassing traditional development workflows such as GitHub pull requests or commits.

Affected Packages and Versions

The following npm packages were confirmed to be impacted:

• eslint-config-prettier: 8.10.1, 9.1.1, 10.1.6, 10.1.7
• eslint-plugin-prettier: 4.2.2, 4.2.3
• synckit: 0.11.9
• @pkgr/core: 0.2.8
• napi-postinstall: 0.3.1

The malicious code embedded in these versions was designed to execute a DLL file on Windows systems, potentially enabling remote code execution, posing a serious threat to developers and production environments alike.

Recommendations for Developers

Developers using any of the affected packages should verify the versions installed and immediately roll back to safe versions. Project maintainers are strongly advised to:

• Enable two-factor authentication (2FA) on their npm accounts.
• Use scoped tokens instead of passwords for publishing.
• Monitor their projects for suspicious activity or unauthorized package updates.

Socket noted, “This incident highlights how phishing attacks against maintainers can rapidly escalate into widespread threats across the ecosystem.”

Related Threats: Protestware and Chaos RAT

In parallel, researchers observed a separate campaign flooding npm with 28 protest-themed packages targeting websites with Russian or Belarusian domains. These packages attempt to disable mouse input and continuously play the Ukrainian national anthem — but only for users whose browsers are set to Russian and who revisit the same site multiple times.

Security researcher Olivia Brown commented, “This protestware demonstrates how developer actions buried deep in dependencies can go unnoticed for weeks before surfacing.”

Meanwhile, the Arch Linux team also took action by removing three packages from the AUR (Arch User Repository) after discovering they were installing a remote access trojan (Chaos RAT) from a GitHub repository that has since been taken down. The affected packages — librewolf-fix-bin, firefox-patch-bin, and zen-browser-patched-bin — were uploaded by a user named danikpapas.

Arch Linux maintainers advise users who installed these packages to remove them immediately and take necessary security precautions to ensure their systems haven’t been compromised.

Source: https://thehackernews.com/2025/07/malware-injected-into-6-npm-packages.html