Cybersecurity researchers have alerted to a supply chain attack that has targeted popular npm packages via a phishing campaign designed to steal the project maintainers’ npm tokens.
The captured tokens were then used to publish malicious versions of the packages directly to the registry without any source code commits or pull requests on their respective GitHub repositories.
The list of affected packages and their rogue versions, according to Socket, is listed below –
- eslint-config-prettier (versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7)
- eslint-plugin-prettier (versions 4.2.2 and 4.2.3)
- synckit (version 0.11.9)
- @pkgr/core (version 0.2.8)
- napi-postinstall (version 0.3.1)
“The injected code attempted to execute a DLL on Windows machines, potentially allowing remote code execution,” the software supply chain security firm said.
The development comes in the aftermath of a phishing campaign that has been found to send email messages impersonating npm in order to trick project maintainers into clicking on a typosquatted link (“npnjs[.]com,” as opposed to “npmjs[.]com”) that harvested their credentials.
The digital missives, with the subject line “Please verify your email address,” spoofed a legitimate email address associated with npm (“support@npmjs[.]org”), urging recipients to validate their email address by clicking on the embedded link.
The bogus landing page to which the victims are redirected to, per Socket, is a clone of the legitimate npm login page that’s designed to capture their login information.
Developers who use the affected packages are advised to cross-check the versions installed and rollback to a safe version. Project maintainers are recommended to turn on two-factor authentication to secure their accounts, and use scoped tokens instead of passwords for publishing packages.
“This incident shows how quickly phishing attacks on maintainers can escalate into ecosystem-wide threats,” Socket said.
The findings coincide with an unrelated campaign that has flooded npm with 28 packages containing protestware functionality that can disable mouse-based interaction on websites with a Russian or Belarusian domain. They are also engineered to play the Ukrainian national anthem on a loop.
However, the attack only works when the site visitor has their browser language settings set to Russian and, in some cases, the same website is visited a second time, thereby ensuring that only repeat visitors are targeted. The activity marks an expansion of a campaign that was first flagged last month.
“This protestware underscores that actions taken by developers can propagate unnoticed in nested dependencies and may take days or weeks to manifest,” security researcher Olivia Brown said.
Arch Linux Removes 3 AUR Packages that Installed Chaos RAT Malware
It also comes as the Arch Linux team said it has pulled three malicious AUR packages that were uploaded to the Arch User Repository (AUR) and harbored hidden functionality to install a remote access trojan called Chaos RAT from a now-removed GitHub repository.
The affected packages are: “librewolf-fix-bin,” “firefox-patch-bin,” and “zen-browser-patched-bin.” They were published by a user named “danikpapas” on July 16, 2025.
“These packages were installing a script coming from the same GitHub repository that was identified as a Remote Access Trojan (RAT),” the maintainers said. “We strongly encourage users that may have installed one of these packages to remove them from their system and to take the necessary measures in order to ensure they were not compromised.”
