
Attackers Hijack Trusted npm Packages to Exfiltrate Developer Credentials

July 24th, 2025

Critical

Our Cyber Threat Intelligence Unit has identified a new supply chain attack targeting the JavaScript ecosystem, specifically through compromised popular npm packages. Threat actors have successfully injected malicious code into legitimate packages, which are then unknowingly downloaded and executed by developers and applications. While the underlying threat vector typically warrants a High rating, the fact that legitimate, verified packages were intentionally tampered with significantly amplifies the risk and escalates it to Critical. Given the prevalence of these packages across countless applications and environments, this compromise has the potential for widespread impact, supply chain infiltration, and rapid propagation, necessitating immediate attention and elevated response. The compromised packages were used to deliver hidden payloads capable of data exfiltration, command execution, and system reconnaissance. This campaign highlights the increasing risks posed by software supply chain attacks, where trusted open-source components are exploited to distribute malware.

Technical Details

  • Attack Type: Supply Chain Attack via npm.

  • Severity: Critical.

  • Delivery Method: Compromised npm packages.

  • Technique: Malicious code injection and obfuscation.

  • Malicious Packages Identified:

    • eslint-config-prettier: 8.10.1, 9.1.1, 10.1.6, 10.1.7

    • eslint-plugin-prettier: 4.2.2, 4.2.3

    • synckit: 0.11.9

    • @pkgr/core: 0.2.8

    • napi-postinstall: 0.3.1

In this campaign, attackers accessed the accounts of npm package maintainers to publish trojanized versions of popular packages. These packages contained obfuscated JavaScript code that:

  • Collected system and environment information.

  • Exfiltrated data to attacker-controlled domains.

  • Executed remote commands via embedded scripts.

  • Maintained persistence through scheduled tasks or startup entries.

The malicious code was often concealed in post-install scripts or deeply nested dependencies, making detection challenging.


Impact

The compromise of npm packages poses significant risks to developers and organizations, such as:

  • Unauthorized access to development environments and CI/CD pipelines.

  • Data leakage, including environment variables, credentials, and tokens.

  • Execution of arbitrary commands on developer or production systems.

  • Widespread propagation through downstream dependencies.

  • Reputational damage for affected package maintainers and projects.

Detection Method

  • Monitor for unusual behavior during or after npm package installation.

  • Watch npm package installations for versions known to be compromised (e.g., eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, 10.1.7, and eslint-plugin-prettier 4.2.2, 4.2.3).

  • Examine package.json and package-lock.json for unexpected scripts or dependencies.

  • Use static analysis tools to detect obfuscated or suspicious JavaScript code.

  • Track outbound connections from development environments to unknown domains.

  • Enable 2FA for npm accounts and review package publishing activity.
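The lockfile check from the detection list above, as an added example that is not code from the advisory: it scans a package-lock.json (lockfile v1 nested tree or v2/v3 flat "packages" map) for the exact versions listed under Malicious Packages Identified and reports whether npm recorded an install script for each hit. The sample lockfile is constructed for illustration.

```javascript
// Versions listed in the advisory's "Malicious Packages Identified" section.
const COMPROMISED = {
  "eslint-config-prettier": ["8.10.1", "9.1.1", "10.1.6", "10.1.7"],
  "eslint-plugin-prettier": ["4.2.2", "4.2.3"],
  "synckit": ["0.11.9"],
  "@pkgr/core": ["0.2.8"],
  "napi-postinstall": ["0.3.1"],
};
// Package name from a v2/v3 lockfile key such as "node_modules/@pkgr/core"
// or "node_modules/synckit/node_modules/@pkgr/core" (a nested install).
function nameFromPath(p) {
  const i = p.lastIndexOf("node_modules/");
  return i === -1 ? p : p.slice(i + "node_modules/".length);
}
// Returns one { name, version, path, hasInstallScript } record per hit.
// npm sets hasInstallScript in v2/v3 lockfiles when a package declares a
// (pre/post)install script, the hook the advisory says the payload hid in.
function findCompromised(lock) {
  const hits = [];
  const check = (name, entry, path) => {
    if ((COMPROMISED[name] || []).includes(entry.version)) {
      hits.push({ name, version: entry.version, path,
                  hasInstallScript: Boolean(entry.hasInstallScript) });
    }
  };
  if (lock.packages) {                     // lockfileVersion 2 or 3
    for (const [p, entry] of Object.entries(lock.packages)) {
      if (p !== "") check(nameFromPath(p), entry, p);  // "" is the root
    }
  } else {                                 // lockfileVersion 1: nested tree
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        check(name, entry, path);
        walk(entry.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}
// Constructed sample (not a real project): a v3 lockfile with one clean
// package and two compromised versions, one of them nested.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/eslint-config-prettier": { version: "10.1.7", hasInstallScript: true },
  "node_modules/prettier": { version: "3.3.3" },
  "node_modules/synckit/node_modules/@pkgr/core": { version: "0.2.8" },
} };
console.log(JSON.stringify(findCompromised(SAMPLE_LOCK), null, 2));
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findCompromised` and treat any hit as an incident, not just a dependency bump.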

Indicators of Compromise

Domain: npnjs[.]com


Recommendations

  • Immediately review all npm dependencies for recent changes or suspicious activity.

  • Use package integrity verification tools like npm audit and npm ci.

  • Enforce strict dependency policies and lockfile management.

  • Educate developers about supply chain risks and secure coding practices.

  • Monitor for unusual network activities from development environments.

  • Report suspicious packages to npm and remove them from your system.

Conclusion

This campaign highlights the crucial importance of vigilance in managing open-source dependencies. By compromising trusted npm packages, attackers can infiltrate development environments and production systems undetected. Implementing proactive supply chain security measures and raising developer awareness are vital to mitigate risks from such rapidly evolving threats. We encourage organizations to adopt a zero-trust approach to third-party code, enforce strict dependency controls, and continuously monitor for signs of compromise.
