Tag: Eslint

  • npm Supply Chain Attack Exposes Devs to “Scavenger” Malware Via Phished Accounts

    A major incident has rocked the npm ecosystem: the widely used package eslint-config-prettier suddenly received an update devoid of any corresponding changes on GitHub. Developers quickly grew suspicious, and with good reason. The package’s maintainer later revealed that he had fallen victim to a phishing attack, resulting in the compromise of his account.

    The attackers exploited this access to publish tainted versions not only of eslint-config-prettier, but also of several other popular packages including eslint-plugin-prettier, synckit, @pkgr/core, and napi-postinstall. These packages are deeply integrated into the build pipelines of numerous projects, making the attack particularly insidious: malicious code was injected into systems automatically during dependency installation.

    The malware was introduced via an install.js script that executed a DLL payload. This malicious program, dubbed Scavenger, was engineered for stealth and resilience against analysis. It performed checks to detect virtual machines, hunted for debugging and sandboxing tools, obfuscated system calls, and encrypted internal strings. Such measures rendered it exceptionally elusive, even for advanced antivirus engines and monitoring systems.

    Upon activation, Scavenger established a connection with command-and-control servers to retrieve additional instructions. In its second phase, it harvested sensitive data from Chromium-based browsers: browsing history, extensions, session tokens, and authentication credentials. This trove of information could then be weaponized for account hijacking and follow-on attacks against broader infrastructure.

    Particular scrutiny fell on the build artifacts—infected versions contained folder names and debugging paths referencing “SCVNGR”, as well as poorly crafted system utility calls. These breadcrumbs suggest haste or insufficient sophistication, despite the overall complexity of the malware.

    The initial breach occurred through a counterfeit email, in which the attackers employed device-code authorization—a method that bypasses two-factor authentication. Experts note that the operation was meticulously orchestrated: beginning with phishing, followed by a seamless npm package swap, and culminating in the silent exfiltration of user data.

    This episode serves as yet another stark reminder: even the most trusted libraries can, without warning, become conduits for devastating attacks.

  • npm Supply Chain Attack Exploited in the Wild – Phishing Steals Maintainer Tokens, Injects Malware into Popular Packages

    Hackers have successfully injected malicious code into popular npm packages by leveraging a phishing campaign against project maintainers. The attackers orchestrated a targeted campaign aimed at developers stewarding key projects and managed to steal their npm access tokens. With full control over the compromised accounts, they uploaded trojanized versions of libraries directly into the official registry—bypassing GitHub repositories entirely, leaving no trace in the form of commits or pull requests.

    According to security firm Socket, the affected packages include widely used modules such as eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, and napi-postinstall. These tainted versions were published under the legitimate names of the packages, potentially infiltrating the workflows of thousands of unsuspecting developers. The embedded malware was designed to execute DLL files on Windows systems, thereby enabling remote arbitrary code execution on compromised machines.

    The phishing attack began with deceptive emails crafted to resemble official communication from npm. These emails urged recipients to verify their email addresses, directing them to a lookalike domain—npnjs.com—intended to mimic the legitimate npmjs.com. Victims were then lured into entering credentials on a forged login page that perfectly replicated the appearance of the real one.

    Socket warns that such intrusions pose an existential threat to the broader software supply chain, as malware introduced via dependencies can propagate silently and persist undetected for extended periods. Developers are urged to immediately audit their dependencies and revert to safe versions if any of the affected modules were included. Enabling two-factor authentication and employing scoped tokens instead of conventional passwords when publishing packages is also strongly recommended.

    Amid this incident, researchers uncovered a secondary wave of attacks involving 28 protest-themed packages uploaded to the npm registry. These modules were designed to disable mouse functionality on websites with Russian or Belarusian domains and play the Ukrainian national anthem in an endless loop. The malware activated only if the browser was set to Russian language preferences and the user revisited the targeted site—rendering the attack highly selective.

    As noted by researcher Olivia Brown, such malicious activity can remain hidden for extended periods, deeply embedded within nested dependencies. The true impact may only surface weeks after the initial compromise.

    Developers are strongly advised to purge the identified packages and conduct a comprehensive system audit to detect signs of compromise if they were previously installed.