{"id":2360,"date":"2025-08-19T00:57:57","date_gmt":"2025-08-19T00:57:57","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2025\/08\/19\/popular-npm-package-compromised-in-phishing-attack\/"},"modified":"2025-08-19T00:57:57","modified_gmt":"2025-08-19T00:57:57","slug":"popular-npm-package-compromised-in-phishing-attack","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/08\/19\/popular-npm-package-compromised-in-phishing-attack\/","title":{"rendered":"Popular npm Package Compromised in Phishing Attack"},"content":{"rendered":"
\n

A significant security incident involving the widely used npm package \u201ceslint-config-prettier\u201d has been uncovered.<\/p>\n

The package, downloaded more than 3.5 billion times, was compromised on July 18 after its maintainer fell victim to a phishing campaign. ReversingLabs\u2019\u00a0automated detection system and the Socket research team reported the attack the same day.<\/p>\n

Malicious versions of the package, along with others maintained by the same developer, were published using stolen credentials. The tampered files contained a script designed to drop the Scavenger remote access Trojan (RAT) on Windows systems.<\/p>\n

Although the compromised versions were available for less than two hours, the package\u2019s 36 million weekly downloads meant the potential impact was significant.<\/p>\n

How the Attack Spread<\/h2>\n

According to an advisory published by ReversingLabs last week, the phishing campaign targeted npm maintainers through emails spoofing the official support address.<\/p>\n

Victims were lured to a fake npm site with tokenized URLs \u2013 an indication of deliberate targeting.<\/p>\n

Once the maintainer\u2019s\u00a0credentials were stolen, attackers released infected versions of several related packages, including eslint-plugin-prettier and synckit.<\/p>\n

Read more on supply chain security in open source software: Novel Open Source Supply Chain Attacks Target Banking Sector<\/em><\/p>\n

Complications arose because many projects declare eslint-config-prettier as a direct dependency rather than a devDependency. ReversingLabs identified more than 14,000 such cases, which created an avenue for downstream compromises.<\/p>\n

The Role of Automated Updates<\/h2>\n

Automated tools, such as GitHub\u2019s Dependabot, amplified the damage. These systems can open and merge pull requests to update dependencies without human review.<\/p>\n

Several repositories, including one managed by the European e-bike company Dott, were found to have automatically pulled in malicious versions.<\/p>\n

While GitHub-hosted runners limit persistence, organizations using self-hosted runners may have faced greater risks.<\/p>\n

ReversingLabs detected 46 projects that installed the compromised version during the attack window, including one hosted on a Microsoft-owned repository.<\/p>\n

\u201cEven a narrow exposure window can have large repercussions,\u201d\u00a0the researchers noted.<\/p>\n

Lessons for Developers<\/h2>\n

The incident highlights the challenges of dependency management in modern software development. Automated updating reduces risks from outdated code but can introduce threats when malicious versions slip through.<\/p>\n

ReversingLabs recommended several practices:<\/p>\n