npm Maintainers Hit as Hackers Inject Code in Popular Packages

Threat actors launched a targeted phishing campaign that compromised multiple popular npm packages, aiming to steal authentication tokens from project maintainers. The attackers lured victims through a typosquatted domain, npnjs.com, which mimicked the official npmjs.org site. With the stolen credentials in hand, the attackers published malicious versions of the packages directly to the npm registry, turning a credential theft into a supply chain attack on every project that installed them.

Socket.dev researchers discovered the campaign after spotting suspicious releases of eslint-config-prettier and eslint-plugin-prettier that had no corresponding commits in the projects' GitHub repositories. Additional compromised packages included synckit, @pkgr/core, and napi-postinstall. The malware targeted Windows systems, executing remote commands through a DLL file launched via rundll32, which gave the attackers full control of the host. The attackers mined public npm package metadata to harvest maintainer email addresses and build precise target lists for the phishing emails.

By embedding platform-specific payloads, the malware achieved persistence while evading detection on non-Windows systems. The incident underscores the growing threat to open-source ecosystems.

Read the full report for more details:

Threat Actors Hijack Popular npm Packages to Steal The Project Maintainers’ npm Tokens
