Security researchers have identified a sophisticated supply chain attack that infiltrated several widely used npm packages. The breach was facilitated by a targeted phishing operation that successfully stole authentication tokens from package maintainers, granting attackers direct access to publish malicious versions on the npm registry.
According to software supply chain security firm Socket, the attackers bypassed conventional development workflows entirely (no GitHub pull requests or source commits were made) by using the stolen tokens to publish compromised versions of legitimate packages directly to the registry. The impacted packages and versions include:
- eslint-config-prettier (versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7)
- eslint-plugin-prettier (versions 4.2.2 and 4.2.3)
- synckit (version 0.11.9)
- @pkgr/core (version 0.2.8)
- napi-postinstall (version 0.3.1)
The malicious payload was engineered to execute a DLL on Windows systems, potentially enabling remote code execution (RCE), a high-severity threat vector.
The root of the breach lies in a phishing campaign that mimicked legitimate npm communications. Developers were sent emails from a spoofed address, “support@npmjs[.]org,” with a subject urging them to “verify your email address.” The emails linked to a typosquatted domain, “npnjs[.]com,” crafted to resemble the real npm website. Victims who entered their credentials on the cloned login page inadvertently handed over access to their accounts.
Socket emphasized the serious implications of such an incident: “Phishing attacks on open-source maintainers can quickly snowball into ecosystem-wide vulnerabilities.”
Security Recommendations:
- Developers are urged to verify if they are using any of the compromised versions and immediately downgrade or replace them with safe releases.
- Maintainers should enable two-factor authentication (2FA) for their npm accounts and prefer scoped authentication tokens over passwords for package publishing.
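One way to act on the first recommendation, as an added example that is not from the article or from Socket: a Node script that walks a parsed package-lock.json and reports any entry pinned to one of the versions listed above, including transitive installs nested under another package. The lockfile content below is a constructed sample; the function accepts the parsed JSON of a real lockfile in the same way.

```javascript
// Added example (not from the advisory): flag lockfile entries pinned to the compromised versions.
const COMPROMISED = { // package -> affected versions, as listed in the advisory
  "eslint-config-prettier": ["8.10.1", "9.1.1", "10.1.6", "10.1.7"],
  "eslint-plugin-prettier": ["4.2.2", "4.2.3"],
  "synckit": ["0.11.9"],
  "@pkgr/core": ["0.2.8"],
  "napi-postinstall": ["0.3.1"],
};

// Package name from a v2/v3 "packages" key: "node_modules/a/node_modules/@pkgr/core" -> "@pkgr/core"
function nameFromLockKey(key) {
  const idx = key.lastIndexOf("node_modules/");
  return idx === -1 ? null : key.slice(idx + "node_modules/".length);
}

// Every installed {name, version, where} matching the list; handles lockfile v1 (nested
// "dependencies") and v2/v3 (flat "packages" map), so transitive installs are covered.
function findCompromised(lock) {
  const hits = [];
  const check = (name, version, where) => {
    if ((COMPROMISED[name] || []).includes(version)) hits.push({ name, version, where });
  };
  if (lock.packages) {
    for (const [key, entry] of Object.entries(lock.packages)) {
      const name = nameFromLockKey(key); // null for the root "" entry
      if (name && entry.version) check(name, entry.version, key);
    }
  } else {
    const walkV1 = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        const where = `${prefix}node_modules/${name}`;
        if (entry.version) check(name, entry.version, where);
        walkV1(entry.dependencies, where + "/");
      }
    };
    walkV1(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile (v3 layout): one safe entry, two affected, one of them transitive.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/eslint-config-prettier": { version: "10.1.5" },
    "node_modules/eslint-plugin-prettier": { version: "4.2.3" },
    "node_modules/eslint-plugin-prettier/node_modules/synckit": { version: "0.11.9" },
  },
};

for (const h of findCompromised(SAMPLE_LOCK)) console.log(`COMPROMISED ${h.name}@${h.version} at ${h.where}`);
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")).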
Protestware Campaign Also Targets npm
In parallel to this incident, a separate campaign has flooded the npm registry with 28 packages containing “protestware” features. These packages attempt to disable mouse functionality on websites with Russian or Belarusian domains and continuously play the Ukrainian national anthem. This behavior is conditional; it only triggers when the user’s browser language is set to Russian and, in some cases, on repeat visits.
This activity builds on a campaign previously identified and signals a growing trend of politically motivated actions infiltrating the open-source ecosystem. Security analyst Olivia Brown cautioned, “Developers must be aware that code buried in nested dependencies can introduce unexpected behavior that surfaces days or even weeks later.”
Malicious AUR Packages Discovered in Arch Linux Repository
Adding to the ongoing concerns around open-source software security, the Arch Linux team recently removed three malicious packages from its Arch User Repository (AUR). These packages, “librewolf-fix-bin,” “firefox-patch-bin,” and “zen-browser-patched-bin,” were uploaded on July 16, 2025, by a user identified as “danikpapas.”
These packages were found to silently download and execute a script from a now-deleted GitHub repository containing the Chaos Remote Access Trojan (RAT). Users who have installed any of these packages are strongly advised to remove them immediately and conduct a thorough system audit to check for potential security compromises.
Final Thoughts
These incidents collectively underscore the growing risk of software supply chain attacks and the importance of adopting secure development and deployment practices. As open-source ecosystems continue to scale, the need for proactive security hygiene from maintainers and users alike has never been greater.