Popular JavaScript Libraries Compromised in Targeted Supply Chain Attack via Phishing
A targeted phishing attack led to the compromise of several widely used npm packages, including eslint-config-prettier—downloaded over 30 million times weekly—after the maintainer’s credentials were stolen. Unauthorized package versions were published with malicious postinstall scripts that executed trojanized DLLs (node-gyp.dll and crashreporter.dll) on Windows machines, enabling malware delivery. The attacker used spoofed emails imitating npm support to steal the maintainer’s token, which was then used to inject malware into packages like eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall, and got-fetch.
Security researchers traced identical behaviour across multiple libraries, suggesting a coordinated supply chain campaign. The affected versions have now been deprecated, and users are urged to audit their lockfiles, CI logs, and Windows build environments for signs of compromise. This attack follows a string of recent incidents exploiting the open-source ecosystem’s reliance on maintainer trust, once again spotlighting the urgent need for stronger protections against credential theft and post-publish tampering.
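The lockfile and build-script audit recommended above, as an added example that is not code from the report or from any of the affected projects: it walks an npm lockfile (v1, v2 or v3) for the six packages named here and flags lifecycle hooks that reference the two DLL names. The report gives no version numbers, so the known-bad version set is a placeholder to be filled from the npm advisory, and the sample lockfile and package.json are constructed.

```python
import json
import re

# Package names come from the report; version numbers do not. Replace the
# placeholder set with the affected versions listed in the npm advisory.
WATCHED = {name: {"0.0.0-PLACEHOLDER"} for name in (
    "eslint-config-prettier", "eslint-plugin-prettier", "synckit",
    "@pkgr/core", "napi-postinstall", "got-fetch")}
# Trojanized DLLs the malicious postinstall scripts executed, per the report.
SUSPICIOUS_ARTIFACT = re.compile(r"\b(node-gyp|crashreporter)\.dll\b", re.I)
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

def iter_locked_packages(lock):
    """Yield (name, version) for every entry in a v1, v2 or v3 lockfile."""
    for key, meta in lock.get("packages", {}).items():  # v2/v3 flat path map
        if key:  # the "" key is the root project itself, not a dependency
            yield key.rsplit("node_modules/", 1)[-1], meta.get("version")

    def walk(deps):  # v1 nests transitive deps under "dependencies"
        for name, meta in deps.items():
            yield name, meta.get("version")
            yield from walk(meta.get("dependencies", {}))
    yield from walk(lock.get("dependencies", {}))

def audit_lockfile(lock):
    """Return (name, version, verdict) for each watched package found.
    Known-bad versions are COMPROMISED; other versions of a named package
    are marked for review because the maintainer's token itself was stolen."""
    findings = []
    for name, version in sorted(set(iter_locked_packages(lock))):
        if name in WATCHED:
            verdict = "COMPROMISED" if version in WATCHED[name] else "review"
            findings.append((name, version, verdict))
    return findings

def audit_scripts(package_json):
    """Return lifecycle hooks whose command references one of the named DLLs."""
    scripts = package_json.get("scripts", {})
    return [hook for hook in LIFECYCLE_HOOKS
            if SUSPICIOUS_ARTIFACT.search(scripts.get(hook, ""))]

# Constructed sample inputs, not taken from any real project.
SAMPLE_LOCK = json.loads("""{"lockfileVersion": 3, "packages": {
  "": {"name": "demo-app", "version": "1.0.0"},
  "node_modules/eslint-config-prettier": {"version": "0.0.0-PLACEHOLDER"},
  "node_modules/foo/node_modules/@pkgr/core": {"version": "1.2.3"},
  "node_modules/left-pad": {"version": "1.3.0"}}}""")
SAMPLE_PKG = {"scripts": {"postinstall": "node setup.js crashreporter.dll",
                          "test": "jest"}}
```

Run `audit_lockfile(json.load(open("package-lock.json")))` against a real lockfile and `audit_scripts` against each installed dependency's package.json; a "review" verdict means the package is one of the named ones but its version is not in your filled-in bad list.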
www.bleepingcomputer.com/news/secu…
