Hijacked NPM Package ‘is’ Exposes Millions in JavaScript Supply Chain Breach
A major open-source supply chain attack has compromised the NPM package ‘is’, which receives over 2.8 million weekly downloads, injecting malware that enables remote code execution via a WebSocket-based backdoor. The incident began when the package’s maintainer accounts were hijacked through a phishing site impersonating npmjs.com, allowing attackers to publish malicious versions (3.3.1 through 5.0.0) that remained available for about six hours before removal. The ‘is’ package, a lightweight JavaScript utility used extensively in development tools and backend projects, was modified to collect system and environment data and grant attackers interactive remote access to infected machines.
Further investigation revealed that the same threat actors compromised several other popular packages—eslint-plugin-prettier, synckit, @pkgr/core, and others—embedding additional malware such as Scavenger, a Windows-focused infostealer with encrypted command-and-control capabilities. Security researchers warn that this may be a broader campaign, with more compromised credentials and stealthier payloads yet to come. Developers are urged to roll affected packages back to versions published before July 18, 2025, disable auto-updates, rotate credentials, and lock dependencies to prevent further exposure.
