Popular NPM Package 'is' Hijacked in Supply Chain Attack, Infects Millions of Developers
Share this article
Popular 'is' NPM Package Hijacked in Supply Chain Attack, Infects Millions of Developers
The JavaScript ecosystem faces yet another critical supply chain crisis after the widely used 'is' library—a dependency in countless development tools, testing frameworks, and CLI projects—was compromised to deliver cross-platform malware. With over 2.8 million weekly downloads, this utility’s compromise grants attackers remote control over infected systems, exposing a glaring vulnerability in open-source infrastructure.
Anatomy of an Ecosystem Breach
On July 19, 2025, maintainer John Harband confirmed that versions 3.3.1 to 5.0.0 contained malicious code, uploaded via hijacked accounts after a phishing campaign targeted npm maintainers. Attackers used the domain 'npnjs[.]com' (a typosquat of npmjs.com) to steal credentials, then silently altered package ownership. The tainted versions remained live for six critical hours before removal.
Maintainer accounts were compromised via phishing, enabling unauthorized package updates.
Malware Mechanics: Backdoors and Data Theft
According to researchers at Socket, the 'is' package delivered a JavaScript loader establishing a WebSocket-based backdoor:
// Malware workflow pseudocode
const osData = collectHostDetails(); // Hostname, OS, CPU
const envVars = stealEnvironmentVars(); // process.env
exfiltrateDataViaWebSocket(osData, envVars);
// Attackers gain remote code execution:
onMessageReceived((maliciousCode) => {
eval(maliciousCode); // Executes arbitrary commands
});
This grants attackers an interactive remote shell, enabling real-time code execution. Concurrently, compromised packages like eslint-config-prettier and got-fetch deployed 'Scavanger'—a Windows infostealer harvesting browser data using evasion tactics like encrypted C2 traffic and indirect syscalls.
Broader Campaign: Multiple Packages Compromised
The same attack impacted several high-dependency packages:
- eslint-config-prettier (v8.10.1, 9.1.1, 10.1.6, 10.1.7)
- eslint-plugin-prettier (v4.2.2, 4.2.3)
- synckit (v0.11.9)
- @pkgr/core (v0.2.8)
Evidence suggests attackers retain additional compromised credentials and may deploy stealthier payloads soon.
Mitigation and Ecosystem Vigilance
Maintainers must:
- Immediately reset npm passwords and rotate API tokens
- Enable two-factor authentication (2FA)
Developers should:
- Revert to pre-July 18, 2025 versions (v3.3.0 or earlier for 'is')
- Disable auto-updates and enforce dependency lockfiles
- Audit node_modules for suspicious activity
The incident underscores open-source's fragile trust model—where a single hijacked account can jeopardize millions of systems. As supply chain attacks evolve, proactive credential hygiene and immutable builds become non-negotiable.
Source: BleepingComputer