Cybersecurity researchers have issued a warning regarding a supply chain attack that has impacted several widely-used npm packages, wherein malicious code was injected to exploit project maintainers’ credentials. Through a phishing campaign, attackers were able to steal npm tokens, subsequently using them to publish compromised versions of the packages directly to the registry.
The attack specifically affected packages such as eslint-config-prettier (versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7), eslint-plugin-prettier (versions 4.2.2 and 4.2.3), and others like synckit and @pkgr/core. The modified code in these packages attempted to execute a DLL file on Windows machines, opening the door for potential remote code execution.
This incident follows a specific phishing campaign that targeted project maintainers via fake emails impersonating npm. These communications urged recipients to verify their email addresses by clicking on a typosquatted link that closely resembled the legitimate npm site. The phishing emails were made to look genuine, coming from a spoofed npm address, thereby tricking maintainers into disclosing their credentials.
Security experts recommend developers using the affected packages to verify their installed versions and revert to previous safe iterations. Additionally, it is advisable for maintainers to enable two-factor authentication to safeguard their accounts and utilize scoped tokens for package publishing instead of plain passwords.
This alarming incident underscores the potential for phishing attacks targeting software maintainers to escalate into widespread security threats across the software ecosystem. Security researcher Olivia Brown noted that incidents like this expose the vulnerabilities in the software supply chain, highlighting the need for stronger security protocols.