Beware of npm Phishing Emails Targeting Developer Credentials
A developer recently came across a highly advanced phishing email that spoofs the support@npmjs.org address in order to impersonate npm, the Node.js package registry.
The email directed recipients to a malicious link on npnjs.com, a domain cleverly typosquatted to mimic npmjs.com by swapping ‘m’ for ‘n’.
This fake site hosted a complete clone or proxy of the legitimate npm website, designed to steal developer credentials through a deceptive login page.
The phishing URL, structured as https://npnjs.com/login?token=xxxxxx (with the token redacted), likely incorporated unique tokens for tracking clicks, pre-filling victim data, or simulating a legitimate session flow.

This tokenized approach suggests a semi-targeted campaign, potentially aimed at active package maintainers with substantial influence.
In this case, the targeted individual maintained packages amassing 34 million weekly downloads, highlighting the high stakes involved.
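The two tells described above (a one-letter typosquat of npmjs.com and a tokenized login link) can be checked mechanically before a user clicks. The following is an added example, not code from the article or from npm: it scores an e-mail link against an assumed allow-list of legitimate registry domains using edit distance, and flags the constructed sender/URL pair mirroring this campaign.

```python
"""Flag lookalike registry domains and tokenized login links in e-mail.

Added example. The trusted-domain list and the sample sender/URL below are
constructed assumptions mirroring the campaign described in the article.
"""
from urllib.parse import urlparse, parse_qs

# Assumption: domains we consider legitimate for the npm registry.
TRUSTED_DOMAINS = {"npmjs.com", "npmjs.org"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance; a typosquat like npnjs.com is one edit from npmjs.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for .com/.org used here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def analyze_link(url: str, sender: str) -> dict:
    """Return the closest trusted domain, its edit distance, and findings."""
    u = urlparse(url)
    host = registrable_domain(u.hostname or "")
    sender_domain = registrable_domain(sender.split("@")[-1])
    closest = min(TRUSTED_DOMAINS, key=lambda d: levenshtein(host, d))
    dist = levenshtein(host, closest)
    findings = []
    if host not in TRUSTED_DOMAINS:
        if dist <= 2:
            findings.append(f"lookalike of {closest} (edit distance {dist})")
        if host != sender_domain:
            findings.append("link domain differs from sender domain")
    if "token" in parse_qs(u.query):
        findings.append("tokenized login link (possible click tracking)")
    return {"host": host, "closest": closest, "distance": dist,
            "findings": findings}

if __name__ == "__main__":
    # Constructed sample: spoofed npm sender, typosquatted login link.
    print(analyze_link("https://npnjs.com/login?token=REDACTED",
                       "support@npmjs.org"))
```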
Notably, the email included legitimate support links to ...
Copyright of this story solely belongs to gbhackers.