NPM ‘is’ Package with 2.8M Weekly Downloads Exploited in Attack on Developers
The popular npm package ‘is’, which has about 2.8 million weekly downloads, has been taken over by threat actors in an escalation of a phishing campaign first disclosed last Friday.
The attack began with emails spoofing npm’s support@npmjs.org address and directing developers to a typosquatted domain, npnjs.com, a near-identical proxy of the legitimate npmjs.com site built to harvest credentials via a tokenized login link.
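The lookalike-domain trick described above is mechanical enough to check for. The following Node.js script is an added example, not code from the gbhackers article or from npm: it pulls every link out of a message body, reduces the host to its registrable domain, and flags hosts that are one edit away from a protected domain (npnjs.com against npmjs.com) or that embed a protected domain under some other registrable name. SAMPLE_EMAIL, the token value in it and PROTECTED_DOMAINS are constructed for illustration, and the registrable-domain step assumes a two-label public suffix such as .com or .org.

```javascript
// Added example, not code from the gbhackers article or from npm. Flags links in
// an email whose host is a lookalike of a protected domain (npnjs.com vs npmjs.com)
// or embeds it under another registrable domain. SAMPLE_EMAIL and the token value
// in it are constructed for illustration.

const PROTECTED_DOMAINS = ['npmjs.com', 'npmjs.org'];

// Levenshtein edit distance (row-by-row dynamic programming).
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const subst = prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1);
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, subst);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Classify a hostname against the protected list. Assumption: the registrable
// domain is the last two labels (true for .com/.org, not for e.g. .co.uk).
function classifyHost(host, protectedDomains = PROTECTED_DOMAINS) {
  const h = host.toLowerCase();
  const registrable = h.split('.').slice(-2).join('.');
  if (protectedDomains.includes(registrable)) {
    return { registrable, verdict: 'legitimate', reason: `host is under ${registrable}` };
  }
  for (const d of protectedDomains) {
    if (h.includes(d)) {
      return { registrable, verdict: 'suspicious', reason: `embeds ${d} but registrable domain is ${registrable}` };
    }
    const dist = editDistance(registrable, d);
    if (dist <= 1) {
      return { registrable, verdict: 'suspicious', reason: `${registrable} is edit distance ${dist} from ${d}` };
    }
  }
  return { registrable, verdict: 'unknown', reason: 'no protected domain resembles this host' };
}

// Pull every http(s) URL out of a message body and classify its host.
function analyzeLinks(emailText, protectedDomains = PROTECTED_DOMAINS) {
  const urls = emailText.match(/https?:\/\/[^\s<>"'()]+/g) || [];
  return urls.map((raw) => {
    const url = new URL(raw.replace(/[.,;]+$/, ''));
    const result = classifyHost(url.hostname, protectedDomains);
    // A credential-harvesting link typically carries a per-victim token; surface it.
    const tokenParam = [...url.searchParams.keys()].find((k) => /token|auth|session/i.test(k)) || null;
    return { url: url.href, host: url.hostname, tokenParam, ...result };
  });
}

// Constructed sample message (not a real phishing email).
const SAMPLE_EMAIL = [
  'From: npm <support@npmjs.org>',
  'Subject: Please verify your email address',
  '',
  'Verify your account here: https://www.npnjs.com/login?token=AAAA1111',
  'Questions? See https://docs.npmjs.com/about-access-tokens',
].join('\n');

for (const link of analyzeLinks(SAMPLE_EMAIL)) {
  console.log(`${link.verdict.padEnd(10)} ${link.host}  ${link.reason}` + (link.tokenParam ? `  [carries ?${link.tokenParam}=]` : ''));
}
```

Run with `node lookalike.js`. The edit-distance threshold of 1 catches single-character swaps like npnjs, while the substring rule catches the other common pattern, a real domain name buried inside an attacker-controlled one; a production gateway would also want a public-suffix list and homoglyph normalisation, which this example leaves out.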
This semi-targeted operation focused on high-profile maintainers, including those overseeing packages with tens of millions of collective downloads.
The phishing emails got past some filters because npmjs.org published no DMARC or SPF records, as React curator Sébastien Lorber pointed out, so spoofed messages reached inboxes and the attackers were able to steal npm tokens. SPF on its own only vouches for the envelope sender; it is a DMARC policy that tells receivers to reject mail whose From: header domain is not backed by an aligned SPF or DKIM result.
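To make the DMARC/SPF point concrete, the following Node.js script is an added example (not code from the gbhackers article or from npm) that takes the SPF and DMARC TXT records a domain publishes and works out what a policy-enforcing receiver does with a message whose From: header is forged to that domain but is sent from an attacker's server. The records are passed in as strings so it runs offline; the ones in SAMPLES are constructed for illustration and are not real DNS answers, and the verdict assumes the receiver honours the published policy, which not every receiver does.

```javascript
// Added example, not code from the gbhackers article. Given the TXT records a
// sending domain publishes for SPF and DMARC, work out what a policy-enforcing
// receiver does with a message whose From: header is forged to that domain but
// is sent from an attacker's server (so SPF/DKIM alignment fails). Records are
// passed in as strings so the check runs offline; the ones in SAMPLES are
// constructed for illustration and are not real DNS data.

// Parse "v=spf1 ..." and return the qualifier on the trailing "all" mechanism:
// '-' hard fail, '~' soft fail, '?' neutral, '+' pass; null if the record is missing.
function spfAllQualifier(txt) {
  if (!txt || !/^v=spf1(\s|$)/i.test(txt.trim())) return null;
  const all = txt.trim().split(/\s+/).slice(1).find((t) => /^[-~+?]?all$/i.test(t));
  if (!all) return '?';                 // no "all" term behaves like neutral
  return /^[-~+?]/.test(all) ? all[0] : '+';
}

// Parse "v=DMARC1; p=...; ..." into policy and pct; null if missing or malformed.
function parseDmarc(txt) {
  if (!txt || !/^v=DMARC1\s*;/i.test(txt.trim())) return null;
  const tags = {};
  for (const part of txt.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    tags[part.slice(0, eq).trim().toLowerCase()] = part.slice(eq + 1).trim();
  }
  return { policy: (tags.p || 'none').toLowerCase(), pct: Number(tags.pct ?? 100) };
}

// Expected disposition of a forged-From message at a receiver that honours the
// published policy. Assumption: the forgery fails SPF alignment and carries no
// aligned DKIM signature, which is the case for mail sent from a third-party host.
function assessSpoof(spfTxt, dmarcTxt) {
  const spfAll = spfAllQualifier(spfTxt);
  const dmarc = parseDmarc(dmarcTxt);
  const notes = [];
  if (spfAll === null) notes.push('no SPF record: receivers cannot tell forged envelope senders from real ones');
  else if (spfAll === '-') notes.push('SPF hard-fails forged envelope senders');
  else notes.push(`SPF "${spfAll}all" does not instruct rejection`);

  let disposition = 'deliver';
  if (!dmarc) {
    notes.push('no DMARC record: the From: header is never checked for alignment, so SPF alone cannot block it');
  } else if (dmarc.policy === 'reject' || dmarc.policy === 'quarantine') {
    disposition = dmarc.policy;
    notes.push(`DMARC p=${dmarc.policy}` + (dmarc.pct < 100 ? ` applies to only ${dmarc.pct}% of failing mail` : ''));
  } else {
    notes.push('DMARC p=none: monitoring only, forged mail is still delivered');
  }
  return { spfAll, dmarcPolicy: dmarc ? dmarc.policy : null, pct: dmarc ? dmarc.pct : null, disposition, notes };
}

// Constructed sample records (not real DNS answers).
const SAMPLES = {
  unprotected: { spf: null, dmarc: null },
  spfOnly:     { spf: 'v=spf1 include:_spf.mail.example -all', dmarc: null },
  monitorOnly: { spf: 'v=spf1 include:_spf.mail.example -all', dmarc: 'v=DMARC1; p=none; rua=mailto:dmarc@example.test' },
  enforced:    { spf: 'v=spf1 include:_spf.mail.example -all', dmarc: 'v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.test' },
};

for (const [name, rec] of Object.entries(SAMPLES)) {
  const r = assessSpoof(rec.spf, rec.dmarc);
  console.log(`${name.padEnd(12)} -> ${r.disposition}: ${r.notes.join('; ')}`);
}
```

The spfOnly case is the one worth staring at: even a strict `-all` leaves a forged From: header deliverable, because nothing ties the header domain to the SPF check until a DMARC record with `p=quarantine` or `p=reject` is published. To look at a real domain, fetch `_dmarc.<domain>` and the apex TXT records with `dig TXT` and feed the strings to `assessSpoof`.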
With those tokens in hand, the attackers published malicious versions of multiple packages, so that ordinary dependency resolution in developer workflows and CI pipelines distributed the malware automatically ...
Copyright of this story belongs solely to gbhackers.