Threat Actors Abuse Hijacked npm Developer Accounts to Spread Malicious Packages


By Kaaviya

A sophisticated phishing campaign targeting the maintainer of eslint-config-prettier, a widely used npm package with over 3.5 billion downloads, resulted in malicious code being distributed to thousands of developer projects worldwide.

The incident, discovered on July 18 by ReversingLabs’ automated threat detection system, highlights critical vulnerabilities in modern software development practices, particularly the risks associated with automated dependency updating tools.

Phishing Hits Development Tool

The attack began with a carefully crafted phishing email that impersonated npm’s official support team, using a spoofed address and directing victims to a complete replica of npm’s website hosted on a malicious domain.

The maintainer of eslint-config-prettier fell victim to this deception, providing attackers with credentials to publish unauthorized versions of several packages under his control.

Within hours of gaining access, the attackers published malicious versions of multiple packages, including eslint-config-prettier, eslint-plugin-prettier, synckit, and others.

These compromised packages contained postinstall scripts ...


Copyright of this story solely belongs to gbhackers.