Full Report
The popular NPM package 'is' has been compromised in a supply chain attack that injected backdoor malware, giving attackers full access to compromised devices. [...]
Analysis Summary
# Incident Report: Malicious Payload Injection in NPM Package 'is'
## Executive Summary
The widely used NPM package 'is' (2.8 million weekly downloads) was compromised, and malware was injected that targeted developers using the dependency. This supply chain attack let threat actors gain persistent, interactive remote shell control over infected environments and exfiltrate sensitive system information and browser credentials over WebSocket. The primary mitigation was for developers to revert immediately to known safe versions of the package.
## Incident Details
- **Discovery Date:** Not explicitly stated, but the investigation began after malicious activity was observed in the package.
- **Incident Date:** Occurred leading up to the discovery, affecting versions published after July 18, 2025.
- **Affected Organization:** NPM software supply chain (specifically projects relying on the 'is' package).
- **Sector:** Software Development / Technology.
- **Geography:** Global (wherever developers used the affected NPM package).
## Timeline of Events
### Initial Access
- **Date/Time:** Prior to July 18, 2025 (implied, when the malicious version was published).
- **Vector:** Compromise/hijacking of the NPM package 'is' maintainer credentials.
- **Details:** Threat actors successfully published a malicious version of the popular package 'is'.
### Lateral Movement
- **Date/Time:** Post-installation/execution on developer machines.
- **Vector:** Execution within the developer's Node.js environment.
- **Details:** The malware collected system details (hostname, OS, CPU) and environment variables (`process.env`).
### Data Exfiltration/Impact
- **Date/Time:** Upon execution.
- **Vector:** WebSocket communication.
- **Details:** The collected system data was exfiltrated; in related package payloads ('eslint'), data stolen by the Windows infostealer 'Scavanger' (browser credentials/info) was exfiltrated as well. Any data received over the established WebSocket connection was treated as executable JavaScript, granting the attacker an instant, interactive remote shell.
### Detection & Response
- **Date/Time:** Discovery by researchers (e.g., Socket.dev).
- **Vector:** Analysis of the malicious package payload.
- **Details:** Researchers analyzed the payload and uncovered the C2 communication and data collection mechanisms. Response actions recommended immediate credential rotation for maintainers and version rollback for developers.
## Attack Methodology
- **Initial Access:** Supply chain attack via compromised NPM package registry/maintainer account.
- **Persistence:** Achieved through the execution of the malicious dependency code upon running the installed software project.
- **Privilege Escalation:** Not explicitly detailed, but execution implies running with developer-level permissions in the build environment.
- **Defense Evasion:** The malware uses indirect syscalls and encrypted Command and Control (C2) communications. It may also manipulate Chrome flags to avoid detection.
- **Credential Access:** The associated malware payload ('Scavanger') specifically targets sensitive information stored in web browsers.
- **Discovery:** Collection of hostname, OS, CPU details, and all environment variables (`process.env`).
- **Lateral Movement:** Not explicitly detailed beyond exploitation on the initial infected build machine.
- **Collection:** System metrics and environment variables; browser data via 'Scavanger'.
- **Exfiltration:** Data sent over a WebSocket connection established dynamically using the `ws` library.
- **Impact:** Establishment of an interactive remote shell and theft of credentials and system information.
## Impact Assessment
- **Financial:** Not quantified, but potential costs associated with remediation, credential resets, and breach investigation.
- **Data Breach:** Sensitive system information (OS, hostname, env variables) and web browser credentials/sensitive stored information.
- **Operational:** Risk to developer environments and the integrity of code builds relying on the compromised dependency.
- **Reputational:** Potential damage to trust in the NPM ecosystem and affected downstream applications.
## Indicators of Compromise
- **Network Indicators:** Exfiltration attempts via dynamic WebSocket connections to C2 servers.
- **File Indicators:** Presence of the injected malicious code within the 'is' package source files (published after July 18, 2025).
- **Behavioral Indicators:** Attempted collection of `os` module details and `process.env` variables; dynamic import of the `ws` library for external communication; execution of arbitrary code received over the established socket.
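
The behavioral indicators above can be turned into a first-pass static check over a package's source files. The following is an added example, not code from the report or from any vendor tooling; the rule ids, verdict names and sample file contents are constructed for illustration.

```javascript
// Added example: static heuristic over package source text for the
// behavioural indicators listed above. Rule ids and samples are constructed.
const RULES = [
  // Host fingerprinting through Node's os module.
  { id: 'os-fingerprint', re: /\bos\.(hostname|platform|type|release|arch|cpus)\s*\(/ },
  // The whole process.env object, not a single key such as process.env.NODE_ENV.
  { id: 'env-bulk-read', re: /\bprocess\.env\b(?!\s*[.\[])/ },
  // The ws library loaded at runtime via require() or import().
  { id: 'ws-dynamic-load', re: /\b(?:require|import)\s*\(\s*['"`]ws['"`]\s*\)/ },
  // Strings turned into code: eval(...) or new Function(...).
  { id: 'code-from-string', re: /\beval\s*\(|\bnew\s+Function\s*\(/ },
];

function scanSource(source) {
  const hits = RULES.filter((r) => r.re.test(source)).map((r) => r.id);
  const has = (id) => hits.includes(id);
  const harvest = has('os-fingerprint') && has('env-bulk-read');
  let verdict = hits.length > 0 ? 'review' : 'clean';
  // The combination the report describes: a runtime-loaded socket library
  // together with harvesting or with string-to-code execution.
  if (has('ws-dynamic-load') && (harvest || has('code-from-string'))) {
    verdict = 'block';
  }
  return { hits, verdict };
}

// files: { relativePath: sourceText }; returns only files that need attention.
function scanPackage(files) {
  return Object.entries(files)
    .map(([path, src]) => ({ path, ...scanSource(src) }))
    .filter((r) => r.verdict !== 'clean');
}

// Constructed sample input: inert token fragments, not a real payload.
const SAMPLE_FILES = {
  'index.js': "module.exports = (v) => typeof v === 'string';\nconst dev = process.env.NODE_ENV !== 'production';",
  'lib/helper.js': "const os = require('os');\nconst tag = os.platform();",
  'lib/injected.js': "const d = { h: os.hostname(), c: os.cpus(), e: process.env };\nconst W = require('ws');\nconst run = new Function(String(msg));",
};

console.log(scanPackage(SAMPLE_FILES));
```

Pattern matching of this kind only sees plain-text source, so it complements rather than replaces runtime monitoring of install and build steps.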
## Response Actions
- **Containment:** Immediate advice provided to developers to **turn off auto-updating** for NPM dependencies and **use lockfiles** to pin versions to known safe releases prior to July 18, 2025.
- **Eradication:** Advised NPM package maintainers to **reset their passwords and rotate all tokens immediately**.
- **Recovery:** Developers must **delete current installations** of the compromised package and install the safe version range.
## Lessons Learned
- Supply chain attacks against widely adopted, high-download-count dependencies remain a critical risk vector.
- Malicious code incorporated into legitimate dependencies can grant sophisticated, interactive remote access in the form of a remote shell.
- Relying solely on automatic dependency updates exacerbates exposure time during compromise events.
## Recommendations
- All NPM package maintainers associated with popular libraries must **immediately reset passwords and rotate access tokens/API keys**.
- Developers should **disable auto-updating** for production dependencies if security vetting is not instantaneous.
- Implement **lockfiles** (e.g., `package-lock.json`) to explicitly control and freeze dependency versions to those verified as safe.
- Regularly audit dependencies for unusual behaviors, especially dynamic network connections or environment variable harvesting.
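
The lockfile guidance in the containment and recommendation items can be checked mechanically by comparing each pinned copy of a package against its registry publish time. The following is an added example, not tooling from the report; the version strings and timestamps are constructed placeholders, and treating the whole of July 18, 2025 (UTC) as past the cutoff is an assumption.

```javascript
// Added example: verify that every copy of a package pinned in a
// package-lock.json (lockfileVersion 2/3) was published before the cutoff.
// Assumption: anything published on or after 2025-07-18 UTC is flagged.
const CUTOFF = new Date('2025-07-18T00:00:00Z');

// Constructed stand-in for the registry "time" map (version -> ISO publish
// timestamp), the shape returned by `npm view <pkg> time --json`.
const SAMPLE_TIMES = {
  '1.0.0-sample-a': '2024-03-02T10:00:00.000Z',
  '1.0.0-sample-b': '2025-07-19T08:30:00.000Z',
};

// Constructed stand-in for a parsed package-lock.json.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/is': { version: '1.0.0-sample-a' },
    'node_modules/some-dep/node_modules/is': { version: '1.0.0-sample-b' },
    'node_modules/this': { version: '9.9.9-sample' },
  },
};

// Every installed copy lives under "packages", keyed by install path;
// nested (transitive) copies also end in "node_modules/<name>".
function pinnedVersions(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

function auditPins(lock, name, times, cutoff = CUTOFF) {
  return pinnedVersions(lock, name).map(({ path, version }) => {
    const published = times[version];
    let status;
    if (!published) status = 'unknown'; // no publish record: unverified
    else if (new Date(published) < cutoff) status = 'ok';
    else status = 'after-cutoff';
    return { path, version, status };
  });
}

console.log(auditPins(SAMPLE_LOCK, 'is', SAMPLE_TIMES));
```

The nested path in the sample shows why the top-level entry alone is not enough: a transitive dependency can carry its own, later copy of the same package.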