Full Report
A phishing attack targeting a popular npm maintainer led to the compromise of several widely used packages, including eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, and others. The attacker stole the maintainer’s npm token via a spoofed email and used it ...
Analysis Summary
# Incident Report: npm Supply Chain Compromise via Maintainer Phishing
## Executive Summary
A sophisticated phishing attack targeted a popular npm maintainer, successfully stealing their npm authentication token via a spoofed email. This access resulted in the compromise and malicious publication of several widely used npm packages, including `eslint-config-prettier` and `eslint-plugin-prettier`. The attacker leveraged postinstall scripts to distribute Windows malware, resulting in a significant supply chain compromise affecting downstream users.
## Incident Details
- Discovery Date: Not explicitly stated, but inferred shortly after the publication of malicious versions (References suggest reporting around July 2025).
- Incident Date: Circa July 2025 (Date of malicious publication).
- Affected Organization: Popular npm maintainer (Specific name not disclosed in the context).
- Sector: Software Development / Open Source Infrastructure.
- Geography: Global (Due to the nature of open-source package distribution).
## Timeline of Events
### Initial Access
- Date/Time: Before malicious publication (July 2025).
- Vector: Phishing.
- Details: Attacker sent a spoofed email convincing the maintainer to divulge their npm authentication token.
### Lateral Movement
- **Context Implication:** The attacker immediately used the stolen token to gain authorized access to the affected npm accounts and packages. No complex internal network lateral movement is implied; access was gained directly via credentials for the software registry.
### Data Exfiltration/Impact
- **Impact:** Malicious versions of packages (`eslint-config-prettier`, `eslint-plugin-prettier`, `synckit`, `@pkgr/core`, etc.) were published to the npm registry.
- **Payload:** The new versions contained postinstall scripts designed to deploy Windows malware. A follow-up revealed expansion to PyPI (`num2words`).
### Detection & Response
- **Detection:** The incident was eventually discovered through external reporting or monitoring by security researchers/teams (implied by investigation reports).
- **Response actions taken:** Not explicitly detailed, but generally involves immediate rollback/deprecating malicious versions, alerting users, and rotating credentials.
## Attack Methodology
- Initial Access: Credential Harvesting via **Phishing** (Spoofed email targeting the maintainer).
- Persistence: Maintained through the stolen, active **npm token**.
- Privilege Escalation: Not applicable at system level; access escalated by obtaining **registry publishing rights**.
- Defense Evasion: Malware leveraged **`rundll32` under a disguised function** to evade standard antivirus engines.
- Credential Access: **npm Access Token Theft** via phishing.
- Discovery: Not specified, likely minimal reconnaissance needed with direct package targeting.
- Lateral Movement: Not applicable (Registry focused).
- Collection: Not specified, but the goal was malicious code distribution.
- Exfiltration: Malicious code/malware distribution to downstream CI/CD pipelines and development machines.
- Impact: Supply chain compromise leading to malware installation on end-user systems.
## Impact Assessment
- Financial: Unknown, but significant indirect costs related to remediation and breach notification for dependent organizations.
- Data Breach: No direct user data breach cited, but integrity breach of critical open-source supply chain dependencies.
- Operational: High risk to any developer or system using the compromised packages.
- Reputational: Significant negative impact on the trust placed in the affected maintainer and the npm ecosystem security.
## Indicators of Compromise
- **Network indicators:** (None explicitly provided in defanged format)
- **File indicators:** Malicious DLLs deployed.
- **Behavioral indicators:** Execution of code via `postinstall` scripts in npm packages; unusual behavior related to `rundll32.exe`.
## Response Actions
- **Containment measures:** Immediate revocation of the compromised npm token(s) and potentially account suspension.
- **Eradication steps:** Removal or deprecation of malicious package versions from the registry.
- **Recovery actions:** Notification to the public regarding the compromised packages and guidance on cleaning affected systems.
## Lessons Learned
- Maintainer credentials (especially platform-specific tokens) are a high-value target for supply chain infiltration.
- Reliance on single-factor authentication (or token exposure via non-MFA channels) for publishing critical infrastructure is highly risky.
- Postinstall scripts in software packages represent a significant, often unchecked, execution surface.
## Recommendations
- **Mandate Multi-Factor Authentication (MFA)** for all npm account publishing access.
- Utilize **security scanning** (like dependency track or SCA tools) to monitor package versions being installed, specifically looking for known malicious package names.
- Maintain strict access control policies, ensuring registry tokens are short-lived and highly restricted, never shared via standard email channels.
- Implement **tamper-proof code signing** or stricter verification processes for package uploads.