Malware Injected into 7 npm Packages After Maintainer Tokens Stolen in Phishing Attack

Cybersecurity researchers have alerted to a supply chain attack that has targeted popular npm packages via a phishing campaign designed to steal the project maintainers' npm tokens. The captured tokens were then used to publish malicious versions of the packages directly to the registry without any source code commits or pull requests on their respective GitHub repositories. The list of affected packages and their rogue versions, according to Socket, is listed below – eslint-config-prettier (versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7) eslint-plugin-prettier (versions 4.2.2 and 4.2.3) synckit (version 0.11.9) @pkgr/core (version 0.2.8) napi-postinstall (version 0.3.1) got-fetch (versions 5.1.11 and 5.1.12) is (versions 3.3.1 and 5.0.0) "The injected code attempted to execute a DLL on Windows machines, potentially allowing remote code execution," the software supply chain security firm said. The development comes in the aftermath of a phishing campaign that has been found to send email messages impersonating npm in order to trick project maintainers into clicking on a typosquatted link ("npnjs[.]com," as opposed to "npmjs[.]com") that harvested their credentials. The digital missives, with the subject line "Please verify your email address," spoofed a legitimate email address associated with npm ("support@npmjs[.]org"), urging recipients to validate their email address by clicking on the embedded link. The bogus landing page to which the victims are redirected to, per…Read More