Saturday, December 13, 2025

Warning to Developers – Npm Phishing Scams Are Targeting Your Login Details

Developers are facing a sophisticated new threat as cybercriminals launch targeted phishing campaigns against npm package maintainers, using advanced typosquatting techniques to steal credentials and potentially compromise the software supply chain.

A recent incident has revealed the alarming sophistication of these attacks, which specifically target high-value developer accounts that manage millions of package downloads.

Sophisticated Typosquatting Attack Discovered

Security researchers have uncovered a convincing phishing campaign that impersonates npm, the Node.js package registry used by millions of developers worldwide.

The attack uses the domain “npnjs.com,” a subtle typosquat that swaps the “m” in npmjs.com for an “n,” to host a complete clone of the legitimate npm website.

The phishing emails, which spoof the official support@npmjs.org address, contain urgent login requests directing victims to a malicious domain.

These emails feature tokenized URLs such as “https://npnjs.com/login?token=xxxxxx,” suggesting semi-targeted campaigns that may track individual victims or pre-populate login forms to enhance credibility.

[Image: phishing email]

In one documented case, attackers targeted a package maintainer responsible for software downloaded 34 million times weekly, highlighting the strategic value of compromising influential developer accounts.

The criminals cleverly incorporated legitimate npmjs.com support links into their phishing emails to enhance authenticity and evade detection.
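The mix the article describes, a typosquat login link sitting next to genuine npmjs.com support links, is exactly what a mail-filtering or triage check needs to separate. The following is an added example, not code from the article or from npm: it pulls every link out of a message body and classifies each hostname as a real registry domain, a lookalike, or unrelated. The edit-distance threshold of 2, the "last two labels" shortcut for the registrable domain, and the sample body are my own assumptions; the sample is constructed to mirror the pattern the article reports and is not a captured message.

```python
"""
Added example, not code from the article: scan the links in a suspected
phishing email and flag hostnames that are close lookalikes of the npm
registry's real domains, while letting genuine npmjs.com links through.

Assumptions (mine, not from the page): the edit-distance threshold of 2,
the "registrable domain = last two labels" shortcut, and the sample email
body below, which is constructed to mirror the pattern the article describes.
"""
import re
from urllib.parse import urlparse

LEGIT_DOMAINS = {"npmjs.com", "npmjs.org"}  # the registry's real domains
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, with an adjacent swap (nmpjs) counted as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # prev2 is row i-2, so this is the transposition case d[i-2][j-2] + 1
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def registrable_domain(hostname: str) -> str:
    """Crude eTLD+1 (last two labels); enough for .com/.org lookalikes."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(hostname: str, max_distance: int = 2) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for a link's hostname."""
    host = hostname.lower()
    dom = registrable_domain(host)
    if dom in LEGIT_DOMAINS:
        return "legit"
    # "npmjs" used as a subdomain of someone else's domain (npmjs.com.evil.tld)
    if "npmjs" in host:
        return "lookalike"
    # One or two character edits away from a real domain (npnjs.com, nmpjs.com)
    if any(edit_distance(dom, legit) <= max_distance for legit in LEGIT_DOMAINS):
        return "lookalike"
    return "unrelated"


def find_lookalike_links(body: str):
    """(url, hostname) pairs for every link whose host is a lookalike."""
    hits = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if classify_host(host) == "lookalike":
            hits.append((url, host))
    return hits


# Constructed sample body: one typosquat link mixed with real npm links,
# the combination the article describes. Not a captured message.
SAMPLE_BODY = (
    "Please verify your account: https://npnjs.com/login?token=xxxxxx\n"
    "Need help? See https://npmjs.com/support or https://docs.npmjs.com/\n"
)

if __name__ == "__main__":
    for url, host in find_lookalike_links(SAMPLE_BODY):
        print(f"LOOKALIKE {host}: {url}")
```

The check deliberately treats the real support links as legitimate and only reports the typosquat, so a filter built on it does not fire on every message that mentions npm. The distance threshold is a trade-off: raising it catches more variants but also starts matching unrelated short domains.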

Technical Analysis Reveals Attack Infrastructure

A forensic examination of the phishing infrastructure reveals multiple security failures and indicators of malicious activity.

The attacks originated from IP address 45.9.148.108, hosted by Nice IT Customers Network through shosting-s0-n1.nicevps.net, a VPS service frequently associated with malicious campaigns.

Security scanners identified the sender’s IP address as compromised, with 27 abuse reports logged on AbuseIPDB and malicious flags from both VirusTotal and the Criminal IP databases.

Email authentication checks revealed complete failures across SPF, DKIM, and DMARC protocols, confirming the messages did not originate from npm’s legitimate servers.

The emails contained suspicious routing through private networks, including internal hops such as “phl-compute-02.internal [10.202.2.42],” and triggered multiple spam detection rules, including SPF_NONE, RDNS_NONE, and VFY_ACCT_NORDNS violations.
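The header signals listed above (SPF, DKIM and DMARC not passing, a spoofed From address, and relay hops through private address space) can be pulled out of a raw message automatically. The following is an added example, not code from the article or from any scanner it mentions: it parses the headers with Python's standard email module, reports each authentication result, compares the visible From domain with the Return-Path domain, lists private-address hops, and returns the origin IP for a reputation lookup. The raw message is constructed for illustration and reuses only the hostnames and addresses the article quotes; the Authentication-Results header is assumed to follow the usual RFC 8601 form.

```python
"""
Added example, not code from the article: triage the headers of a suspected
npm phishing message for the signals the article lists (SPF/DKIM/DMARC not
passing, a visible From that does not match the bounce address, and relay
hops through private address space) and pull out the origin IP for a
reputation lookup.

Assumptions (mine, not from the page): the raw message below is constructed
for illustration, reusing only the hostnames and addresses the article
quotes; the Authentication-Results header follows the usual RFC 8601 form.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (no real mail was captured for this example).
SAMPLE_RAW = """\
Return-Path: <bounce@npnjs.com>
Received: from phl-compute-02.internal (phl-compute-02.internal [10.202.2.42])
        by mx.example.test with ESMTP; Sat, 13 Dec 2025 09:59:58 +0000
Received: from shosting-s0-n1.nicevps.net (unknown [45.9.148.108])
        by phl-compute-02.internal with ESMTP; Sat, 13 Dec 2025 09:59:55 +0000
Authentication-Results: mx.example.test;
        spf=none smtp.mailfrom=npmjs.org;
        dkim=none;
        dmarc=fail header.from=npmjs.org
From: npm support <support@npmjs.org>
Subject: Action required: verify your npm account
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def auth_results(msg) -> dict:
    """Result of each authentication method, 'missing' if never reported."""
    found = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RE.findall(value):
            found.setdefault(method.lower(), result.lower())
    return {m: found.get(m, "missing") for m in ("spf", "dkim", "dmarc")}


def relay_ips(msg) -> list:
    """Bracketed IPs from Received headers, nearest hop first, origin last."""
    ips = []
    for value in msg.get_all("Received", []):
        ips.extend(IP_RE.findall(value))
    return ips


def domain_of(header_value) -> str:
    """Domain part of an address header, lower-cased ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def triage(raw: str) -> dict:
    """Summarise the message; 'findings' is empty when nothing looks wrong."""
    msg = message_from_string(raw)
    findings = []
    for method, result in auth_results(msg).items():
        if result != "pass":
            findings.append(f"{method} did not pass ({result})")
    header_from = domain_of(msg.get("From"))
    envelope_from = domain_of(msg.get("Return-Path"))
    if header_from and envelope_from and header_from != envelope_from:
        findings.append(
            f"From domain {header_from} does not match Return-Path domain {envelope_from}"
        )
    ips = relay_ips(msg)
    private_hops = [ip for ip in ips if ipaddress.ip_address(ip).is_private]
    if private_hops:
        findings.append("relayed through private address space: " + ", ".join(private_hops))
    return {
        "origin_ip": ips[-1] if ips else None,  # look this up in your reputation feeds
        "private_hops": private_hops,
        "findings": findings,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_RAW)
    print("origin IP:", report["origin_ip"])
    for finding in report["findings"]:
        print("-", finding)
```

Received headers are prepended by each relay, so the last one in the list is the earliest hop and the address to check against abuse databases; the ones above it are the intermediate relays. A message with all three authentication results passing and matching From and Return-Path domains produces an empty findings list.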

Critical Security Recommendations

npm accounts represent high-value targets due to their potential for supply chain attacks, where a single compromised maintainer account could inject malicious code into packages used by countless downstream projects.

The package registry has become a critical infrastructure component, making these attacks particularly dangerous.

Developers should immediately enable two-factor authentication on their npm accounts and use scoped access tokens instead of passwords for package publishing.

Any suspicious verification requests should be treated with extreme caution, as npm rarely initiates unsolicited email verification processes.

Organizations should implement robust email filtering, educate developers about the risks of typosquatting, and establish incident response procedures for suspected credential compromises.

If developers suspect their accounts may be compromised, they should immediately rotate all npm access tokens and review recent account activity.
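The recommendations above (2FA, tokens instead of passwords, rotation after a suspected compromise) can be turned into a repeatable check. The following is an added example, not from the article or from npm: audit_npmrc looks through an .npmrc for legacy password-style credentials or a token pasted in as a literal, and npm_harden_steps prints the real npm CLI commands for enabling 2FA, listing and revoking tokens, and creating a least-privilege one. The audit function, its patterns and the file paths are my own assumptions; the npm commands are the CLI's documented ones and are printed rather than executed because they need a logged-in session. Granular tokens scoped to specific packages are created in the npm web UI rather than from the CLI.

```shell
#!/bin/sh
# Added example, not from the article. audit_npmrc checks an .npmrc for
# password-style or hard-coded registry credentials; npm_harden_steps lists
# the real npm CLI commands for 2FA and token rotation (they need an
# interactive login, so they are printed, not run).
# Assumed: POSIX sh and grep; file paths are placeholders.

# audit_npmrc FILE -> 0 when clean, 1 when a risky credential line is found.
# Flags:   _auth= / _password=   legacy basic-auth (a password in a file)
#          _authToken=<literal>  a token pasted into the file
# Accepts: _authToken=${NPM_TOKEN}  token injected from the environment
audit_npmrc() {
    file="$1"
    status=0
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    if grep -Eq '^[^#]*(_auth|_password)=' "$file"; then
        echo "$file: legacy password-style credential (_auth/_password)" >&2
        status=1
    fi
    if grep -Eq '^[^#]*_authToken=[^$]' "$file"; then
        echo "$file: hard-coded token; use _authToken=\${NPM_TOKEN} instead" >&2
        status=1
    fi
    return $status
}

# Account hardening and token rotation steps, to run by hand while logged in.
npm_harden_steps() {
    cat <<'EOF'
npm profile enable-2fa auth-and-writes   # require 2FA for login and publish
npm token list                           # inventory every token on the account
npm token revoke <TOKEN_ID>              # rotate: revoke each unrecognised or old token
npm token create --read-only             # least-privilege classic token for CI installs
npm profile get                          # confirm 2FA mode and account details
EOF
}

# Usage: sh audit_npmrc.sh ~/.npmrc
if [ $# -gt 0 ]; then
    audit_npmrc "$1" && echo "$1: no risky credential lines"
    npm_harden_steps
fi
```

Keeping the token out of the file and reading it from the environment at publish time means a leaked dotfile or repository does not leak a publishing credential, and a revoke-and-reissue cycle after a suspected phishing click only touches the CI secret store.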

The npm security team has been notified of these attacks to help protect the broader developer community from similar threats.
