Saturday, January 17, 2026

npm Token Theft – Cybercriminals Exploit Widely Used Packages to Hijack Maintainers’ Credentials

In a dramatic escalation of supply chain threats against the JavaScript ecosystem, attackers have leveraged a typosquatted phishing site to steal npm maintainer tokens and inject malicious code into critical development tools.

The incident, first flagged by maintainers of the eslint-config-prettier repository, involved four unauthorized releases that were published without any corresponding commits or pull requests on GitHub.

These releases contained a Windows-specific payload that attempts to load a rogue DLL via rundll32, raising the stakes for projects that rely on Prettier and ESLint integrations in their continuous integration pipelines.

Malicious Payloads in Prettier-ESLint Integrations

The compromised packages include eslint-config-prettier versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7, as well as eslint-plugin-prettier versions 4.2.2 and 4.2.3. Attackers also targeted the synckit 0.11.9, @pkgr/core 0.2.8, and napi-postinstall 0.3.1 packages.

Install Hook Loads a Rogue DLL via rundll32

In each malicious release, the package's install script was modified to run a command that loads a file named node-gyp.dll through rundll32 on Windows systems.

When a developer or CI job runs npm install, the lifecycle hook fires automatically (unless scripts are disabled with --ignore-scripts), rundll32 loads the malicious DLL, and the attacker gains arbitrary code execution on the affected machine.

This approach bypasses code review entirely: the tampered code existed only in the published tarballs, and the GitHub repositories for these packages showed no unauthorized changes, so a review of the source tree would not have caught it.

Phishing Campaign via Typosquatted npm Domain

The investigation revealed that the attackers initially harvested npm authentication tokens through a phishing email that directed maintainers to npnjs.com, a convincing clone of the official npmjs.com site.

Once a maintainer entered their credentials, the fraudulent site captured them along with the associated npm token, which the attackers then used to publish the compromised package versions.

Threat actors systematically scrape npm’s public metadata, including maintainer emails and registration timestamps, to identify high-value targets and craft personalized phishing lures.

Because a release published with a stolen token is indistinguishable from one published by the maintainer, downstream users get no signal that anything is wrong until the new version is installed and examined.

Response and Mitigation

Maintainers of the affected packages responded swiftly, revoking the compromised npm token and rotating to a new one protected by two-factor authentication.

The malicious versions were marked as deprecated in npm’s registry to prevent automated tools such as Dependabot or Renovate from proposing them in pull requests.

Coordinated removals of the tainted releases were arranged with npm support, and maintainers urged the community to roll back to safe versions such as eslint-config-prettier 10.1.5 and eslint-plugin-prettier 4.2.1, clearing the npm cache and reinstalling dependencies afterwards.

Experts recommend that all developers audit their lockfiles and installed node_modules for these package versions, enable two-factor authentication (2FA) on npm accounts, and pin exact versions backed by a committed lockfile (installing with npm ci rather than npm install) so that a CI job never resolves a newly published release on its own. Pinning alone would not have protected anyone who had already picked up one of the bad versions before the compromise was known, so detection and rollback remain necessary.

As this incident demonstrates, an attacker needs only one successful phishing attempt to compromise an entire ecosystem.

Supply chain security solutions, including real-time dependency scanning and anomaly detection, are now more critical than ever to catch malicious activity before it spreads across thousands of projects.
