Supply Chain Attack on npm Packages via Maintainer Phishing

Type

Campaign

Actors

❓Unknown

Pub. date

July 20, 2025

Initial access

End-user compromise

Impact

Supply chain attack

Observed techniques

Phishing

Targeted technologies

npm PyPI

References

https://socket.dev/blog/npm-is-package-hijacked-in-expanding-supply-chain-attackhttps://invokere.com/posts/2025/07/scavenger-malware-distributed-via-num2words-pypi-supply-chain-compromise/

Status

Finalized

Last edited

Jul 30, 2025 2:15 PM

A phishing attack targeting a popular npm maintainer led to the compromise of several widely used packages, including eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, and others. The attacker stole the maintainer’s npm token via a spoofed email and used it to publish malicious versions that deploy Windows malware through a postinstall script. A follow-up investigation revealed additional compromised packages, including is, got-fetch, and even a PyPI package (num2words) distributing the Scavenger malware. Malicious DLLs were executed via rundll32 under a disguised function, evading most antivirus engines.