Type: Campaign
Actors:
Pub. date: July 20, 2025
Initial access: End-user compromise
Impact: Supply chain attack
Observed techniques:
References:
Status: Finalized
Last edited: Jul 30, 2025 2:15 PM

A phishing attack targeting a popular npm maintainer led to the compromise of several widely used packages, including eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, and others. The attacker stole the maintainer’s npm token via a spoofed email and used it to publish malicious versions that deploy Windows malware through a postinstall script. A follow-up investigation revealed additional compromised packages, including is, got-fetch, and even a PyPI package (num2words) distributing the Scavenger malware. Malicious DLLs were executed via rundll32 under a disguised function, evading most antivirus engines.