Type: Campaign
Actors: Unknown
Pub. date: July 20, 2025
Initial access: End-user compromise
Impact: Supply chain attack
Observed techniques: Phishing
Targeted technologies: npm, PyPI
References:
https://socket.dev/blog/npm-is-package-hijacked-in-expanding-supply-chain-attack
https://invokere.com/posts/2025/07/scavenger-malware-distributed-via-num2words-pypi-supply-chain-compromise/
https://github.com/advisories/GHSA-f29h-pxvx-f335
https://blog.pypi.org/posts/2025-07-31-incident-report-phishing-attack/
Status: Finalized
Last edited: Oct 8, 2025 12:49 PM
A phishing attack targeting a popular npm maintainer led to the compromise of several widely used packages, including eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, and others. The attacker stole the maintainer’s npm token via a spoofed email and used it to publish malicious versions that deploy Windows malware through a postinstall script. A follow-up investigation revealed additional compromised packages, including is, got-fetch, and even a PyPI package (num2words) distributing the Scavenger malware. Malicious DLLs were executed via rundll32 under a disguised function, evading most antivirus engines.