
Cybersecurity researchers have warned of a supply chain attack targeting popular npm packages via a phishing campaign designed to steal npm tokens from project maintainers.
Using the stolen tokens, the attackers published malicious versions of the packages directly to the registry, without any corresponding source code commits or pull requests in their respective GitHub repositories.
According to Socket, the affected packages and their rogue versions are listed below:
eslint-config-prettier (versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7)
eslint-plugin-prettier (versions 4.2.2 and 4.2.3)
synckit (version 0.11.9)
@pkgr/core (version 0.2.8)
napi-postinstall (version 0.3.1)

“The injected code could attempt to run the DLL on a Windows machine, allowing remote code to be executed,” the software supply chain security company said.
This development comes in the aftermath of a phishing campaign that sent email messages impersonating npm to trick project maintainers into clicking a typosquatted link ("npnjs[.]com", as opposed to "npmjs[.]com") that harvested their credentials.
The digital missive, bearing the subject "Please check your email address", spoofed a legitimate email address associated with npm ("support@npmjs[.]org") and prompted recipients to click the embedded link to verify their email address.
The fake landing page to which victims are redirected is, according to Socket, a clone of the legitimate npm login page designed to capture credentials.
Developers using the affected packages are advised to cross-check their installed versions and roll back to a safe version. Project maintainers are recommended to turn on two-factor authentication to protect their accounts and to use scoped tokens instead of passwords to publish packages.
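One way to do that cross-check against a project's package-lock.json, as an added example that is not part of the article or Socket's tooling: the version list is the one reported above, the sample lockfile is constructed here, and a lockfile path is assumed to follow npm's lockfileVersion 1, 2 or 3 layout.

```python
import json
from typing import Dict, List, Set, Tuple

# Compromised versions as listed in the Socket report above.
COMPROMISED: Dict[str, Set[str]] = {
    "eslint-config-prettier": {"8.10.1", "9.1.1", "10.1.6", "10.1.7"},
    "eslint-plugin-prettier": {"4.2.2", "4.2.3"},
    "synckit": {"0.11.9"},
    "@pkgr/core": {"0.2.8"},
    "napi-postinstall": {"0.3.1"},
}

def package_name(path: str) -> str:
    """Package name from a lockfile 'packages' key, including nested copies:
    'node_modules/a/node_modules/@s/b' -> '@s/b'."""
    return path.rsplit("node_modules/", 1)[-1]

def find_compromised(lockfile_text: str) -> List[Tuple[str, str, str]]:
    """Return (lockfile_path, name, version) for every installed copy of a
    compromised version. Reads lockfileVersion 2/3 ('packages', which lists
    nested copies too) and falls back to lockfileVersion 1 ('dependencies')."""
    lock = json.loads(lockfile_text)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = meta.get("name") or package_name(path)
        if meta.get("version", "") in COMPROMISED.get(name, set()):
            hits.append((path, name, meta["version"]))
    if "packages" not in lock:
        for name, meta in lock.get("dependencies", {}).items():
            if meta.get("version", "") in COMPROMISED.get(name, set()):
                hits.append(("node_modules/" + name, name, meta["version"]))
    return sorted(hits)

# Constructed sample lockfile (not from the article): two safe versions,
# one bad top-level copy and one bad copy nested under another package.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "version": "1.0.0"},
        "node_modules/eslint-config-prettier": {"version": "10.1.5"},
        "node_modules/eslint-plugin-prettier": {"version": "4.2.3"},
        "node_modules/eslint-plugin-prettier/node_modules/synckit": {"version": "0.11.9"},
        "node_modules/@pkgr/core": {"version": "0.2.7"},
    },
})

if __name__ == "__main__":
    for path, name, version in find_compromised(SAMPLE_LOCK):
        print(f"COMPROMISED {name}@{version} at {path}")
```

Run it against a real lockfile with `find_compromised(open("package-lock.json").read())`; an empty result means none of the listed versions is installed, not that the tree is otherwise clean.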
"This incident shows how quickly phishing attacks against maintainers can escalate into an ecosystem-wide threat," Socket said.
The findings coincide with an unrelated campaign that flooded npm with 28 packages that can disable mouse-based interactions on websites with Russian or Belarusian domains. They are also designed to play the Ukrainian national anthem on a loop.
However, the attack only works if the site visitor's browser language is set to Russian and, in some cases, only when the same website is visited a second time, meaning that only repeat visitors are targeted. The activity marks an expansion of a campaign that was first flagged last month.
"The protestware highlights that actions taken by developers can propagate unnoticed through nested dependencies and can take days or weeks to manifest," said security researcher Olivia Brown.
Arch Linux Removes 3 AUR Packages That Installed Chaos RAT Malware

The Arch Linux team also said it had pulled three malicious packages uploaded to the Arch User Repository (AUR) that installed a remote access trojan called Chaos RAT from a GitHub repository; the packages have since been removed.
The affected packages are "librewolf-fix-bin", "firefox-patch-bin", and "zen-browser-patched-bin". They were published on July 16, 2025 by a user named "danikpapas".
"These packages installed scripts that came from the same GitHub repository, which were identified as remote access trojans (RATs)," the maintainers said. "We strongly recommend that anyone who installed any of these packages remove them from the system and take the necessary measures to avoid compromise."