Fake npm Website Used to Push Malware via Stolen Token

A phishing campaign targeting JavaScript developers has led to the compromise of several popular npm packages, including eslint-config-prettier. The breach began with an attacker tricking a maintainer using a fake login page hosted on a lookalike domain, npnjs.com.
Once the attacker got hold of the maintainer’s npm token, they pushed malicious versions of key packages directly through the registry, completely bypassing the GitHub repositories.
According to Socket, a developer-first security platform that first spotted the scam, four versions of eslint-config-prettier (8.10.1, 9.1.1, 10.1.6, 10.1.7) were found to contain a script that executes on install, targeting Windows machines. The script attempts to launch a node-gyp.dll file using rundll32, which could allow the attacker to execute arbitrary code on affected systems. Security researchers assigned the issue a CVSS score of 7.5 and confirmed that a new CVE (CVE-2025-54313) is being tracked.
Socket’s blog post shared with Hackread.com revealed that the attack went undetected for a while since there were no commits or pull requests in the GitHub repo linked to the new versions.
Instead, the attacker relied on their npm credentials to publish directly, avoiding detection until users started noticing suspicious activity. Other affected packages discovered by researchers included the following:
synckit: 0.11.9
@pkgr/core: 0.2.8
napi-postinstall: 0.3.1
eslint-plugin-prettier: 4.2.2 and 4.2.3
These packages are widely used in front-end and Node.js projects. Because many developers rely on automated tools like Dependabot or Renovate, compromised versions may have been pulled into projects without anyone noticing. Once installed, the payload could provide remote access to Windows machines running affected builds.
The good news is that the maintainer whose token was compromised acted quickly after learning of the breach. The malicious versions were deprecated and removed, credentials were rotated, and npm support was brought in to assist with the cleanup.
Socket has been monitoring the situation and continues to scan for other suspicious activity across the npm registry. Their tools flag any new versions with unexpected install scripts or binary payloads, which could help developers detect issues early before the malicious code spreads.
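One way a project could apply the same idea to its own dependency tree, as an added example that is not Socket's tooling or code from the article: audit an npm lockfile (lockfileVersion 2 or 3) for the compromised releases listed above and for any dependency that gained an install-time script since the previous lockfile. The `hasInstallScript` flag is the field npm writes for packages with preinstall/install/postinstall scripts; the sample lockfiles are constructed.

```javascript
// Compromised releases named in the article (package name -> versions).
const COMPROMISED = {
  "eslint-config-prettier": ["8.10.1", "9.1.1", "10.1.6", "10.1.7"],
  "synckit": ["0.11.9"],
  "@pkgr/core": ["0.2.8"],
  "napi-postinstall": ["0.3.1"],
  "eslint-plugin-prettier": ["4.2.2", "4.2.3"],
};

// Derive the package name from a lockfile "packages" key such as
// "node_modules/@pkgr/core" or "node_modules/a/node_modules/b".
function nameFromPath(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Compare the new lockfile against the previous one and report
// (a) pinned versions on the compromised list and
// (b) packages whose install-time script was not present before.
function auditLockfile(newLock, oldLock = { packages: {} }) {
  const findings = [];
  const previous = oldLock.packages || {};
  for (const [path, entry] of Object.entries(newLock.packages || {})) {
    if (path === "") continue; // the root project itself
    const name = entry.name || nameFromPath(path);
    const version = entry.version;
    if ((COMPROMISED[name] || []).includes(version)) {
      findings.push({ name, version, reason: "known compromised release" });
    }
    const before = previous[path];
    if (entry.hasInstallScript && !(before && before.hasInstallScript)) {
      findings.push({ name, version, reason: "install script absent from previous lockfile" });
    }
  }
  return findings;
}

// Constructed sample: OLD_LOCK is the committed lockfile, NEW_LOCK the result
// of an automated dependency update that pulled in two of the bad releases.
const OLD_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/eslint-config-prettier": { version: "10.1.5" },
  "node_modules/synckit": { version: "0.11.8" },
} };
const NEW_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/eslint-config-prettier": { version: "10.1.7", hasInstallScript: true },
  "node_modules/synckit": { version: "0.11.9" },
} };

for (const f of auditLockfile(NEW_LOCK, OLD_LOCK)) {
  console.log(`${f.name}@${f.version}: ${f.reason}`);
}
```

In a real pipeline the two inputs would be the lockfile from the base branch and the one proposed by the update bot, and any finding would fail the check before `npm install` runs.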
Nigel Douglas, Head of Developer Relations at Cloudsmith, commented on the wider implications. He pointed out that this is yet another example of how dependency chains can turn into attack vectors. “CI/CD pipelines pull in hundreds of transitive dependencies by default, each with its own maintainers, update cycles, and exposure history,” he said. “Without secure dependency retrieval processes, it only takes one upstream breach to cause chaos in production.”
Douglas also stressed that it’s unreasonable to expect developers to catch every vulnerability on their own. “If a single stolen maintainer token can push malicious code into one of the most widely used linting tools on npm, that should tell us something. You can’t fix this just by focusing on individual packages,” he added.
He called for stronger maintainer practices like scoped tokens and 2FA, along with registry-level safeguards and secure artifact management systems that support things like version immutability and trusted source verification.
HackRead