Redazione RHC : 28 July 2025 11:24
The compromise of “is”, a widely used JavaScript library, has put millions of projects worldwide at risk. The package has been a fundamental, yet largely unnoticed, component of the Node.js ecosystem for years. It is precisely this lightweight utility for type checking and value validation that has become the latest victim of a supply chain attack, and this time the consequences are potentially far-reaching.
The incident began with a phishing campaign in which attackers stole the npm credentials of package maintainers. After gaining access, they quietly took over maintainer rights on the project and published malicious versions 3.3.1 through 5.0.0 of the library. According to Jordan Harband, the package’s lead maintainer, the infected builds remained publicly available for approximately six hours, during which time thousands of developers could have downloaded them.
The scale of the distribution is particularly alarming: “is” is pulled in, often transitively, by a wide range of projects, from build systems and CLI tools to test libraries. According to npm, the package is downloaded more than 2.8 million times a week. Automatic dependency updates and the absence of lockfiles or pinned versions significantly increased the chance that downstream projects picked up a malicious build, especially in large dependency trees.
Socket’s analysis showed that the malicious code in “is” was a lightweight JavaScript loader. It opened an outbound WebSocket connection to the attacker’s server, collected system data (hostname, operating system type, CPU architecture, and the full set of environment variables, which on CI runners frequently contain tokens and other secrets), and sent it via a dynamically imported ws library. Every message arriving over the socket was executed as JavaScript code, giving the attacker remote code execution on the affected machine.
At the same time, other compromised packages in the same campaign distributed a Windows-centric malware called Scavenger. This information stealer collected credentials saved by browsers and maintained covert communication with its command-and-control server. Its evasion techniques included indirect system calls and encrypted C2 channels. In some cases, however, Scavenger triggered warnings from Chrome because of its attempts to manipulate the browser’s security flags.
The list of affected packages, in addition to “is”, includes: eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall, and got-fetch. All received malicious updates between July 18 and 19, 2025, indicating a coordinated operation using pre-built tooling. The centrepiece of the phishing campaign was the look-alike domain npnjs[.]com, a typosquat of npmjs.com, which the attackers used to trick legitimate maintainers into entering their login credentials and tokens.
Experts warn that the attack may not be limited to the cases already known: the attackers have likely harvested additional credentials and may soon publish further malicious builds. Maintainers are strongly advised to reset their passwords and revoke and reissue their npm tokens immediately; consumers should disable automatic dependency updates, commit lockfiles and install from them (for example with npm ci rather than npm install, which may otherwise resolve newer versions), and pin dependencies to versions published before July 18 until the affected releases have been identified.
The “is” incident once again exposes the fragility of the trust model that underpins the entire open source ecosystem. A single compromised package can open a backdoor into thousands of enterprise and consumer systems, and nobody notices until it is too late.