More popular npm packages hijacked to spread malware

  • A npm package maintainer has fallen victim to a phishing attack
  • The attackers accessed packages and updated them to carry malware
  • Most antivirus programs are still not properly flagging the malicious DLL

Several popular npm packages with millions of weekly downloads were targeted, and one used as a launchpad for malware deployment, when its maintainer fell prey to a phishing attack.

JounQin is a software developer that maintains eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, and napi-postinstall.

These packages help integrate and streamline code formatting with Prettier and ESLint, manage async-to-sync tasks in Node.js, handle native binary installs, and support core utilities for bundling workflows.

Publishing a clean version

Prettier is a code formatting tool that enforces consistent style by automatically reformatting source code. ESLint, on the other hand, is a static code analysis tool that scans JavaScript and TypeScript code for bugs, style issues, and potential security flaws without running the code.

They recently received an email that spoofed the support@npmjs.com account, and which asked them to “verify” their account. They did so, and thus gave the attackers their login credentials. When the attackers gained access, they used it to install versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7 of the eslint-config-prettier package. The community quickly spotted something was amiss, and notified the developer.

It was determined the malicious version runs a postinstall script as soon as it is installed. This script tries to execute a DLL via the rundll32 Windows system process which is now being flagged as a trojan.

The majority of antivirus programs are still not flagging this .DLL as malware. So far, just 19 out of 72 engines are detecting this DLL as malicious.

“I’ve deleted that npm token and will publish a new version ASAP,” JounQin said after realizing they were compromised. “Thanks all, and sorry for my negligence.”

Here is a list of the malicious packages which should be avoided:

eslint-config-prettier versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7.

eslint-plugin-prettier versions 4.2.2 and 4.2.3.

synckit version 0.11.9

@pkgr/core version 0.2.8

napi-postinstall version 0.3.1

Via BleepingComputer

You might also like

Related Articles

Sem imagem AI and automation are here to settle ROI questions of analytics
Sem imagem Elma
Sem imagem Auralix
Sem imagem Nearly 2 million people watched this spellbinding video of a mini PC being built from a slab of aluminium to a complete computer

Request data export

Use this form to request a copy of your data on this website.

Request data removal

Use this form to request removal of your data from this website.

Request data rectification

Use this form to request the rectification of your data on this website. Here you can correct or update your data, for example.

Request unsubscribe

Use this form to request to unsubscribe your email from our email lists.