Starting on July 19th, 2025, an npm supply chain security incident has been targeting maintainers of popular open-source packages on the npm registry.
The TL;DR on the npm malware
- Attackers registered the domain npnjs.com, a typosquatted look-alike of the official npmjs.com registry domain
- Maintainers fell victim to an email phishing campaign that hijacked their npm registry credentials
- Impacted packages: eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall and got-fetch
- Maintainers have reset their npm tokens and deprecated the malicious versions, and the npm registry has since removed those versions
Example advisory from Snyk Vulnerability Database for the malicious got-fetch version:
The eslint-config-prettier package alone sits at 30,000,000 downloads a week as of today and has been steadily growing in adoption, which gives a sense of the potential blast radius of this malware.
About the Prettier plugins npm attack
Publishing packages to the official npmjs.com registry requires an account with a valid e-mail address, and once a package is published that e-mail is openly and widely available for anyone to review.
For example, here is the information about my own npq package, demonstrating how easy it is to grab maintainer emails:
The above isn’t news. Attackers can use this information to scan for potential weaknesses such as:
- Expired email domains, which they can buy and then run a password reset flow against to gain access and publish new versions
- Spear-phishing targets via email to steal their npm token credentials
The latter is exactly the route the attackers took in this recent attack: they fooled maintainers into going through an email flow that harvested their credentials to the npm registry. With those registry credentials in hand, the attackers can publish new versions of these packages on the maintainers’ behalf.
This is exactly the scenario that played out, with eslint-config-prettier as one reference package: several infected versions carrying Windows-based malware were published under its name.
The maintainer has confirmed this and provided evidence on the ESLint Config Prettier plugin GitHub page, showing the email they received:
Viral infection
What happens when malware hits one maintainer? It is not hard for it to spread to other maintainers, who get compromised simply by installing one popular malicious version after it has been published.
This is indeed what unfolded. The repercussions of the eslint-config-prettier malware, even though it was published for only a short period of time, have already reached other maintainers, namely those of the npm package `is`. As a result, versions 3.3.1 and 5.0.0 of the `is` package have been flagged as malware. This has since been remediated (as of July 19th, 9:21PM UTC+3) and a fixed 3.3.2 version has been published. Resetting that package took 6 hours according to its maintainer, Jordan Harband.
How to protect yourself from npm supply chain attacks
First, initiate the following incident response steps:
- Ensure you are not using any known-malicious versions of the packages mentioned in this incident, and verify that they were not installed on your CI systems, in your production deployments, or in your developer teams’ environments.
- If you find an infected version, rotate secrets, audit your company’s internal and external package registry assets, and follow your internal security team’s guidelines.
As a proactive security measure, I recommend the following best practices, both for maintainers and for developers who want to shield themselves from future malware incidents:
- Turn on 2FA for your npm registry account, especially as a maintainer, where the blast radius is significantly higher
- Use the open-source CLI npq to run heuristics on npm packages before you install them
- Add `ignore-scripts=true` to your user-scoped `.npmrc` configuration file so that `postinstall` scripts are not executed automatically upon installation
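The last recommendation has a subtlety worth scripting around: npm reads several `.npmrc` files, and a project-level `.npmrc` in a checked-out repository overrides the user-level one, so a repository that ships `ignore-scripts=false` quietly re-enables install scripts on your machine. The example below is added for this post and is not code from npm or from npq. It resolves the effective `ignore-scripts` value using that precedence (project over user over npm's default of false), and lists the install-time lifecycle hooks (`preinstall`, `install`, `postinstall`) that a set of dependency manifests would run, so the commands can be reviewed before scripts are allowed. The manifests and `.npmrc` contents are constructed for the demonstration; the package names in them are not real packages.

```javascript
// Added example (not from the original post, npm, or npq): resolve whether
// ignore-scripts is in effect, and enumerate the install-time hooks a
// dependency tree declares.

// Hooks npm runs for a dependency installed from the registry.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Minimal parser for the ini-style .npmrc: "key = value" lines, '#' or ';'
// comment lines. Returns a Map of keys to raw string values.
function parseNpmrc(text) {
  const config = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    config.set(line.slice(0, eq).trim(), line.slice(eq + 1).trim());
  }
  return config;
}

// Effective ignore-scripts for a checkout: the project-level file wins over
// the user-level file, and npm's default is false. (CLI flags and npm_config_*
// environment variables rank even higher and are not modelled here.)
function effectiveIgnoreScripts(projectNpmrc, userNpmrc) {
  for (const text of [projectNpmrc, userNpmrc]) {
    const value = parseNpmrc(text).get('ignore-scripts');
    if (value !== undefined) return value.toLowerCase() === 'true';
  }
  return false;
}

// Given package.json manifests keyed by install path, list every install-time
// hook with the command it would run.
function collectInstallScripts(manifests) {
  const hooks = [];
  for (const [location, manifest] of Object.entries(manifests)) {
    const scripts = manifest.scripts || {};
    for (const hook of INSTALL_HOOKS) {
      if (typeof scripts[hook] === 'string' && scripts[hook].trim() !== '') {
        hooks.push({ name: manifest.name, version: manifest.version, location, hook, command: scripts[hook] });
      }
    }
  }
  return hooks;
}

// Constructed manifests (not real packages): a native addon that legitimately
// builds on install, a package with no hooks, and one that runs an arbitrary
// script file on postinstall, which is the pattern ignore-scripts=true blocks.
const SAMPLE_MANIFESTS = {
  'node_modules/example-native-addon': {
    name: 'example-native-addon', version: '1.2.3',
    scripts: { install: 'node-gyp rebuild', test: 'node test.js' },
  },
  'node_modules/example-plain': {
    name: 'example-plain', version: '2.0.0',
    scripts: { test: 'jest' },
  },
  'node_modules/example-dropper': {
    name: 'example-dropper', version: '0.0.1',
    scripts: { postinstall: 'node install.js' },
  },
};

// Constructed .npmrc contents for the demonstration.
const USER_NPMRC = '# ~/.npmrc\nignore-scripts=true\n';
const PROJECT_NPMRC_OVERRIDE = 'ignore-scripts = false\n';

console.log('ignore-scripts in effect (user file only):', effectiveIgnoreScripts('', USER_NPMRC));
console.log('ignore-scripts in effect (project override):', effectiveIgnoreScripts(PROJECT_NPMRC_OVERRIDE, USER_NPMRC));
for (const h of collectInstallScripts(SAMPLE_MANIFESTS)) {
  console.log(`${h.name}@${h.version} ${h.hook}: ${h.command}`);
}
```

With scripts disabled globally, packages that genuinely need a build step (native addons) will fail to work until you run their install script deliberately, for example with `npm rebuild <name>` after reviewing the command the hook enumeration printed. That trade-off is the point: the script runs only after a human has looked at it.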
This npm supply chain attack highlights the critical need for robust security measures. To deepen your understanding of these threats and learn proactive strategies to protect your projects, explore the Snyk Learn lesson on supply chain attacks.