Popular npm Package Compromised After Phishing Scam
In a significant cybersecurity incident, the popular npm package "eslint-config-prettier" was compromised on July 18. The potential impact was substantial, given the package's 36 million weekly downloads.
The tampered files contained a script designed to drop the Scavenger remote access Trojan (RAT) on Windows systems. This compromise occurred after the maintainer fell victim to a phishing campaign, which targeted npm maintainers through emails spoofing the official support address.
More than 14,000 projects declare eslint-config-prettier as a direct dependency, creating an avenue for downstream compromises. Organizations that used automated updates, particularly those relying on tools like Renovate and Dependabot, were hit harder. Over 14,000 packages, including some managed by well-known companies, received infected versions due to these automated update processes.
Several repositories, including one managed by the European e-bike company Dott, were found to have automatically pulled in malicious versions. Even a Microsoft-owned repository was affected, according to ReversingLabs, which detected 46 projects that installed the compromised version during the attack window.
The attack was reported by ReversingLabs' automated detection system and the Socket research team on the same day. The compromised versions were available for less than two hours before they were removed.
Dependency hygiene is crucial in modern software development to mitigate the risks of supply chain attacks. Configuring build workflows to prevent unnecessary installations in production and separating dependencies from devDependencies can help prevent such incidents.
Automated tools like GitHub's Dependabot can open and merge pull requests to update dependencies without human review. However, merging such automated pull requests without manual review is inadvisable, because it can install a malicious version before anyone has looked at it.
Cautious automation is emphasized as a key safeguard against such attacks. Delaying non-critical updates can also help prevent the installation of malicious versions. Organizations using self-hosted runners may have faced greater risks due to the npm package compromise.
Victims were lured to a fake npm site with tokenized URLs. The attack serves as a reminder of the importance of maintaining vigilance and security practices in the digital world.