Popular JavaScript libraries were hijacked this week and turned into malware droppers, in a supply chain attack achieved via targeted phishing and credential theft.
The npm package eslint-config-prettier, downloaded over 30 million times weekly, was compromised after its maintainer fell victim to a phishing attack. Other packages, namely eslint-plugin-prettier, synckit, @pkgr/core, and napi-postinstall from the same maintainer, were also targeted.
The attacker(s) used stolen credentials to publish multiple unauthorized versions of the packages with malicious code to infect Windows machines.
Maintainer phished, libraries compromised
On July 18th, developers began noticing unusual behavior after installing versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7 of eslint-config-prettier. These versions had been published to the npm registry with no corresponding commits or tags in the GitHub repository to corroborate the releases, which raised immediate suspicion within the open-source community.
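The two checks that matter here are "is one of the named versions in my lockfile?" and "does every version on the registry have a matching release in git?" The script below is an added example, not code from the eslint-config-prettier project or from the article; the lockfile, registry version list and git tag list are constructed inline so it runs offline. Only the eslint-config-prettier versions the article names are listed; the other packages mentioned above were also hit, but their affected versions are not stated on this page and should be filled in from the official advisory rather than guessed.

```javascript
// Added example (not from the article or the project): flag compromised
// versions in a package-lock.json and registry versions with no git tag.
// All sample data below is constructed for illustration.

// Versions the article names as compromised. Other affected packages
// (eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall) are
// not listed here because this page does not give their versions.
const COMPROMISED = {
  "eslint-config-prettier": new Set(["8.10.1", "9.1.1", "10.1.6", "10.1.7"]),
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
// Lockfile v2/v3 keys are install paths, so take the last node_modules segment.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Walk the "packages" map of a v2/v3 lockfile and return every install
// (including nested copies) whose version is on the compromised list.
function findCompromisedInstalls(lockfile, compromised = COMPROMISED) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = packageNameFromPath(path);
    const bad = name && compromised[name];
    if (bad && bad.has(entry.version)) {
      hits.push({ name, version: entry.version, path });
    }
  }
  return hits;
}

// Registry versions with no matching git tag ("1.2.3" or "v1.2.3") are the
// signal that exposed this incident: releases that exist only on npm.
function versionsWithoutTag(registryVersions, gitTags) {
  const tagged = new Set(gitTags.map((t) => t.replace(/^v/, "")));
  return registryVersions.filter((v) => !tagged.has(v));
}

// Constructed sample lockfile: one hoisted compromised install, one nested
// clean install, one unrelated package.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/eslint-config-prettier": { version: "10.1.7" },
    "node_modules/eslint-plugin-prettier/node_modules/eslint-config-prettier": {
      version: "9.1.0",
    },
    "node_modules/prettier": { version: "3.3.3" },
  },
};

// Constructed registry metadata and git tags for the same package.
const SAMPLE_REGISTRY_VERSIONS = ["10.1.5", "10.1.6", "10.1.7"];
const SAMPLE_GIT_TAGS = ["v10.1.4", "v10.1.5"];

if (typeof require !== "undefined" && require.main === module) {
  console.log("compromised installs:", findCompromisedInstalls(SAMPLE_LOCKFILE));
  console.log(
    "registry versions without a git tag:",
    versionsWithoutTag(SAMPLE_REGISTRY_VERSIONS, SAMPLE_GIT_TAGS)
  );
}
```

In practice you would feed `findCompromisedInstalls` the parsed `package-lock.json` of each repository and `versionsWithoutTag` the `versions` keys from `https://registry.npmjs.org/<package>` together with `git tag` output from the upstream repository; the tag-normalisation only strips a leading `v`, so adjust it if a project uses a different tag convention.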
Libraries like eslint-config-prettier and eslint-plugin-prettier make it easier for developers to use Prettier and ESLint together: they disable or adjust the ESLint rules that would conflict with Prettier's formatting, so code style stays consistent across a project without conflicting or redundant linting.
Developer Dasa Paddock initially raised a GitHub issue in the project's repository shedding light on the matter and community members quickly chimed in.
Shortly afterward, the package's maintainer, JounQin, confirmed that he had fallen victim to a phishing attack. This allowed an unauthorized party to gain access to his npm token and publish the compromised versions.
"It's this phishing email," wrote JounQin, sharing a screenshot of a convincing "Verify your account" email he had received:
Phishing email received by npm library's maintainer (JounQin)