Scavenger: the software supply chain wake-up call
Author: Dan Bradley
Recent supply chain attacks have shaken developer trust and exposed a little-discussed threat: phishing aimed not at your own staff, but at the maintainers of the packages you depend on.
One such campaign, dubbed “Scavenger”, used a typo-squatted domain (npnjs.com) to impersonate NPM. A phishing email led maintainers to generate long-lived access tokens; because such tokens are not protected by 2FA, the attackers could publish with them without ever passing a second-factor check. They used the tokens to push malicious versions of legitimate packages, injecting credential-stealing malware that reached every downstream consumer who picked up the new versions.
The payload targets Chrome, extracting stored credentials and exfiltrating them to the attacker. Developers are usually logged into source control, CI, cloud consoles and other sensitive systems through their browser, so a single compromised developer machine can hand the attacker access to all of them.
Packages known to be affected:
- eslint-config-prettier (8.10.1, 9.1.1, 10.1.6, 10.1.70)
- eslint-plugin-prettier (4.2.2, 4.2.3)
- synckit (0.11.9)
- @pkgr/core (0.2.8)
- napi-postinstall (0.3.1)
- got-fetch (5.1.11, 5.1.12)
- is (3.3.1, 5.0.0)
Immediate actions
- Audit dependencies, including transitive ones recorded in your lockfile, for the affected versions and upgrade urgently. Treat any machine that installed an affected version as compromised: rotate credentials saved in its browser and any sessions it held.
Medium term actions
- Adopt package scanning tools (Trivy from Aqua Security, Snyk, etc.). Note that they flag versions already known to be bad, so pair them with a committed lockfile and reproducible installs (for npm, `npm ci` rather than `npm install`) so a freshly published malicious version cannot slip in through a loose version range before the scanners catch up.
- Re-evaluate package approval workflows: each dependency, direct or transitive, introduces exposure, and the maintainer behind it is part of your attack surface.
Lesson
Don’t underestimate the human factor. We all receive phishing training but what happens when the phish isn’t aimed at your staff, but a maintainer you rely on? If your systems depend on third-party packages, your exposure includes every person behind those dependencies.