Malware Injected into 6 npm Packages After Maintainer Tokens Stolen in Phishing Attack
Briefly

Cybersecurity researchers have revealed a supply chain attack on popular npm packages that began with a phishing campaign aimed at stealing maintainers' npm tokens. The attackers used the stolen tokens to publish unauthorized versions of the packages directly to the registry, with no corresponding commits or pull requests on GitHub. Affected packages include eslint-config-prettier and eslint-plugin-prettier, among others. The phishing messages carried typosquatted links designed to mimic npm's legitimate communications and led to a cloned login page that captured users' credentials. Developers are urged to check the package versions they have installed and to adopt protections such as two-factor authentication and scoped tokens.
The captured tokens were then used to publish malicious versions of the packages directly to the registry without any source code commits or pull requests on their respective GitHub repositories.
The injected code attempted to execute a DLL on Windows machines, potentially allowing remote code execution.
The bogus landing page to which the victims are redirected is a clone of the legitimate npm login page that's designed to capture their login information.
This incident shows how quickly phishing attacks on maintainers can escalate into ecosystem-wide threats.
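The summary above advises developers to check which versions of the affected packages they have installed. The following added example (not code from The Hacker News article or from the affected projects) shows one way to do that offline: scan an npm lockfile (the `packages` map of lockfileVersion 2/3) for every occurrence of a watched package, including nested copies under other dependencies, and flag any resolved version on a block list. The block-list version strings are placeholders, since the compromised version numbers are not on this page; the lockfile fragment is constructed for the demonstration.

```javascript
// Added example: audit an npm lockfile for known-bad versions of watched packages.
// This is not code from the article or from the affected projects.

// PLACEHOLDER block list: package name -> set of compromised versions.
// Replace the placeholder strings with the versions named in the vendor advisory.
const BLOCKLIST = {
  "eslint-config-prettier": new Set(["0.0.0-placeholder-bad"]),
  "eslint-plugin-prettier": new Set(["0.0.0-placeholder-bad"]),
};

// A lockfile "packages" key looks like "node_modules/<name>" or, for nested
// copies, "node_modules/<parent>/node_modules/<name>". Scoped packages keep
// their "@scope/" prefix. The root project entry has the empty key "".
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  if (idx === -1) return null;
  return key.slice(idx + marker.length);
}

// Walk every package entry and return those whose resolved version is blocked.
// Nested copies are reported separately so each install location is visible.
function findBlockedPackages(lockfile, blocklist = BLOCKLIST) {
  const hits = [];
  const packages = lockfile.packages || {};
  for (const [key, entry] of Object.entries(packages)) {
    const name = packageNameFromKey(key);
    if (!name || !blocklist[name]) continue;
    if (blocklist[name].has(entry.version)) {
      hits.push({ name, version: entry.version, path: key });
    }
  }
  return hits;
}

// Convenience wrapper for raw package-lock.json text read from disk.
function scanLockfileText(text, blocklist = BLOCKLIST) {
  return findBlockedPackages(JSON.parse(text), blocklist);
}

// Constructed lockfile fragment in the lockfileVersion 3 shape (sample data).
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/eslint-config-prettier": { version: "0.0.0-placeholder-bad" },
    "node_modules/eslint-plugin-prettier": { version: "5.0.0" },
    "node_modules/some-tool/node_modules/eslint-plugin-prettier": {
      version: "0.0.0-placeholder-bad",
    },
    "node_modules/@scope/unrelated": { version: "2.1.0" },
  },
};

// Render findings as one line per hit, suitable for a CI log.
function formatReport(hits) {
  if (hits.length === 0) return "OK: no blocked package versions found";
  return hits
    .map((h) => `BLOCKED: ${h.name}@${h.version} at ${h.path}`)
    .join("\n");
}

console.log(formatReport(findBlockedPackages(SAMPLE_LOCK)));
```

In a real pipeline, read `package-lock.json` (or `npm-shrinkwrap.json`) from disk and pass its text to `scanLockfileText`; a non-empty result should fail the build. Scanning the lockfile rather than `package.json` matters because the compromised versions could be pulled in transitively, and the nested-copy case above shows why every `node_modules` path is checked rather than only top-level entries.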
Read at The Hacker News