More popular npm packages hijacked to spread malware
Briefly

An npm package maintainer, JounQin, was targeted in a phishing attack, resulting in malware being injected into several popular packages like eslint-config-prettier. Attackers used the compromised account to publish malicious versions that contained a postinstall script executing a DLL, which is being flagged as a trojan. Most antivirus programs fail to detect this threat, with only 19 out of 72 engines identifying the DLL as malicious. JounQin responded by deleting the npm token and planning to publish a secure version quickly.
Several popular npm packages with millions of weekly downloads were targeted. The maintainer fell prey to a phishing attack, allowing attackers to inject malware.
Once the attackers gained access, they published versions of the eslint-config-prettier package that included a postinstall script to execute a malicious DLL.
The malicious version of the package tries to execute the DLL, which some antivirus programs flag as a trojan, via the Windows rundll32 system process.
Currently, only 19 out of 72 antivirus engines are detecting this DLL as malicious, raising concerns over security vulnerabilities in the npm ecosystem.
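
The check below is an added example, not code from the article or from the affected packages: it lists every install-time lifecycle hook in a node_modules tree and flags hooks whose command, or the local script it starts, mentions rundll32. The package name, file name and script content in SAMPLE are constructed.

```javascript
// Added example (not from the article): audit npm install-time hooks for rundll32.
const HOOKS = ["preinstall", "install", "postinstall"];
const RUNDLL32 = /\brundll32(\.exe)?\b/i;

// manifest: parsed package.json. readLocal(relPath) returns file text or null.
function auditManifest(manifest, readLocal = () => null) {
  const findings = [];
  for (const hook of HOOKS) {
    const cmd = manifest.scripts && manifest.scripts[hook];
    if (typeof cmd !== "string") continue;
    // A hook often just starts a bundled script ("node install.js"), so the
    // JavaScript files named on the command line are inspected as well.
    const files = cmd.match(/[\w./\\-]+\.[cm]?js\b/g) || [];
    const texts = [cmd, ...files.map((f) => readLocal(f) || "")];
    findings.push({ name: manifest.name, version: manifest.version, hook, cmd,
      rundll32: texts.some((t) => RUNDLL32.test(t)) });
  }
  return findings;
}

// Walk a node_modules tree (scoped and nested packages included).
function scanNodeModules(root) {
  const fs = require("node:fs"), path = require("node:path");
  const out = [];
  const visit = (dir) => {
    for (const e of fs.readdirSync(dir, { withFileTypes: true })) {
      if (!e.isDirectory()) continue;
      const pkgDir = path.join(dir, e.name);
      if (e.name.startsWith("@")) { visit(pkgDir); continue; }
      const read = (f) => {
        try { return fs.readFileSync(path.join(pkgDir, f), "utf8"); } catch { return null; }
      };
      const raw = read("package.json");
      try { if (raw) out.push(...auditManifest(JSON.parse(raw), read)); } catch { /* unparsable manifest */ }
      if (fs.existsSync(path.join(pkgDir, "node_modules"))) visit(path.join(pkgDir, "node_modules"));
    }
  };
  visit(root);
  return out;
}

// Constructed sample: a hypothetical package whose postinstall script launches rundll32.
const SAMPLE = {
  manifest: { name: "example-pkg", version: "0.0.0", scripts: { postinstall: "node install.js" } },
  files: { "install.js": 'require("child_process").spawn("rundll32", [dllPath]);' },
};
const sampleFindings = () => auditManifest(SAMPLE.manifest, (f) => SAMPLE.files[f] || null);
```

Run `scanNodeModules("node_modules")` from a project root and review every finding; symlinked package directories (pnpm layouts) are not followed. Installing with `npm ci --ignore-scripts` keeps lifecycle hooks from running at all.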
Read at TechRadar