npm phishing attack laces popular packages with malware
Briefly

The npm package "is" was compromised with cross-platform malware, and linting utility packages used with Prettier were infected with Windows-only malware. Both compromises trace back to a phishing campaign that used a typosquatted npm site. Version 3.3.1 of the "is" package shipped a JavaScript malware loader that exfiltrates sensitive data. Maintainers were phished, their accounts hijacked, and compromised versions of their packages were then published from those accounts. The incident highlights how exposed package registries are to phishing attacks aimed at maintainers.
The "is" package is used for JavaScript type testing and is downloaded around 2.7 million times a week. Version 3.3.1 includes an obfuscated JavaScript malware loader.
The malware captures data including all environment variables, exfiltrates them via a WebSocket connection, and provides the attacker with an interactive remote shell.
Maintainer Jordan Harband reported the problem last weekend, stating that it was due to another maintainer's account being hijacked.
Socket also found malicious releases of the got-fetch package following another maintainer account compromise.
Read at The Register