Popular npm Packages Hacked to Spread Malware

In recent weeks, several open-source developers have fallen victim to phishing attacks, leading to malware being injected into widely used npm packages—some of which receive over 30 million downloads per week.

Toptal Incident: Internal Tools Turned Attack Vectors

On July 20, 2025, cybersecurity firm Socket reported the compromise of 10 npm packages owned by Toptal, a global freelancer platform. In addition to talent services, Toptal maintains internal development tools and design systems—such as Picasso—which are distributed via GitHub and npm.

According to researchers, attackers breached Toptal’s GitHub account and made all 73 private repositories public, exposing internal projects and proprietary code.

The attackers then modified Picasso’s source code on GitHub to include malware and published 10 trojanized packages to npm, masquerading as legitimate updates.

The malware was designed to:

• Steal GitHub authentication tokens
• Wipe infected systems after data exfiltration

To execute these actions, attackers altered the package.json file to include two malicious lifecycle scripts:

• preinstall — for data theft
• postinstall — for host cleanup

Before detection, these packages were downloaded approximately 5,000 times.

Toptal disabled the affected packages on July 23 and replaced them with clean versions. However, the company has not issued an official statement, nor has it alerted users who may have installed the compromised code.

The exact method of initial compromise remains unknown, and investigators are still assessing the connection between the GitHub breach and the npm uploads.

• @toptal/picasso-tailwind (3.1.0)
• @toptal/picasso-charts (59.1.4)
• @toptal/picasso-shared (15.1.0)
• @toptal/picasso-provider (5.1.1)
• @toptal/picasso-select (4.2.2)
• @toptal/picasso-quote (2.1.7)
• @toptal/picasso-forms (73.3.2)
• @xene/core (0.4.1)
• @toptal/picasso-utils (3.2.0)
• @toptal/picasso-typography (4.1.4)

Broader Context: A Week of Supply Chain Breaches

The Toptal attack was just one of three major open-source supply chain breaches reported within a single week.

On July 19, multiple widely used JavaScript libraries were hijacked after maintainers were tricked by phishing emails. One of the most prominent incidents involved the hijacking of eslint-config-prettier, a package downloaded more than 30 million times per week.

The package maintainer, JounQin, fell for a phishing email impersonating [email protected]. The attacker used a typosquatted domain—npnjs[.]com—to harvest login credentials.

Compromised Packages List

Attackers used the stolen credentials to publish malware-infected versions of the following packages:

• eslint-config-prettier (8.10.1, 9.1.1, 10.1.6, 10.1.7)
• eslint-plugin-prettier (4.2.2, 4.2.3)
• synckit (0.11.9)
• @pkgr/core (0.2.8)
• napi-postinstall (0.3.1)
• got-fetch (5.1.11, 5.1.12)

These versions specifically targeted Windows machines using an install.js script that ran immediately upon installation.

Though the script was named innocuously, it contained a function called logDiskSpace() which triggered execution of a bundled node-gyp.dll file via the rundll32 process. This DLL was later identified as the Scavenger stealer malware—flagged by VirusTotal as a trojan.

“The maintainer confirmed their npm token was compromised via a phishing email allegedly sent from npnjs[.]com,” said Socket analysts. “Attackers used the stolen credentials to publish malicious versions without altering GitHub repositories, making detection more difficult.”

Because Prettier and ESLint are dependencies in thousands of projects, experts warn that the malware’s reach could be vast—and removal will be challenging.

Another Breach: The "is" Package Compromise

Shortly after the ESLint breach, developer Jordan Harband confirmed that the popular is package—used for type checking in JavaScript—was also compromised.

Versions 3.3.1 through 5.0.0 were infected and remained available on npm for six hours before being removed. The package has over 2.8 million weekly downloads and is a dependency in:

• Developer tooling
• Test frameworks
• Build systems
• CLI applications
• Backend services

Once again, the attack began with a phishing email sent from npnjs[.]com. The attacker stole credentials and published malicious versions without affecting the GitHub repository.

What the Malware Did

The compromised versions of the is package included a cross-platform malware loader that:

• Opened a WebSocket-based backdoor
• Enabled remote code execution

According to Socket researchers:

“Once activated, the malware queried Node.js’s os module to collect:HostnameOS and CPU architectureAll environment variables

It then imported the ws library to exfiltrate this data and opened a WebSocket connection. Any message received over the socket was interpreted as executable JavaScript, granting the attacker remote shell access.”

Developer Recommendations

If you or your organization uses any of the affected packages:

1. Check for Infections

• Audit project dependencies
• Remove known malicious versions

2. Rotate Compromised Credentials

• Revoke and regenerate npm tokens
• Rotate GitHub tokens, API keys, and OAuth credentials

3. Scan Systems for Indicators of Compromise

• Run full antivirus and endpoint protection scans
• Review access logs and unusual behavior

Lessons from the Attacks

These incidents highlight the growing threat of software supply chain attacks—especially those enabled by phishing and typosquatting.

Maintainers should:

• Enable 2FA on all npm and GitHub accounts
• Regularly monitor repositories for unauthorized activity
• Treat unexpected login or verification emails with caution

The npm ecosystem powers a massive share of modern software development. That also makes it a high-value target. Developers, maintainers, and organizations must remain vigilant—because once trust is broken, recovery is far more difficult.