got-fetch npm package shipped Scavenger
Part of the npnjs.com phishing backdoored npm packages campaign
As part of the expanding npm maintainer phishing campaign using the npnjs.com domain, attackers published rogue got-fetch 5.1.11 and 5.1.12 releases.
Story
Attackers pulled got-fetch, a small adapter that lets the popular got HTTP client speak the Fetch API, into the npm phishing wave that swept through several maintainer accounts in mid-July 2025. The poisoned releases, 5.1.11 and 5.1.12, were pushed to npm under the legitimate package name on July 18.
StepSecurity and Socket tied the publish to the same npnjs.com typosquat that had captured credentials from eslint-config-prettier maintainer JounQin earlier the same day, and to a cluster of co-affected packages that included the Prettier tooling, synckit, @pkgr/core, napi-postinstall and, shortly afterward, the is package.
The got-fetch payload followed the wider Scavenger pattern. On Windows, the install step dropped a renamed DLL, shipped here as crashreporter.dll rather than the node-gyp.dll filename used in the Prettier packages, and loaded it through rundll32. The outcome was the same: code execution on whichever developer workstation or CI runner resolved the bad version.
The malicious releases were deprecated and removed from npm. Operators who installed during the window were advised to treat any credentials reachable from the affected host, including browser data, SSH keys, and package-manager tokens, as exposed.
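One way to check whether a project resolved the poisoned versions is to audit its npm lockfile rather than trusting the top-level package.json. The script below is an added example, not code from the original record or the got-fetch project; it assumes the standard npm lockfile layouts (a "packages" map keyed by install path in lockfileVersion 2/3, a nested "dependencies" tree in lockfileVersion 1) and uses a constructed sample lockfile when no path is given.

```javascript
// Added example: audit an npm lockfile for the got-fetch releases named above.
// Handles lockfileVersion 2/3 ("packages" map) and lockfileVersion 1
// ("dependencies" tree), so nested/transitive copies are reported too.
const AFFECTED = { "got-fetch": new Set(["5.1.11", "5.1.12"]) };

// Recursively walk a v1-style "dependencies" tree, building the install path.
function walkV1(deps, prefix, hits) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = `${prefix}node_modules/${name}`;
    if (AFFECTED[name]?.has(info.version)) hits.push({ name, version: info.version, path: here });
    walkV1(info.dependencies, `${here}/`, hits);
  }
}

// Return every installed copy of an affected package version in the lockfile.
function findAffected(lock) {
  const hits = [];
  if (lock.packages) {
    // v2/v3 keys look like "node_modules/got-fetch" or
    // "node_modules/some-tool/node_modules/got-fetch"; the root entry is "".
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path === "") continue;
      const name = path.split("node_modules/").pop(); // keeps scoped names intact
      if (AFFECTED[name]?.has(info.version)) hits.push({ name, version: info.version, path });
    }
  } else {
    walkV1(lock.dependencies, "", hits);
  }
  return hits;
}

// Constructed sample lockfile: one clean copy at the top level and one
// poisoned copy pulled in transitively by a hypothetical "some-tool" package.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", version: "1.0.0" },
    "node_modules/got-fetch": { version: "5.1.10" },
    "node_modules/some-tool/node_modules/got-fetch": { version: "5.1.12" },
  },
};

// Usage: node audit.js [path/to/package-lock.json]; defaults to the sample.
const lock = process.argv[2]
  ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
  : sampleLock;
for (const h of findAffected(lock)) console.log(`AFFECTED ${h.name}@${h.version} at ${h.path}`);
```

A hit means the host that ran that install should be handled as described above, since the lockfile only proves resolution, not whether the install scripts actually ran on Windows.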
Affected Artifacts
- Observed: 2025-07-18 to 2025-07-22
- Fixed: Not listed
Incident Context
- Motive: Data Exfiltration, Remote Access
- Attribution: Group
- Cause: Compromised Account Credentials
- Transitive: No
- Actor: Third Party
External References
Source record: oss/attacks/got-fetch/meta.yaml