got-fetch
got-fetch npm Package Hijacked (Scavenger Malware)
As part of the expanding npm maintainer phishing campaign that used the look-alike npnjs.com domain, attackers published rogue got-fetch 5.1.11 and 5.1.12 releases with the hijacked maintainer account. StepSecurity's eslint-config-prettier incident update cited Checkmarx reporting that this package carried a different Windows-focused payload from the earlier node-gyp.dll packages: the Pycoon information stealer, delivered via crashreporter.dll. Because the versions were published through the maintainer's compromised credentials rather than a registry compromise, they looked like ordinary releases; the practical check is whether 5.1.11 or 5.1.12 appears in a lockfile or an installed node_modules tree. The malicious versions were deprecated on npm, and the package as a whole was later marked deprecated.
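The check a practitioner wants after reading the summary above is whether either rogue release is pinned anywhere in a project. The following script is an added example written for this page, not code from the got-fetch project or from any of the cited reports. It walks an npm lockfile in both layouts (lockfileVersion 1 nested `dependencies`, lockfileVersion 2/3 flat `packages` map) and reports every installed copy whose version is in the compromised set. The two sample lockfiles embedded in it are constructed for illustration, and the name `findCompromised` is the example's own.

```javascript
'use strict';

// Versions named in the incident summary on this page.
const COMPROMISED = {
  'got-fetch': new Set(['5.1.11', '5.1.12']),
};

// Derive the package name from a lockfileVersion 2/3 "packages" key such as
// "node_modules/some-lib/node_modules/got-fetch": everything after the last
// "node_modules/" segment (scoped names like "@scope/pkg" survive intact).
function nameFromPackagesKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Returns [{ name, version, path }] for every installed copy whose version
// is in `compromised`. The flat "packages" map is preferred when present;
// the legacy nested tree is only walked for lockfileVersion 1 files, so a
// v2 file (which carries both) is not double-reported.
function findCompromised(lock, compromised = COMPROMISED) {
  const hits = [];
  const check = (name, version, where) => {
    if (compromised[name] && compromised[name].has(version)) {
      hits.push({ name, version, path: where });
    }
  };

  if (lock.packages) {
    for (const [key, entry] of Object.entries(lock.packages)) {
      const name = nameFromPackagesKey(key);
      if (name && entry && entry.version) check(name, entry.version, key);
    }
    return hits;
  }

  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const where = `${prefix}node_modules/${name}`;
      if (entry && entry.version) check(name, entry.version, where);
      if (entry && entry.dependencies) walk(entry.dependencies, `${where}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfiles (not real project data): one v3 file with a
// rogue top-level copy and a clean nested copy, one v1 file with a rogue
// copy nested under another dependency.
const SAMPLE_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo', version: '1.0.0' },
    'node_modules/got-fetch': { version: '5.1.12' },
    'node_modules/some-lib': { version: '2.0.0' },
    'node_modules/some-lib/node_modules/got-fetch': { version: '5.1.10' },
  },
};
const SAMPLE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'some-lib': {
      version: '2.0.0',
      dependencies: { 'got-fetch': { version: '5.1.11' } },
    },
  },
};

// Usage: `node scan-lock.js package-lock.json` exits 1 if a rogue version is
// found; with no argument it runs against the constructed samples.
function report(hits) {
  for (const h of hits) {
    console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}`);
  }
  return hits.length;
}

if (process.argv[2]) {
  const fs = require('fs');
  const lock = JSON.parse(fs.readFileSync(process.argv[2], 'utf8'));
  process.exit(report(findCompromised(lock)) ? 1 : 0);
} else {
  report(findCompromised(SAMPLE_V3));
  report(findCompromised(SAMPLE_V1));
}
```

Version matching is exact-string on purpose: the incident names two specific releases, so a range comparison would only widen the net without adding certainty. Run it against `package-lock.json` and any `npm-shrinkwrap.json` in CI; a non-zero exit fails the build.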
- Date: 2025-07-18 to 2025-07-22
- Category: Open Source
- Target Surface: Package registry
- Insertion Phase: Distribution
- Impact: Remote access
- Cause: Compromised account/credentials
What Was Affected
- Package: got-fetch
- Language: JavaScript
- Component: Library
- Artifact type: Source archive
- Domain type: Package host
- Domain: npmjs.com
- Repository: github.com/sindresorhus/got-fetch
- Compromised Versions: 5.1.11, 5.1.12
Incident Context
- Motive: Data exfiltration/remote access
- Attribution: Third party
- Transitive: No
- User Impact: 0
- Observed Duration: 4 days
External References
Source Data
Source record: oss/got-fetch/meta.yaml