Open Source · 2025-07-18 · 4 days · Remote Access, Credential Theft

'is' npm package shipped Scavenger

Part of the npnjs.com phishing backdoored npm packages campaign

The npnjs.com phishing campaign hijacked maintainer access for the popular is package. Attackers used social engineering to regain npm access and ship Scavenger malware through trusted releases.

Story

On July 19, 2025, attackers used a hijacked maintainer account to publish two malicious versions of is, a tiny type-checking utility that pulls roughly 2.8 million downloads a week and sits deep in the dependency trees of countless Node.js projects. Unlike the Windows-only DLL droppers that had ridden the npm phishing wave the day before, this payload was pure JavaScript and ran anywhere Node.js did.

The compromise extended a campaign that had begun a day earlier with phished credentials for the eslint-config-prettier maintainer. According to Jordan Harband, a longtime steward of dozens of foundational JavaScript packages, the attacker took ownership of is by social-engineering its prior maintainer through npm's account-recovery flow, then emailed Harband asking to be re-added. Malware was published the next morning.

Socket's analysis of is@5.0.0 described a cross-platform loader rather than the Scavenger DLL family. The package decoded an embedded payload using a custom 94-character alphabet, reconstructed it in memory, and ran it through new Function, leaving no readable artifact on disk. The decoded code gathered hostname, operating system, CPU, and environment data, dynamically imported the ws library, and opened a WebSocket back to attacker-controlled infrastructure. Anything the server pushed down that channel was passed straight to a JavaScript evaluator, turning every install into a live remote shell on macOS, Linux, or Windows.

The malicious versions were deprecated and pulled from npm within hours, though detection took longer than the earlier Prettier-tooling publishes because nothing about the install behavior looked Windows-specific. Operators who installed 3.3.1 or 5.0.0 were advised to rotate any credential reachable from the affected host.
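Two checks a defender would want after reading the loader description and the rotate-credentials advice above, written here as an added example (not code from the page, from npm, or from the is project). The affected version numbers come from the write-up; the lockfile object and the source snippet fed to the heuristics are constructed stand-ins, and the indicator regexes are my own approximation of the loader shape the analysis describes (host fingerprinting, an opaque string literal, `new Function`, ws loaded at runtime). A hit from the heuristics means "read this file", not "this is malware".

```javascript
"use strict";

// Versions named in the write-up as pulled from npm.
const AFFECTED_IS_VERSIONS = new Set(["3.3.1", "5.0.0"]);

// Walk a parsed package-lock.json (lockfileVersion 1, 2 or 3) and return every
// install path where `is` resolves to one of the affected versions. Transitive
// copies nested under other packages are found too.
function findAffectedIs(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/is$/.test(path) && AFFECTED_IS_VERSIONS.has(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested tree of dependencies.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === "is" && AFFECTED_IS_VERSIONS.has(meta.version)) {
          hits.push({ path, version: meta.version });
        }
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Static indicators for the loader pattern described in the analysis. Each one
// alone is common in legitimate code; all four together in a tiny utility is not.
function loaderIndicators(src) {
  const found = [];
  if (/\bnew\s+Function\s*\(/.test(src)) found.push("new Function");
  if (/\bimport\s*\(\s*["']ws["']\s*\)/.test(src) || /\brequire\s*\(\s*["']ws["']\s*\)/.test(src)) {
    found.push("ws loaded at runtime");
  }
  if (/\bos\.(hostname|platform|cpus)\s*\(|\bprocess\.env\b/.test(src)) found.push("host fingerprinting");
  // One string literal of 200+ characters with no whitespace: a blob waiting to be decoded.
  if (/["'`][^\s"'`]{200,}["'`]/.test(src)) found.push("long opaque literal");
  return found;
}

// Constructed lockfile fragment (not a real project): one affected copy at the
// top level, one nested under another package, one unaffected copy.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app" },
    "node_modules/is": { version: "5.0.0" },
    "node_modules/foo": { version: "1.0.0" },
    "node_modules/foo/node_modules/is": { version: "3.3.0" },
    "node_modules/bar/node_modules/is": { version: "3.3.1" },
  },
};

// Constructed, inert source text carrying the four indicators. decode() is not
// defined anywhere, so this snippet does nothing if evaluated; it exists only to
// exercise the heuristics.
const SAMPLE_SUSPICIOUS_SRC = [
  'const os = require("os");',
  "const fp = [os.hostname(), os.platform(), process.env.USER];",
  'const blob = "' + "A".repeat(260) + '"; // stand-in for an encoded payload',
  "new Function(decode(blob))(fp);",
  'import("ws");',
].join("\n");

// What the real utility looks like: a one-line type check.
const SAMPLE_BENIGN_SRC = 'module.exports = x => typeof x === "string";';

console.log("affected is installs:", findAffectedIs(SAMPLE_LOCK_V3));
console.log("suspicious indicators:", loaderIndicators(SAMPLE_SUSPICIOUS_SRC));
console.log("benign indicators:", loaderIndicators(SAMPLE_BENIGN_SRC));
```

To run against a real tree, replace the sample with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and point the heuristic at the files under `node_modules/is`. The lockfile check is the authoritative one for this incident; the heuristics are there for the next package where the version numbers are not yet known.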

Affected Artifacts

Incident Context

Motive: Data Exfiltration, Remote Access
Attribution (Group): none listed
Cause: Compromised Account Credentials
Transitive: No
Actor: Third Party
User Impact: 2,800,000

External References

Source record: oss/attacks/is/meta.yaml