is
'is' npm Package Hijacked (Scavenger Malware)
Attackers running the npnjs.com npm phishing campaign hijacked an old maintainer account for the popular is package and used social engineering to regain package access: after the compromised old maintainer was removed, the attacker convinced current maintainers that npm had removed the account for missing 2FA, leading the account to be re-added. On July 19, 2025, the attackers published is 3.3.1 and 5.0.0. Reporting on the broader campaign describes the payload family as Scavenger, a cross-platform JavaScript loader that stole browser data, environment variables, and SSH keys and established an interactive remote shell via WebSocket.
- Date
- 2025-07-18 to 2025-07-22
- Category
- Open Source
- Target Surface
- Package registry
- Insertion Phase
- distribution
- Impact
- Remote access
- Cause
- Compromised Account/Credentials
What Was Affected
Package
is
LanguageJavaScript
ComponentLibrary
Artifact typesource archive
Domain typepackage host
Domain
npmjs.com
Repository
github.com/sindresorhus/is
Compromised Versions
Incident Context
- Motive
- Data Exfiltration/Remote Access
- Attribution
- Third Party
- Transitive
- No
- User Impact
- 2800000
- Observed Duration
- 4 days
External References
Source Data
Source record: oss/is/meta.yaml