Open Source · 2025-07-18 · 1 day · Code Execution

napi-postinstall joined npm phishing wave

Part of the npnjs.com phishing backdoored npm packages campaign

napi-postinstall 0.3.1 was published during the July 2025 npnjs.com maintainer phishing wave. Its install path executed attacker-controlled JavaScript from npm.

Story

On July 18, 2025, attackers used a phished npm token to publish a malicious napi-postinstall@0.3.1, a small helper that other native Node.js add-ons rely on to run setup steps after npm install. The package's whole purpose is to execute code at install time, which made it an unusually convenient carrier for a registry-side compromise.

StepSecurity and Socket flagged the release while tracing the broader npnjs.com phishing wave that captured publishing credentials from JounQin, the maintainer of eslint-config-prettier and a long roster of related tooling. The same stolen credential was used the same day to ship malicious versions of eslint-config-prettier, eslint-plugin-prettier, synckit, and @pkgr/core. As with the others, the registry artifact had no matching commit, pull request, or tag on the project's GitHub repository.

Because napi-postinstall is pulled in as a transitive dependency of packages that build native modules, a developer or CI job updating an unrelated tool could end up resolving the bad version without naming it directly. The payload mirrored the rest of the cluster: a Windows-only loader that ran node-gyp.dll through rundll32 to drop the Scavenger infostealer.

The release was deprecated and removed from npm after JounQin revoked the leaked token. Operators who installed during the window were advised to rotate any credential reachable from the affected machine.

Affected Artifacts

Incident Context

Motive: Remote Code Execution
Attribution: Group
Cause: Social Engineering
Transitive: Yes
Actor: Third Party

External References

Source record: oss/attacks/napi-postinstall/meta.yaml