napi-postinstall
napi-postinstall npm phishing compromise
StepSecurity confirmed napi-postinstall 0.3.1 as one of the npm packages affected by the July 2025 npnjs.com maintainer phishing campaign. The attacker used a phished maintainer credential path to publish malicious releases directly to npm without corresponding source repository changes. In the eslint-config-prettier cluster, the malicious package family executed install.js during installation and launched a bundled Windows DLL through rundll32 on Windows systems.
- Date
- 2025-07-18 to 2025-07-19
- Category
- Open Source
- Target Surface
- Package registry
- Insertion Phase
- distribution
- Impact
- Code Execution
- Cause
- Social Engineering
What Was Affected
Package
napi-postinstall
LanguageJavaScript
ComponentLibrary
Artifact typesource archive
Domain typepackage host
Domain
npmjs.com
Repository
npmjs.com/package/napi-postinstall
Compromised Versions
Incident Context
- Motive
- Remote Code Execution
- Attribution
- Third Party
- Transitive
- Yes
- User Impact
- 0
- Observed Duration
- 1 days
Evidence
Compromised Artifacts
Current Artifacts and Analysis
External References
Source Data
Source record: oss/napi-postinstall/meta.yaml