Open Source · 2025-07-18 · 1 day · Code Execution

@pkgjs/core npm phishing stole credentials

Part of the npnjs.com phishing campaign that backdoored npm packages

StepSecurity confirmed @pkgjs/core 0.2.8 as one of the npm packages affected by the July 2025 npnjs.com maintainer phishing campaign.

Story

On July 18, 2025, attackers added @pkgjs/core to the list of npm packages compromised through the npnjs.com phishing campaign, publishing a malicious version 0.2.8 under JounQin's hijacked publishing token. The package is a small utility library that other JounQin-maintained tools depend on, which extended the blast radius well beyond projects that name it directly.

StepSecurity and Socket identified the release while working through the same cluster that produced the malicious eslint-config-prettier, eslint-plugin-prettier, synckit, and napi-postinstall publishes. The pattern was identical across all of them: a fresh version showed up on npm with no corresponding commit, pull request, or tag in the project's GitHub repository, a sign that the registry credential rather than the source tree had been the entry point.

The payload matched the Scavenger family seen in the sibling packages, a Windows-only loader that ran node-gyp.dll through rundll32 once the package was unpacked on a developer workstation or CI runner. Install-time execution made the package's lack of a user-facing application largely beside the point: the credentials and network access available to the build environment were the target.
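The two indicators described above, a registry version with no corresponding tag or commit in the source repository and a release that starts executing code at install time, can be checked mechanically before a new version is allowed into a build. The following is an added example, not code from the incident record or from the @pkgjs/core project: it reconciles a package's published versions against the repository's tags and commits and diffs lifecycle scripts between consecutive releases. The registry data, commit ids, tag names and the `postinstall` script string are constructed for the example; in practice the inputs would come from `npm view <pkg> --json` (versions, gitHead, scripts) and from `git tag` / `git rev-list --all` on a clone of the repository.

```javascript
// Added example, not code from the incident record or the @pkgjs/core project.
// Reconciles an npm package's published versions with the git tags and commits
// of its source repository and flags releases that have no provenance in the
// repo or that introduce install-time lifecycle scripts.

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Reduce a tag such as "v0.2.7" or "@pkgjs/core@0.2.7" to its bare version.
function tagToVersion(tag) {
  const m = /(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)$/.exec(tag);
  return m ? m[1] : null;
}

// Numeric major.minor.patch ordering; sufficient for release-style versions.
function compareVersions(a, b) {
  const pa = a.split(/[.-]/).map(Number);
  const pb = b.split(/[.-]/).map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// registry: { [version]: { gitHead?: string, scripts?: object } }
// tags: git tag names; commits: Set of commit SHAs present in the repository.
function auditReleases(registry, tags, commits) {
  const taggedVersions = new Set(tags.map(tagToVersion).filter(Boolean));
  const versions = Object.keys(registry).sort(compareVersions);
  const findings = [];
  versions.forEach((version, i) => {
    const meta = registry[version];
    const reasons = [];
    if (!taggedVersions.has(version)) {
      reasons.push('no git tag for this version');
    }
    if (!meta.gitHead || !commits.has(meta.gitHead)) {
      reasons.push('gitHead missing or not a commit in the repository');
    }
    // Compare lifecycle scripts with the previous release: a hook that is
    // new or changed is the usual way an install-time payload gets wired in.
    const scripts = meta.scripts || {};
    const prevScripts = i > 0 ? registry[versions[i - 1]].scripts || {} : {};
    for (const hook of INSTALL_HOOKS) {
      if (scripts[hook] && scripts[hook] !== prevScripts[hook]) {
        reasons.push(`${hook} script added or changed: ${scripts[hook]}`);
      }
    }
    if (reasons.length > 0) findings.push({ version, reasons });
  });
  return findings;
}

// Constructed sample: two normal releases followed by a version that exists
// only on the registry. Commit ids and the script contents are hypothetical.
const SAMPLE_REGISTRY = {
  '0.2.6': { gitHead: 'a1a1a1', scripts: { test: 'jest' } },
  '0.2.7': { gitHead: 'b2b2b2', scripts: { test: 'jest' } },
  '0.2.8': { scripts: { test: 'jest', postinstall: 'node ./setup.js' } },
};
const SAMPLE_TAGS = ['v0.2.6', 'v0.2.7'];
const SAMPLE_COMMITS = new Set(['a1a1a1', 'b2b2b2']);

// Returns the findings for the constructed sample: only 0.2.8 is flagged,
// with three reasons (no tag, no known commit, new postinstall hook).
function runSample() {
  return auditReleases(SAMPLE_REGISTRY, SAMPLE_TAGS, SAMPLE_COMMITS);
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runSample(), null, 2));
}
```

A release that fails either check is not proof of compromise (maintainers do sometimes publish without tagging), but it is exactly the condition that distinguished the malicious 0.2.8 from the legitimate releases around it, and it is cheap enough to gate a lockfile update on.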

JounQin revoked the leaked token, deprecated 0.2.8, and worked with npm support to remove it. Operators who installed during the window were advised to rotate any credential reachable from the affected machine.

Affected Artifacts

Incident Context

Motive: Remote Code Execution
Attribution: Group
Cause: Social Engineering
Transitive: Yes
Actor: Third Party

External References

Source record: oss/attacks/pkgjs-core/meta.yaml