Open Source · 2025-07-18 · 1 day · Code Execution

synckit npm phishing shipped malware

Part of the npnjs.com phishing backdoored npm packages campaign

StepSecurity confirmed synckit 0.11.9 as one of the npm packages affected by the July 2025 npnjs.com maintainer phishing campaign. Using publishing credentials phished from a maintainer, the attacker pushed malicious releases directly to npm with no corresponding changes in the source repository.

Story

On July 18, 2025, attackers used a phished npm token to push a malicious synckit@0.11.9, a synchronous wrapper around Node.js worker threads that is widely embedded as a transitive dependency in JavaScript tooling. The release landed on npm without a corresponding commit, pull request, or tag in the project's GitHub repository.

StepSecurity and Socket connected the publish to the same npnjs.com typosquat that had captured publishing credentials from maintainer JounQin earlier the same day. The same stolen token shipped malicious versions of eslint-config-prettier, eslint-plugin-prettier, @pkgjs/core, and napi-postinstall in the same window.

The payload matched the rest of the cluster: a Windows-only loader that ran node-gyp.dll through rundll32 on install, dropping the Scavenger infostealer onto any developer workstation or CI runner that resolved the bad version. Because synckit is rarely installed directly, most affected hosts pulled it in as a deep transitive dependency of other tools.

JounQin revoked the leaked token, deprecated 0.11.9, and coordinated with npm support to remove it. Operators who installed during the window were advised to treat browser data, SSH keys, and registry tokens reachable from the affected machine as compromised.
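Because the bad version was almost always pulled in transitively, the practical check for an operator is to walk a lockfile rather than the top-level dependency list. The following script is an added example, not part of this record or of the synckit project: it scans a package-lock.json (lockfileVersion 1 as well as 2/3) for synckit@0.11.9, the only package@version this record names, and reports the nesting path so a nested copy under another tool is not missed. The sample lockfiles and the parent package name some-linter-plugin are constructed for the example; the AFFECTED table can be extended with the other versions from the advisory once you have them.

```python
import json
import sys

# Known-bad version named in this record. The other packages in the cluster are
# listed without version numbers here, so they are not hard-coded.
AFFECTED = {"synckit": {"0.11.9"}}


def _walk_v1(deps, prefix, affected, hits):
    """lockfileVersion 1 nests dependencies recursively under each package."""
    for name, meta in (deps or {}).items():
        path = f"{prefix}node_modules/{name}"
        ver = meta.get("version")
        if ver in affected.get(name, ()):
            hits.append((name, ver, path))
        _walk_v1(meta.get("dependencies"), path + "/", affected, hits)


def find_affected(lock, affected=AFFECTED):
    """Return sorted (name, version, install path) tuples for every affected copy."""
    hits = []
    if "packages" in lock:  # lockfileVersion 2 or 3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project itself
                continue
            # Scoped packages keep their scope: "node_modules/@scope/name" -> "@scope/name"
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            ver = meta.get("version")
            if ver in affected.get(name, ()):
                hits.append((name, ver, path))
    else:  # lockfileVersion 1
        _walk_v1(lock.get("dependencies"), "", affected, hits)
    return sorted(hits)


def scan_lockfile(path, affected=AFFECTED):
    with open(path, encoding="utf-8") as fh:
        return find_affected(json.load(fh), affected)


# Constructed sample lockfiles: the bad version sits one level down under a
# hypothetical parent package, while the top-level synckit is a clean version.
SAMPLE_V3 = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/some-linter-plugin": {"version": "1.2.3"},
        "node_modules/some-linter-plugin/node_modules/synckit": {"version": "0.11.9"},
        "node_modules/synckit": {"version": "0.11.8"},
    },
}

SAMPLE_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "some-linter-plugin": {
            "version": "1.2.3",
            "dependencies": {"synckit": {"version": "0.11.9"}},
        },
        "synckit": {"version": "0.11.8"},
    },
}


if __name__ == "__main__":
    hits = scan_lockfile(sys.argv[1]) if len(sys.argv) > 1 else find_affected(SAMPLE_V3)
    for name, ver, path in hits:
        print(f"AFFECTED {name}@{ver} at {path}")
    sys.exit(1 if hits else 0)
```

Run it as `python scan.py package-lock.json` on each checkout and CI workspace that was resolved during the publish window; a non-zero exit means a hit, which is the cue to rotate the credentials the record lists (browser data, SSH keys, registry tokens) rather than only to reinstall.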

Affected Artifacts

Incident Context

Motive: Remote Code Execution
Attribution: Group
Cause: Social Engineering
Transitive: Yes
Actor: Third Party

External References

Source record: oss/attacks/synckit/meta.yaml