Campaign · Open Source · 2025-07-18 · 4 days · Code Execution, Credential Theft, Remote Access

npnjs.com phishing backdoored npm packages

The npnjs.com campaign used a lookalike npm login domain to phish maintainers and publish malicious releases across JavaScript tooling packages in July 2025.

Story

The July 2025 npm phishing campaign began with a letter off by one character. Maintainers were sent to npnjs.com, a lookalike of the npm login flow, and the stolen credentials became publish rights on the real npm registry.

The attacker did not need to break npm itself. With maintainer credentials in hand, they published malicious versions under real package names, so dependency resolvers and lockfile updates saw what looked like official registry artifacts. Some packages added install-time scripts and downloader logic; others carried backdoors or credential theft.

The first visible cluster centered on ESLint and Prettier tooling. eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgjs/core, and napi-postinstall all carried the same account-compromise pattern, and later reporting connected additional packages such as is and got-fetch to the same broader phishing infrastructure.

The malware family leaned on JavaScript's install-time execution model. A package did not need to be imported by production code to matter; it only had to run during npm install on a developer workstation or CI runner where browser data, SSH keys, registry tokens, or other credentials were reachable.
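The install-time execution model described above is also the defender's first checkpoint: every package in a dependency tree declares its lifecycle hooks in its own package.json, so a tree can be audited for install hooks before or after `npm install` runs. The script below is an added example, not code from this record or from any of the affected projects. It walks a node_modules directory, reports every package that declares a preinstall, install or postinstall script (the hooks npm runs automatically for dependencies), and flags any package whose name and version appear in a known-bad list. The only known-bad entry is synckit 0.11.9, the one version this record states; the sample manifests it runs on are constructed for the demonstration and do not reflect the contents of any real package.

```python
"""Audit an npm dependency tree for install-time lifecycle hooks and known-bad versions.

Added example (not part of the campaign record). Assumes package.json files
under node_modules are ordinary JSON; the sample manifests below are constructed.
"""
import json
import os
from dataclasses import dataclass
from pathlib import Path

# Lifecycle hooks npm runs automatically for dependencies during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# (name, version) pairs to flag. Only synckit 0.11.9 is stated by this record;
# extend the set from the package records as versions are confirmed.
KNOWN_BAD = {("synckit", "0.11.9")}


@dataclass(frozen=True)
class Finding:
    name: str
    version: str
    reason: str


def audit_manifests(manifests):
    """Return a Finding for each manifest that declares an install hook or
    matches a known-bad version. `manifests` is a list of parsed package.json dicts."""
    findings = []
    for manifest in manifests:
        name = manifest.get("name", "<unnamed>")
        version = manifest.get("version", "<unknown>")
        if (name, version) in KNOWN_BAD:
            findings.append(Finding(name, version, "known-bad version"))
        scripts = manifest.get("scripts") or {}
        hooks = [h for h in INSTALL_HOOKS if h in scripts]
        if hooks:
            detail = "; ".join(f"{h}: {scripts[h]}" for h in hooks)
            findings.append(Finding(name, version, "install hook " + detail))
    return findings


def load_manifests(node_modules):
    """Collect every package.json under a node_modules directory (nested trees included)."""
    manifests = []
    for dirpath, _dirnames, filenames in os.walk(node_modules):
        if "package.json" not in filenames:
            continue
        with open(Path(dirpath) / "package.json", encoding="utf-8") as fh:
            try:
                manifests.append(json.load(fh))
            except json.JSONDecodeError:
                continue  # a malformed manifest cannot declare hooks npm would run
    return manifests


# Constructed sample tree. The synckit entry carries only the version named by the
# record; its manifest fields are not taken from the real package.
SAMPLE_MANIFESTS = [
    {"name": "example-clean", "version": "1.0.0", "scripts": {"test": "node test.js"}},
    {"name": "example-hooked", "version": "2.3.1",
     "scripts": {"postinstall": "node scripts/fetch.js"}},
    {"name": "synckit", "version": "0.11.9"},
]


if __name__ == "__main__":
    import sys
    manifests = load_manifests(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_MANIFESTS
    for finding in audit_manifests(manifests):
        print(f"{finding.name}@{finding.version}: {finding.reason}")
```

Run it with a path (`python audit_tree.py ./node_modules`) to scan a real checkout, or with no arguments to see the constructed sample. An install hook is not proof of compromise (many legitimate native-addon packages have one), so the output is a review list, not a verdict; on CI runners the cheaper control is to install with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) so that no dependency hook runs at all, then enable scripts only for the packages that genuinely need them.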

This campaign record holds the shared phishing domain, timing, and account-takeover pattern. The package records stay separate because each affected name has its own version list, registry path, maintainer response, and exposure query.

Linked Attacks

2025

Top vector: Package registry
Top payload point: Distribution
Entries: 7 (7 open source, 0 proprietary)
July: 7 entries
synckit npm phishing shipped malware

StepSecurity confirmed synckit 0.11.9 as one of the npm packages affected by the July 2025 npnjs.com maintainer phishing campaign. The attacker used a phished maintainer credential path to publish malicious releases directly to npm without corresponding source repository changes.

'is' npm package shipped Scavenger

The npnjs.com phishing campaign hijacked maintainer access for the popular is package. Attackers used social engineering to regain npm access and ship Scavenger malware through trusted releases.

Campaign Context

Actor: Third Party
Attribution: Group
Cause: Unknown

Affected Packages

External References

Source record: oss/campaigns/npnjs-scam-npm-2025/meta.yaml