Wednesday, July 23, 2025

NPM package ‘is’ with 2.8M weekly downloads infected devs with malware

The popular NPM package ‘is’ has been compromised in a supply chain attack that injected backdoor malware, giving attackers full access to affected devices.

This happened after maintainer accounts were hijacked via phishing, followed by unauthorized owner changes that went unnoticed for several hours, potentially compromising many developers who downloaded the new releases.

The ‘is’ package is a lightweight JavaScript utility library that provides a wide variety of type checking and value validation functions.

The package has over 2.8 million weekly downloads on the NPM package index. It is used widely as a low-level utility dependency in development tools, testing libraries, build systems, and backend and CLI projects.

On July 19, 2025, the package’s primary maintainer, Jordan Harband, announced that versions 3.3.1 through 5.0.0 contained malware and were removed roughly 6 hours after threat actors published them to npm.

This was the result of the same NPM supply chain attack that used the fake domain ‘npnjs[.]com’ to steal maintainer credentials and then publish laced versions of popular packages.

Besides ‘is,’ the following packages were confirmed to be pushing malware, compromised in the same attack:

  • eslint-config-prettier (8.10.1, 9.1.1, 10.1.6, 10.1.7)
  • eslint-plugin-prettier (4.2.2, 4.2.3)
  • synckit (0.11.9)
  • @pkgr/core (0.2.8)
  • napi-postinstall (0.3.1)
  • got-fetch (5.1.11, 5.1.12)

Socket reports that ‘is’ contains a cross-platform JavaScript malware loader that opens a WebSocket-based backdoor, enabling remote code execution.

“Once active, it queries Node’s os module to collect the hostname, operating system, and CPU details, and captures all environment variables from process.env,” explains Socket.

“It then dynamically imports the ws library to exfiltrate this data over a WebSocket connection.”

“Every message received over the socket is treated as executable JavaScript, giving the threat actor an instant, interactive remote shell.”

The researchers also analyzed the payload in ‘eslint’ and the rest of the packages, finding a Windows infostealer called ‘Scavanger’ that targets sensitive information stored in web browsers.

The malware features evasion mechanisms such as indirect syscalls and encrypted command and control (C2) communications, but it may trigger security warnings in Chrome due to its manipulation of browser flags.

Based on the attack pattern, the threat actors may have compromised additional maintainer credentials and are preparing to experiment with stealthier payloads on new software packages.

To prevent this, maintainers should reset their passwords and rotate all tokens immediately, and developers should use only known-safe versions published before July 18, 2025.

Auto-updating should be turned off, and lockfiles can be used to freeze dependencies at specific versions. A lockfile only helps if installs honour it (for example `npm ci` rather than a bare `npm install` that may re-resolve ranges), and a pinned lockfile still needs to be checked against the versions listed above.
