Popular NPM ‘is’ Package Infects 2.8M Weekly Users with Malware

Summary
– The NPM package ‘is’ was compromised in a supply chain attack, injecting malware that gave attackers full access to affected devices.
– Attackers hijacked maintainer accounts via phishing and pushed malicious versions of ‘is’ (versions 3.3.1 to 5.0.0), which remained undetected for hours.
– The ‘is’ package, with 2.8 million weekly downloads, is widely used for type checking and validation in development tools and projects.
– The malware in ‘is’ opens a WebSocket backdoor, collects system data, and allows remote code execution, while other compromised packages deploy an infostealer called ‘Scavanger’.
– Developers should avoid auto-updates, use lockfiles, and stick to pre-July 18, 2025 versions, while maintainers must reset passwords and rotate tokens.
A widely used NPM package called ‘is’ has been distributing malware to millions of developers after attackers hijacked maintainer accounts in a sophisticated supply chain attack. The compromised versions contain a dangerous backdoor capable of remote code execution, putting countless projects at risk.
Security researchers discovered that versions 3.3.1 through 5.0.0 of the ‘is’ package, a fundamental JavaScript utility for type checking, were infected with malicious code. The package, which sees over 2.8 million weekly downloads, serves as a critical dependency in numerous development tools, testing frameworks, and backend systems. The breach went undetected for several hours before being removed, leaving a significant window for exploitation.
The attack followed a familiar pattern: hackers used a fake domain resembling npmjs.com to steal maintainer credentials through phishing. Once inside, they pushed tainted updates to multiple packages, including ‘is’ and several others like eslint-config-prettier, eslint-plugin-prettier, and synckit. These malicious versions contained a stealthy JavaScript loader that establishes a WebSocket-based backdoor, allowing attackers to execute arbitrary commands on infected systems.
Analysis reveals the malware harvests sensitive system data, including hostnames, OS details, and environment variables, before exfiltrating it via encrypted WebSocket connections. Even more alarming, every message sent through this channel is interpreted as executable JavaScript, effectively granting attackers full remote control over compromised machines. Some affected packages also bundled ‘Scavanger,’ a Windows-focused infostealer designed to extract browser-stored credentials and other confidential data.
Security teams warn that the attackers likely still possess additional stolen credentials and may attempt more covert payloads in future attacks. Developers are urged to immediately roll back to pre-July 18, 2025 versions of affected packages, disable auto-updates, and enforce strict version locking. Maintainers should also reset passwords and revoke all access tokens to prevent further unauthorized changes.
This incident underscores the growing threat of supply chain attacks targeting open-source ecosystems. With attackers increasingly exploiting trusted dependencies, vigilance and proactive security measures are essential to safeguarding development environments.
(Source: Bleeping Computer)