Popular JavaScript libraries were hijacked this week and turned into malware droppers, in a supply chain attack achieved via targeted phishing and credential theft.

The npm package eslint-config-prettier, downloaded over 30 million times weekly, was compromised after its maintainer fell victim to a phishing attack. Another package eslint-plugin-prettier from the same maintainer was also targeted.

The attacker(s) used stolen credentials to publish multiple unauthorized versions of the packages with malicious code to infect Windows machines.

Maintainer phished, libraries compromised

On July 18th, developers began noticing unusual behavior after installing versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7 of eslint-config-prettier. These versions were published to the npm registry but had no corresponding changes in the GitHub repository that’d corroborate the releases, raising immediate suspicion within the open-source community.

Libraries like eslint-config-prettier and eslint-plugin-prettier make it easier for developers to work with Prettier and ESLint by ensuring that the code formatting rules are consistenly styled across the project without conflicts or rendundant linting.

Developer Dasa Paddock initially raised a GitHub issue in the project’s repository shedding light on the matter and community members quickly chimed in.

Shortly afterward, the package’s maintainer, JounQin, confirmed that he had fallen victim to a phishing attack. This allowed an unauthorized party to gain access to his npm token and publish the compromised versions.

“It’s this phishing email,” wrote JounQin, sharing a screenshot of a convincing “Verify your account” email he had received:

The email has been spoofed to appear to originate from “support@npmjs.com,” but the link in it leads the user to an illicit npnjs[.]com domain.

“I’ve deleted that npm token and will publish a new version ASAP,” stated JounQin.

“Thanks all, and sorry for my negligence,” continued writing the maintainer in the same thread.

Malicious postinstall script runs a Windows DLL

In the malicious versions, an npm postinstall script “install.js” is configured to run as soon as the package is installed.

This “install.js” contains a suspicious function logDiskSpace(), which, contrary to its name isn’t concerned with disk space monitoring. Instead, the function attempts to execute the DLL “node-gyp.dll” bundled within the package, via the rundll32 Windows system process.

At the time of writing, the DLL, a recognized trojan, has a 19/72 detection score on VirusTotal, which means it is still being missed by a majority of antivirus engines.

What should you do?

• Do not install eslint-config-prettier versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7.  For eslint-plugin-prettier, the affected versions are 4.2.2 and 4.2.3.

• Verify your package-lock.json or yarn.lock files for references to these versions.

• If you deployed builds after July 18th, check CI logs and runtime environments for signs of compromise, especially on Windows machines.

• Consider rotating any secrets that may have been exposed during affected build processes.

The maintainer additionally marked the affected versions as “deprecated” on the npmjs registry. Additionally, a GitHub user cautioned that any other packages published by the maintainer also be checked for potential signs of tampering.

The compromise follows a series of similar social engineering attacks that have targeted developers of popular libraries in recent times.

In March, more than ten widely used npm libraries were compromised and turned into info-stealers. Last month, 17 Gluestack packages with over a million weekly downloads were hijacked to deploy a Remote Access Trojan (RAT).

As the open-source ecosystem largely operates on trust, incidents like these, underscore the fragility of supply chain security and the importance of maintainer security. One wrong click is enough to put millions of users at risk.