Massive NPM Breach: Malicious Packages Spread via Compromised Maintainer Accounts
Episode 185

Daily Security Review

July 24, 2025 · 41m 44s


Show Notes

In this episode, we expose the alarming supply chain attack that compromised millions of JavaScript projects across the globe. This sophisticated breach targeted the NPM ecosystem, infecting widely used packages such as eslint-config-prettier and is, through a coordinated phishing campaign and the exploitation of non-expiring legacy access tokens.

Attackers began by impersonating the official npm registry with a typosquatted domain (npnjs[.]com), stealing credentials from developers via fake login prompts. Once inside, they bypassed GitHub entirely, leaving no trace in the projects' commit histories, and published rogue versions of key packages directly to the registry, effectively weaponizing trusted developer pipelines.

The real payload? Scavenger malware—a stealthy, cross-platform info-stealer designed to harvest sensitive data from Chromium-based browsers. It ran either entirely in JavaScript or by injecting malicious DLLs, evaded detection with anti-VM and antivirus checks, and was even capable of disabling browser security alerts.

We break down:

  • The timeline and tactics of the attack
  • Why NPM’s legacy access tokens became the attackers’ golden ticket
  • The vulnerabilities in Chromium’s local security model that allowed malware like Scavenger to thrive
  • How human error and overlooked MFA practices amplified the threat
  • Lessons on securing software supply chains and managing third-party risks

With over 180 million weekly downloads potentially affected, this breach wasn’t just a security failure—it was a wake-up call for the entire developer community.

We also explore the assigned CVE-2025-54313, and what this means for NPM and open source governance going forward. You'll hear what security professionals, maintainers, and platforms must do now to prevent another incident of this scale—from granular access token enforcement to phishing-resistant MFA and proactive malware scanning.

This is more than a breach—it’s a blueprint for future attacks if safeguards don’t evolve.

#NPM #ScavengerMalware #SupplyChainAttack #CVE202554313 #JavaScriptSecurity #OpenSourceSecurity #eslint #Prettier #InfoStealer #LegacyTokens #TokenSecurity #Chromium #Typosquatting #SoftwareSupplyChain #Cybersecurity #Phishing #2FA #Nodejs #Malware #DeveloperSecurity #DevSecOps #npmEcosystem #MaliciousPackages #CrossPlatformMalware #CredentialTheft

Topics

NPM, Scavenger malware, supply chain attack, phishing, typosquatting, access token, credential theft, legacy tokens, granular tokens, eslint-config-prettier, is package, Node.js, JavaScript, CVE-2025-54313, Chromium vulnerability, info-stealer, open source security, malware injection, token expiration, MFA, DLL injection, cross-platform malware, CI/CD security, npm registry, malicious packages, browser security, GitHub commits, anti-VM, cybersecurity breach, DevSecOps, developer tools, npm ecosystem