Fake npm Website Used to Push Malware via Stolen Token

Security Update News

Update Information

Title: Fake npm Website Used to Push Malware via Stolen Token
Update ID: HACKREAD:EF0132658BBD336A0DD1E48E744EFC9B
Type: hackread
Published: 2025-07-21T16:09:03
Last Updated: 2025-07-21T16:09:03

Security Impact

Severity: NONE

AI Analysis

AI Description: A fake npm website was used in a phishing attack to steal a maintainer token, which was then used to distribute malware through popular JavaScript packages like eslint-config-prettier. This attack highlights the risks of social engineering in the software supply chain.
AI Severity: High
AI Vendor: npm, Inc.
AI Product: npm Registry
AI Version: Not specified

Update Details

Fake npm website used in phishing attack to steal maintainer token, leading to malware in popular JavaScript packages like eslint-config-prettier.
