Engineering

Malicious npm Packages Used in Targeted Phishing Attack: What Security Teams Should Know

A targeted phishing campaign tricked developers into logging into a fake npm site, npnjs[.]com, stealing credentials and pushing malicious versions of popular packages like eslint-config-prettier and eslint-plugin-prettier. These updates bypassed normal GitHub review processes, leading to silent remote code execution (RCE) on Windows endpoints.
Greg Rudman, Rex Guo
July 26, 2025
Home
Blog
Engineering

Malicious npm Packages Used in Targeted Phishing Attack: What Security Teams Should Know

Over 1.3 million packages are available on npm. 95% of modern web applications rely on open-source components like those found on npm. A single compromised npm package like event-stream affected millions of users before it was caught. It was live for months before detection.

Recently, a targeted phishing campaign tricked developers into logging into a fake npm site, npnjs[.]com, stealing credentials and pushing malicious versions of popular packages like eslint-config-prettier and eslint-plugin-prettier. These updates bypassed normal GitHub review processes, leading to silent remote code execution (RCE) on Windows endpoints.

Timeline of Events

  • Mid-July 2025: Attackers deployed phishing infrastructure (npnjs[.]com) mimicking the official npm site.
  • Credential Theft: A maintainer’s npm token was compromised.
  • Malicious Publish: Attacker pushed tainted versions of widely used packages without any corresponding GitHub commits or PRs.

Malicious Packages Identified

  • eslint-config-prettier: 8.10.1, 9.1.1, 10.1.6, 10.1.7
  • eslint-plugin-prettier: 4.2.2, 4.2.3
  • synckit: 0.11.9
  • @pkgr/core: 0.2.8
  • napi-postinstall: 0.3.1

What does this attack look like on an endpoint?

The victim user downloaded a malicious eslint-config-prettier package through npm. This package dropped a DLL (node-gyp.dll) via a hidden postinstall script. Once triggered by rundll32.exe, it connected to suspicious domains like firebase[.]su, granting attackers covert remote access.

Observed Activity (Process Tree)

bash.exe 
→ sh.exe 
→ node.exe 
→ cmd.exe 
→ node.exe install.js 
→ rundll32.exe node-gyp.dll


How can Culminate AI SOC Analyst help?

A medium severity EDR alert is triggered because of the Defense Evasion attack where rundll32.exe executed low-reputation arbitrary code from node-gyp.dll, connecting to suspicious URL firebase[.]su and IP address 104[.]21[.]32[.]127. Culminate performs deeper investigation as follows:

  • Traced the full process chain including script and DLL execution.
  • Flagged abnormal DLL behavior and outbound connections to suspicious, newly registered domains.
  • Surface the dropped files, enabling quick identification of payloads like node-gyp.dll.

Culminate uses real-time domain age checks. The system raised an alert when a process connected to firebase[.]su, a domain less than a year old — a suspicious indicator of C2 or exfiltration activity.

Culminate’s AI SOC Analyst is built to catch advanced threats including supply chain attacks. Culminate AI SOC Analyst discovers full incidents from even medium and low severity alerts which SOC teams typically do not have bandwidth to review. Our AI SOC Analyst uses the techniques described below to detect threats beyond execution.

  • Flags suspicious behaviors such as:
    • DLL execution (e.g., node-gyp.dll via rundll32.exe)
    • Unusual or suspicious process chains
    • Outbound traffic to domains like firebase[.]su
  • Correlates telemetry across:
    • Endpoints
    • User behavior
    • Logs from all security tools like Office 365 and Defender
  • Rapidly investigates and escalates real threats
  • Helps security teams contain the attack before it spreads

Table of contents

Heading 2
Subscribe to our newsletter

Subscribe to receive the latest blog posts to your inbox.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Subscribe to our newsletter

Subscribe to receive the latest blog posts to your inbox.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Home
Blog
Engineering

Malicious npm Packages Used in Targeted Phishing Attack: What Security Teams Should Know

Over 1.3 million packages are available on npm. 95% of modern web applications rely on open-source components like those found on npm. A single compromised npm package like event-stream affected millions of users before it was caught. It was live for months before detection.

Recently, a targeted phishing campaign tricked developers into logging into a fake npm site, npnjs[.]com, stealing credentials and pushing malicious versions of popular packages like eslint-config-prettier and eslint-plugin-prettier. These updates bypassed normal GitHub review processes, leading to silent remote code execution (RCE) on Windows endpoints.

Timeline of Events

  • Mid-July 2025: Attackers deployed phishing infrastructure (npnjs[.]com) mimicking the official npm site.
  • Credential Theft: A maintainer’s npm token was compromised.
  • Malicious Publish: Attacker pushed tainted versions of widely used packages without any corresponding GitHub commits or PRs.

Malicious Packages Identified

  • eslint-config-prettier: 8.10.1, 9.1.1, 10.1.6, 10.1.7
  • eslint-plugin-prettier: 4.2.2, 4.2.3
  • synckit: 0.11.9
  • @pkgr/core: 0.2.8
  • napi-postinstall: 0.3.1

What does this attack look like on an endpoint?

The victim user downloaded a malicious eslint-config-prettier package through npm. This package dropped a DLL (node-gyp.dll) via a hidden postinstall script. Once triggered by rundll32.exe, it connected to suspicious domains like firebase[.]su, granting attackers covert remote access.

Observed Activity (Process Tree)

bash.exe 
→ sh.exe 
→ node.exe 
→ cmd.exe 
→ node.exe install.js 
→ rundll32.exe node-gyp.dll


How can Culminate AI SOC Analyst help?

A medium severity EDR alert is triggered because of the Defense Evasion attack where rundll32.exe executed low-reputation arbitrary code from node-gyp.dll, connecting to suspicious URL firebase[.]su and IP address 104[.]21[.]32[.]127. Culminate performs deeper investigation as follows:

  • Traced the full process chain including script and DLL execution.
  • Flagged abnormal DLL behavior and outbound connections to suspicious, newly registered domains.
  • Surface the dropped files, enabling quick identification of payloads like node-gyp.dll.

Culminate uses real-time domain age checks. The system raised an alert when a process connected to firebase[.]su, a domain less than a year old — a suspicious indicator of C2 or exfiltration activity.

Culminate’s AI SOC Analyst is built to catch advanced threats including supply chain attacks. Culminate AI SOC Analyst discovers full incidents from even medium and low severity alerts which SOC teams typically do not have bandwidth to review. Our AI SOC Analyst uses the techniques described below to detect threats beyond execution.

  • Flags suspicious behaviors such as:
    • DLL execution (e.g., node-gyp.dll via rundll32.exe)
    • Unusual or suspicious process chains
    • Outbound traffic to domains like firebase[.]su
  • Correlates telemetry across:
    • Endpoints
    • User behavior
    • Logs from all security tools like Office 365 and Defender
  • Rapidly investigates and escalates real threats
  • Helps security teams contain the attack before it spreads

Share this post
Tag one
Tag two
Tag three
Tag four
Greg Rudman, Rex Guo

Recommended articles

Engineering

From 10,000 to 10: How AI Identifies Which Alerts Actually Matter

Security Operations Centers (SOCs) are drowning. Every day, analysts are hit with thousands of alerts—each screaming for attention, most leading nowhere. Between EDR pings, email security events, identity anomalies, and SIEM noise, the reality is simple: no human team can investigate everything. Yet buried somewhere in that mountain of noise are the 10 alerts that actually matter. The 10 that point to lateral movement. Credential abuse. Persistence. Exfiltration. Miss them, and it could mean a breach. That’s where AI changes the game.
Read more
Engineering

The Phish That SOAR Missed: Why Modern Attacks Slip Through

Traditional SOAR (Security Orchestration, Automation, and Response) platforms often miss modern phishing attacks because their reliance on pre-determined playbooks and static rules makes them inflexible against rapidly evolving threats. Attackers exploit this rigidity by increasingly leveraging legitimate services like OneDrive and PowerBI to host malicious links, masking their true intent and bypassing SOAR's signature-based and reputation-focused detections. In contrast, AI SOC Analyst platforms are inherently more adaptable and goal-driven, utilizing advanced machine learning and behavioral analytics to automatically adjust investigation techniques and identify subtle anomalies that don't fit known patterns. By intelligently correlating diverse data and automatically investigating links embedded within the legitimate website's context, Culminate's AI SOC Analyst can effectively handle incomplete or ambiguous information, proactively detecting sophisticated phishing campaigns that intentionally evade conventional defenses.
Read more
Engineering

Scattered Spider: A Cross-Environment Threat Undermining SOC Defenses

Since 2021, the Scattered Spider cybercriminal group has rapidly evolved into a sophisticated ransomware operation that blends social engineering with technical precision. Unlike traditional ransomware campaigns that unfold over days or weeks, Scattered Spider executes a full kill chain—from initial access to data theft and encryption—within hours, overwhelming even mature SOCs.
Read more

Want to see Culminate in action?

When Culminate takes on investigations, your analysts can concentrate on tackling true attacks and strategic work.

Schedule a demo
HomeProductAboutBlogCareersBlogContact
© 2025 Culminate Inc. All rights reserved.
Terms & ConditionsPrivacy Policy