The Register: Not pretty, not Windows-only: npm phishing attack laces popular packages with malware

Source URL: https://www.theregister.com/2025/07/24/not_pretty_not_windowsonly_npm/
Source: The Register
Title: Not pretty, not Windows-only: npm phishing attack laces popular packages with malware

Feedly Summary: The "is" package was infected with cross-platform malware after a scam targeting maintainers
The popular npm package "is" was infected with cross-platform malware, around the same time that linting utility packages used with the prettier code formatter were infected with Windows-only malware.…

AI Summary and Description: Yes

Summary: The text highlights a recent security incident involving the npm package “is,” which was infected with cross-platform malware. This incident underscores the vulnerabilities associated with package management in software development, particularly concerning third-party dependencies.

Detailed Description: The text discusses a significant security breach involving the “is” package, which is widely used in JavaScript applications. The incident serves as a cautionary example of the exposure risks that arise when relying on open-source software packages.

**Key Points:**
– The "is" package experienced an infection with cross-platform malware.
– The timing of this incident coincided with the infection of linting utility packages that are associated with the Prettier code formatter; that malware specifically targeted Windows systems.
– This situation raises concerns about the security practices within package management systems and the implications of using third-party packages.

The significance of this incident lies in the following aspects for security and compliance professionals:

1. **Vulnerability Awareness**: Professionals should remain vigilant regarding the security of dependencies in their software, particularly those sourced from public repositories.
2. **Dependency Management Strategy**: Implementing robust dependency management strategies, such as regular audits and updates, is crucial to mitigate the risks associated with malware infections.
3. **Awareness of Attack Vectors**: Understanding the different types of malware (cross-platform vs. OS-specific) can help in preparing better defenses.
4. **Open-Source Risks**: This incident reflects broader risks involved in utilizing open-source libraries, highlighting the importance of scrutinizing the maintainers and the history of packages adopted for use.

Overall, this incident serves as a reminder of the ongoing threats in software security and the need for stringent controls and vigilance in managing software dependencies.