The popular NPM package ‘is’ has been compromised in a supply chain attack that injected backdoor malware, giving attackers full access to compromised devices.
This occurred after maintainer accounts were hijacked via phishing, followed by unauthorized owner changes that went unnoticed for several hours, potentially compromising many developers who downloaded the new releases.
The ‘is’ package is a lightweight JavaScript utility library that provides a wide variety of type checking and value validation functions.
The software has over 2.8 million weekly downloads on the NPM package index. It is used extensively as a low-level utility dependency in development tools, testing libraries, build systems, and backend and CLI projects.
On July 19, 2025, the package’s primary maintainer, John Harband, announced that versions 3.3.1 through 5.0.0 contained malware and were removed roughly 6 hours after threat actors submitted them to npm.
This was the result of the same NPM supply chain attack that used the fake domain ‘npnjs[.]com’ to snatch maintainer credentials and then publish laced versions of popular packages.
Besides ‘is,’ the following packages were confirmed to be pushing malware, compromised in the same attack:
- eslint-config-prettier (8.10.1, 9.1.1, 10.1.6, 10.1.7)
- eslint-plugin-prettier (4.2.2, 4.2.3)
- synckit (0.11.9)
- @pkgr/core (0.2.8)
- napi-postinstall (0.3.1)
- got-fetch (5.1.11, 5.1.12)
Socket reports that ‘is’ contains a cross-platform JavaScript malware loader that opens a WebSocket-based backdoor, enabling remote code execution.
“Once active, it queries Node’s os module to collect the hostname, operating system, and CPU details, and captures all environment variables from process.env,” explains Socket.
“It then dynamically imports the ws library to exfiltrate this data over a WebSocket connection.”
“Every message received over the socket is treated as executable JavaScript, giving the threat actor an instant, interactive remote shell.”
The researchers also analyzed the payload in ‘eslint’ and the rest of the packages, finding a Windows infostealer called ‘Scavenger’ that targets sensitive information stored in web browsers.
The malware features evasion mechanisms such as indirect syscalls and encrypted command and control (C2) communications, but it may trigger security warnings in Chrome due to flag manipulation.
Based on the attack pattern, the threat actors may have compromised additional maintainer credentials and are preparing to experiment with stealthier payloads on new software packages.
To prevent this, maintainers should reset their passwords and rotate all tokens immediately, and developers should only use known-to-be-safe versions from before July 18, 2025.
Auto-updating should be turned off, while lockfiles can be used to freeze releases on specific dependency versions.
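To check an existing project against the package list above and the lockfile advice here, the following is an added example (not code from the article, from Socket, or from any of the affected projects) that scans a lockfileVersion 2 or 3 package-lock.json for the named versions; the sample lockfile is constructed, and the version comparison assumes plain major.minor.patch numbers.

```javascript
// Added example, not code from the article or any affected project: scan a
// package-lock.json (lockfileVersion 2 or 3) for the versions named above.
// { from, to } is an inclusive range; the other entries are exact versions.
const COMPROMISED = {
  'is': [{ from: '3.3.1', to: '5.0.0' }],
  'eslint-config-prettier': ['8.10.1', '9.1.1', '10.1.6', '10.1.7'],
  'eslint-plugin-prettier': ['4.2.2', '4.2.3'],
  'synckit': ['0.11.9'],
  '@pkgr/core': ['0.2.8'],
  'napi-postinstall': ['0.3.1'],
  'got-fetch': ['5.1.11', '5.1.12'],
};
// Numeric major.minor.patch comparison; a leading "v" and any pre-release
// suffix are ignored (assumption: the affected releases carry no such tags).
function compareVersions(a, b) {
  const parse = (v) => v.replace(/^v/, '').split('-')[0].split('.').map(Number);
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}
function isCompromised(name, version) {
  return (COMPROMISED[name] || []).some((rule) => typeof rule === 'string'
    ? compareVersions(version, rule) === 0
    : compareVersions(version, rule.from) >= 0 && compareVersions(version, rule.to) <= 0);
}

// Returns [{ name, version, path }] for every compromised entry, including
// copies nested under another package's own node_modules directory.
function findCompromised(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1 || !meta.version) continue;            // "" is the root project
    const name = path.slice(idx + 'node_modules/'.length); // keeps "@scope/name"
    if (isCompromised(name, meta.version)) hits.push({ name, version: meta.version, path });
  }
  return hits;
}
// Constructed sample lockfile (not a real project) so the script runs stand-alone;
// for a real one use findCompromised(JSON.parse(require('fs').readFileSync(file, 'utf8'))).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/is': { version: '4.0.0' },
  'node_modules/synckit': { version: '0.11.8' },
  'node_modules/@pkgr/core': { version: '0.2.8' },
  'node_modules/foo/node_modules/eslint-plugin-prettier': { version: '4.2.3' },
} };
console.log(findCompromised(SAMPLE_LOCK));
```

A non-empty result means the lockfile pins a laced release and the dependency should be downgraded to a version from before July 18, 2025 and the lockfile regenerated.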