Malware Discovered in Popular JavaScript Package Due to Supply Chain Attack

Fri 25th Jul, 2025

A significant supply chain attack has compromised the widely used JavaScript package "is", which records roughly 2.7 million npm downloads per week. The breach followed a phishing campaign aimed at the maintainers of npm packages, in which attackers harvested npm account credentials.

According to reports, the npm account of a second maintainer with publish rights was hijacked and used to publish malicious versions 3.3.1 and 5.0.0 of the package. Both versions were available on the registry only briefly before being taken down.

In response, maintainer Jordan Harband deprecated the affected versions and published a clean version 3.3.2 as the latest release. Publishing a new "latest" ensures that dependency resolvers and automated update tooling pick up a clean version rather than one of the compromised releases.

The "is" package is a small type-checking utility library whose predicates test whether a value is defined, empty, or of a particular type, among other checks.

The incident is part of a broader wave of supply chain attacks against npm maintainers. The same group of attackers had previously compromised several other packages, including eslint-config-prettier and got-fetch, and published versions of them carrying malware.

Notably, the malware loader shipped in the compromised "is" versions is cross-platform, running on Windows, macOS, and Linux. Security researchers who analysed the malicious JavaScript report that it assembles its payload entirely in memory on the compromised system, so it leaves no dropped file for a disk scan to find, and then opens a WebSocket connection to the attacker's server over which it provides a remote shell.

Developers who depend on "is", directly or transitively, are advised to check their lockfiles and installed node_modules trees for versions 3.3.1 and 5.0.0, including nested copies pulled in by other dependencies. Because the payload provides the attacker with a remote shell, any machine or CI runner that installed one of these versions should be treated as compromised and have its credentials and tokens rotated, not merely cleaned up. The attackers remain active and are likely to continue targeting other JavaScript maintainers.
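As a worked version of the check above, the following Node.js script scans an npm package-lock.json for package@version pairs that are known to be compromised. This is an added example and is not code from the article or from the "is" project; the advisory table contains only the two "is" versions named above, the sample lockfiles are constructed for the demonstration, and the function names (nameFromLockKey, findCompromised, scanLockfileText) are my own.

```javascript
// Added example: scan an npm package-lock.json for package@version pairs that
// are known to be compromised. Not code from the article or the "is" project.
"use strict";

// Advisory table: package name -> versions reported as malicious.
// Only the two "is" versions named in the article are listed here; extend it
// with other versions confirmed by an advisory you trust.
const COMPROMISED = {
  is: new Set(["3.3.1", "5.0.0"]),
};

// Package name from a lockfile v2/v3 "packages" key, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b". The root entry ""
// has no node_modules segment and yields null.
function nameFromLockKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// lockfileVersion 1 stores a nested tree: name -> { version, dependencies }.
function walkV1(deps, prefix, bad, hits) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (bad[name] && bad[name].has(entry.version)) {
      hits.push({ name, version: entry.version, path });
    }
    walkV1(entry.dependencies, `${path}/`, bad, hits);
  }
}

// Return every install location of a compromised name@version. Nested copies
// (node_modules/x/node_modules/is) are reported too, since a transitive
// dependency can pull in a bad version that a top-level check would miss.
function findCompromised(lock, bad = COMPROMISED) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path
    for (const [key, entry] of Object.entries(lock.packages)) {
      const name = nameFromLockKey(key);
      if (name && bad[name] && bad[name].has(entry.version)) {
        hits.push({ name, version: entry.version, path: key });
      }
    }
  } else if (lock.dependencies) {
    walkV1(lock.dependencies, "", bad, hits);
  }
  return hits;
}

// Convenience wrapper for raw lockfile text (e.g. the output of fs.readFileSync).
function scanLockfileText(text, bad = COMPROMISED) {
  return findCompromised(JSON.parse(text), bad);
}

// Constructed sample lockfiles for the demonstration (not real project data).
const SAMPLE_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/is": { version: "3.3.0" },                       // clean
    "node_modules/some-lib": { version: "2.1.0" },
    "node_modules/some-lib/node_modules/is": { version: "3.3.1" }, // compromised, nested
    "node_modules/@scope/other": { version: "5.0.0" },             // other package, same version string
  },
};

const SAMPLE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    is: { version: "5.0.0" },                                      // compromised at top level
    "other-lib": {
      version: "1.0.0",
      dependencies: { is: { version: "3.3.2" } },                  // clean fixed release
    },
  },
};

for (const [label, lock] of [["v3 sample", SAMPLE_V3], ["v1 sample", SAMPLE_V1]]) {
  const found = findCompromised(lock);
  console.log(`${label}: ${found.length} compromised package(s)`);
  for (const h of found) console.log(`  ${h.name}@${h.version} at ${h.path}`);
}
```

To run it against a real project, read package-lock.json and pass the text to scanLockfileText, then fail the build on a non-empty result. A quicker interactive check is "npm ls is --all", which prints every installed copy of the package including nested ones; the lockfile scan is the better fit for CI because it flags a pinned bad version before anything is installed or loaded.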
