The popular npm package 'is' has been compromised in a supply chain attack that injected backdoor malware, giving the attackers full access to any device on which it runs.
This happened after the maintainer's account was hijacked through phishing, followed by an unauthorized ownership change that went unnoticed for several hours, potentially compromising the many developers who downloaded the new releases in that window.
The 'is' package is a lightweight JavaScript utility library that provides a variety of type-checking and value-validation functions.
It has more than 2.8 million weekly downloads on the npm package index and is widely used by development tools, testing libraries and build systems, and as a low-level utility dependency in backend and CLI projects.
On July 19, 2025, the package's primary maintainer, Jordan Harband, announced that versions 3.3.1 through 5.0.0 contained the malware, and that the malicious versions were removed about 6 hours after he reported the threat actors to npm.
This was part of the same npm supply chain attack that used the fake domain 'npnjs(.)com' to phish maintainer credentials and then publish malware-laced versions of popular packages.
Apart from 'is', the following packages were confirmed to have had malware pushed to them in the same attack:
- eslint-config-prettier (8.10.1, 9.1.1, 10.1.6, 10.1.7)
- eslint-plugin-prettier (4.2.2, 4.2.3)
- synckit (0.11.9)
- @pkgr/core (0.2.8)
- napi-postinstall (0.3.1)
- got-fetch (5.1.11, 5.1.12)
Socket reports that 'is' contains a cross-platform JavaScript malware loader that opens a WebSocket-based backdoor enabling remote code execution.
“Once active, it queries Node's os module to collect the hostname, operating system and CPU details, and captures all the environment variables from the process,” Socket explains.
“It then dynamically imports the ws library to exfiltrate this data over a WebSocket connection.”
“Each message received on the socket is treated as executable JavaScript, which gives the actor an immediate, interactive remote shell.”
Researchers also analyzed the payload in the 'eslint' packages and the rest of the affected packages, finding a Windows infostealer called 'Scavenger' that targets sensitive information stored in web browsers.
The malware uses indirect syscalls and encrypted commands to communicate stealthily with its operators, but it can still trigger security warnings in Chrome because of the way it manipulates browser flags.
Based on the pattern of the attack, the threat actors may have compromised additional maintainer credentials and may be preparing to push stealthier payloads to further packages.
To mitigate this, maintainers should reset their passwords and rotate all tokens immediately, and developers should use only versions known to be safe, published before July 18, 2025.
Auto-updating should be disabled, and lockfiles should be used to pin dependencies to specific, known-good versions.