






















The ongoing npm supply chain attacks have claimed another victim. The popular 'is' package, a fundamental type-checking utility in the JavaScript ecosystem, was compromised after attackers successfully phished and hijacked an old maintainer's account. This incident represents an escalation in the phishing campaign that previously compromised eslint-config-prettier and several other widely-used packages.
On July 19, 2025, malicious versions of the 'is' package were published to npm, including versions 3.3.1 and 5.0.0. This attack was part of the ongoing phishing campaign targeting npm maintainers. However, the attack vector was particularly cunning: the threat actors first compromised an old maintainer of the package through phishing, then manipulated npm's ownership system to gain control.
Jordan Harband, a prominent JavaScript maintainer who oversees hundreds of npm packages, revealed how he was inadvertently drawn into the attack.
The details of how this compromise occurred are particularly concerning. Jordan Harband shared his experience on Bluesky:

The attack unfolded through a sophisticated deception:
As the maintainer noted in follow-up posts, the malicious code went unnoticed for six hours - longer than usual. The attackers managed to publish both version 3.3.1 and later version 5.0.0, likely using a pre-existing session.

This multi-stage attack expertly exploited the trust between maintainers and the lack of proper notifications in npm's ownership system.
This incident highlights a critical vulnerability in open source maintenance: the human element. The attackers didn't need to compromise technical systems or find zero-day vulnerabilities. Instead, they:
The sophisticated nature of this attack demonstrates:
If you have the 'is' package in your dependencies:
npm ls is to check your installed versionnpm cache clean --forceThe following steps are applicable only for StepSecurity enterprise customers. If you are not an existing enterprise customer, you can start our 14 day free trial by installing the StepSecurity GitHub App to complete the following recovery step.
We have added a new control specifically to detect pull requests that upgraded to these compromised packages. You can find the new control on the StepSecurity dashboard.
StepSecurity Artifact Monitor provides real-time detection of unauthorized package releases by continuously monitoring your artifacts across package registries. This tool would have flagged the eslint-config-prettier incident by detecting that version 9.1.1 was published outside of the project's authorized CI/CD pipeline. The monitor tracks release patterns, verifies provenance, and alerts teams when packages are published through unusual channels or from unexpected locations. By implementing Artifact Monitor, organizations can catch supply chain compromises within minutes rather than hours or days, significantly reducing the window of exposure to malicious packages.

Learn more about implementing Artifact Monitor in your security workflow at StepSecurity Artifact Monitor
StepSecurity Harden-Runner adds runtime security monitoring to your GitHub Actions workflows, providing visibility into network calls, file system changes, and process executions during CI/CD runs. In cases like the eslint-config-prettier compromise, Harden-Runner would detect and alert on suspicious behavior such as unexpected network connections to malicious domains or unauthorized file modifications during the build process. The tool creates an audit trail of all activities within your workflows, enabling rapid forensic analysis when investigating potential security incidents. By hardening your CI/CD pipelines with runtime monitoring, you can prevent compromised dependencies from executing malicious code in your build environment. The following screenshot shows how Harden-Runner detected the tj-actions supply chain incident.

Implement Harden-Runner in your workflows by following this guide
The 'is' package is not just another npm module - it's a fundamental utility used across the JavaScript ecosystem. Its compromise potentially affects thousands of projects and millions of installations. The attack demonstrates how targeting foundational packages can create massive blast radius effects in modern software supply chains.
As these attacks continue to evolve, the JavaScript community must adapt its security practices. The attackers are exploiting the trust-based relationships that make open source collaboration possible.
The npm ecosystem needs:
Until these systemic improvements are implemented, every developer and organization using npm packages must remain vigilant and implement defense-in-depth strategies to protect their software supply chains.
For ongoing updates about this and related supply chain security incidents, follow our blog.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。