NEWS The World’s Most Boring Library Turned Out to Be the Most Dangerous in Node.js History

ExcalibuR

Developers were installing “is”, but in reality — they were inviting a hacker into their system.


A compromise of a widely used JavaScript library has put millions of projects at risk globally. We're talking about the “is” package — a seemingly insignificant but critically important component of the Node.js ecosystem. This lightweight utility, designed for type checking and value validation, became the latest victim of a supply chain attack, and this time the consequences were particularly devastating.


The incident began with a phishing campaign during which attackers stole credentials from developers with publishing access to NPM packages. Once inside, they quietly transferred project ownership and released malicious versions of the library — from 3.3.1 to 5.0.0. According to Jordan Harband, the project's lead maintainer, the infected builds remained publicly available for about six hours — enough time to be downloaded by thousands of developers.


The scale of the spread is especially concerning: “is” is a dependency in countless projects — from build systems and CLI tools to testing libraries. According to NPM stats, the package sees over 2.8 million downloads per week. Automatic updates and the absence of lockfiles pinning exact dependency versions significantly increased the risk of infection, particularly in large ecosystems.


An analysis by Socket revealed that the malicious code in “is” acted as a universal JavaScript loader. It established a reverse WebSocket connection, collected system data — including hostname, OS type, CPU architecture, and all environment variables — and transmitted them via the dynamically imported ws library. Every message received through the socket was executed as JavaScript code, effectively granting attackers interactive remote access to the host system.


Meanwhile, other packages compromised in the same campaign distributed a Windows-oriented malware named Scavenger. This spyware collected saved browser passwords and maintained stealthy communication with a command-and-control (C2) server. Its evasion techniques included indirect system calls and encrypted C2 channels. However, in some cases, Scavenger triggered Chrome alerts due to its attempts to manipulate browser security flags.


In addition to “is”, the list of compromised packages includes: eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall, and got-fetch. All were infected with malicious updates between July 18 and 19, 2025, pointing to a coordinated attack with a pre-planned strategy. A central part of the phishing campaign involved a fake domain, npnjs[.]com, which was used to steal credentials and tokens from legitimate developers.


Experts warn that the attack may not be over: the attackers likely obtained access to other developer accounts and may soon start distributing additional malicious packages. Developers are strongly urged to immediately reset passwords and tokens, disable automatic dependency updates, use lockfiles, and temporarily freeze all library versions released after July 18.


The “is” incident serves as yet another reminder of the fragility of the trust-based model on which the entire open-source ecosystem is built. One seemingly innocent package can open a backdoor into thousands of corporate and user systems — and no one may notice until it’s far too late.