Developers Beware of npm Phishing Email That Steal Your Login Credentials

A sophisticated phishing campaign has emerged targeting Node.js developers through a meticulously crafted attack that impersonates the official npm package registry.

The malicious operation utilizes the typosquatted domain npnjs.com, substituting the letter “m” with “n” to create a nearly identical copy of the legitimate npmjs.com website.

This attack demonstrates an alarming evolution in supply chain targeting, where cybercriminals focus on compromising high-value developer accounts to potentially infect millions of downstream projects.

The phishing email spoofed the trusted support@npmjs.org address and contained tokenized URLs designed to track victims and potentially pre-fill authentication data.

Phishing email (Source – Socket.dev)

The targeted approach suggests attackers are specifically hunting package maintainers with significant reach, as evidenced by one targeted developer maintaining packages with 34 million weekly downloads.

The email’s sophisticated design included legitimate support links to npmjs.com, adding credibility to the deception while directing login attempts to the malicious proxy site.

Socket.dev researchers identified multiple technical indicators that exposed the attack’s infrastructure.

The phishing emails originated from IP address 45.9.148.108, hosted by Nice IT Customers Network through shosting-s0-n1.nicevps.net.

This infrastructure has accumulated 27 abuse reports on AbuseIPDB and earned malicious flags from VirusTotal and Criminal IP security databases.

Technical Infrastructure Analysis

The attack’s technical foundation reveals a carefully orchestrated campaign designed to evade detection while maximizing credential harvesting potential.

Authentication mechanisms including SPF, DKIM, and DMARC all failed validation, confirming the emails did not originate from npm’s legitimate servers.

The phishing domain operates as a full proxy of the npm website, seamlessly replicating the user interface while intercepting login credentials through fake authentication pages accessible at with unique tracking tokens.
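A defender can triage a suspicious message for both signals described above: failed SPF/DKIM/DMARC results and links to a near-miss of a trusted domain. The following is an added example, not code from the article or from Socket.dev; the sample message, the `triage` helper, the distance threshold of 2 and the two-label domain heuristic are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED = {"npmjs.com", "npmjs.org"}  # legitimate domains named in the article

# Constructed sample message: header layout, recipient and token are made up.
SAMPLE = """\
From: npm <support@npmjs.org>
To: maintainer@example.com
Subject: Action required
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=npmjs.org;
 dkim=fail header.d=npmjs.org; dmarc=fail header.from=npmjs.org

Log in: https://npnjs.com/login?token=CONSTRUCTED-TOKEN
Support: https://www.npmjs.com/support
"""

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def base_domain(host):
    """Last two labels only (assumption: no multi-part suffixes like co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(raw):
    """Return failed auth checks and link domains that imitate a trusted one."""
    msg = message_from_string(raw)
    auth = " ".join(msg.get_all("Authentication-Results", []))
    failed = sorted({m.lower() for m in re.findall(r"\b(spf|dkim|dmarc)=fail\b", auth, re.I)})
    sender = base_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    lookalikes = set()
    for url in re.findall(r"https?://[^\s\"'<>]+", msg.get_payload()):
        dom = base_domain(urlparse(url).hostname or "")
        if dom not in TRUSTED and min(edit_distance(dom, t) for t in TRUSTED) <= 2:
            lookalikes.add(dom)
    return {"failed_auth": failed,
            "spoofed_trusted_sender": sender in TRUSTED and bool(failed),
            "lookalike_domains": sorted(lookalikes)}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Only an `Authentication-Results` header stamped by your own receiving mail server should be trusted, since a sender can insert a forged one.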

The post Developers Beware of npm Phishing Email That Steal Your Login Credentials appeared first on Cyber Security News.

Source: cybersecuritynews.com
