Widely-used JavaScript utility package ‘is’ (and others) deliver malware through NPM package system.

In a significant software supply chain breach, the widely-used JavaScript utility package ‘is’, which receives over 2.8 million weekly downloads, was compromised and used to distribute malware through the NPM ecosystem.

Background on the Package

The is package is a foundational utility library used for type-checking in JavaScript and Node.js applications. Due to its simplicity and ubiquitous usage, it is a direct or indirect dependency for countless open-source and enterprise-level projects.

Details of the Compromise

The attack occurred on July 19, 2025, when threat actors gained unauthorized access to the NPM account of the package’s original maintainer. According to security analysts, this access was obtained via a sophisticated phishing campaign that imitated legitimate communications from the NPM security team. The phishing site — hosted at npnjs[.]com — tricked the maintainer into entering login credentials, allowing the attackers to seize control of the package.

Once in control, the attackers released malicious versions 3.3.1 and 5.0.0 of the ‘is’ package to the NPM registry. These versions contained an obfuscated payload that downloaded a Windows-based DLL designed to act as a remote access trojan (RAT). The malware granted attackers covert access to infected systems and is believed to be capable of executing remote commands, stealing data, and harvesting credentials.

The malicious versions remained available for download for approximately six hours before being flagged and removed from NPM.

Widespread Impact Across the Ecosystem

Given the popularity and dependency chain of the ‘is’ package, the breach had far-reaching implications. Developers using automated CI/CD pipelines or performing routine updates during the affected window may have inadvertently introduced the malicious code into their systems.

Furthermore, the compromise was not isolated. Security researchers have since linked the attack to a broader campaign targeting other prominent NPM packages, including eslint-plugin-prettier, eslint-config-prettier, and got-fetch.
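Teams that ran installs or CI builds during the affected window can check whether either malicious release landed in a project by inspecting the lockfile rather than trusting a later `npm install` to have replaced it. The Node.js script below is an added example, not code from the article or from any of the projects it names: it walks an npm `package-lock.json` (lockfileVersion 2 or 3) and reports every copy of ‘is’ pinned to 3.3.1 or 5.0.0, including transitive copies nested under other dependencies. The `KNOWN_BAD` table, the `SAMPLE_LOCKFILE` contents and the project name are constructed for illustration; the other packages linked to the campaign are not listed because the article gives no affected versions for them.

```javascript
// Added defensive example: scan an npm package-lock.json for known-compromised
// package versions. The only versions stated in the article are is@3.3.1 and
// is@5.0.0; the other campaign packages have no versions given, so they are
// deliberately not listed here.
const KNOWN_BAD = new Map([
  ['is', new Set(['3.3.1', '5.0.0'])],
]);

// In lockfileVersion 2/3 the "packages" object is keyed by install path, e.g.
// "node_modules/is" or "node_modules/some-lib/node_modules/is". The package
// name (scoped names included) is everything after the last "node_modules/".
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  if (idx === -1) return null; // the "" key is the root project, not a dependency
  return lockPath.slice(idx + marker.length);
}

// Return every lockfile entry whose name/version pair is in the deny table.
// Nested (transitive) copies are found because each one has its own key.
function findCompromised(lockfile, knownBad = KNOWN_BAD) {
  const hits = [];
  const packages = lockfile.packages || {};
  for (const [lockPath, entry] of Object.entries(packages)) {
    const name = packageNameFromPath(lockPath);
    if (!name || !entry || typeof entry.version !== 'string') continue;
    const badVersions = knownBad.get(name);
    if (badVersions && badVersions.has(entry.version)) {
      hits.push({ name, version: entry.version, path: lockPath });
    }
  }
  return hits;
}

// Constructed sample lockfile (not a real project): a clean top-level is@3.3.0
// plus a transitive is@5.0.0 hoisted under a hypothetical "some-lib".
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/is': { version: '3.3.0' },
    'node_modules/some-lib': { version: '2.1.0' },
    'node_modules/some-lib/node_modules/is': { version: '5.0.0' },
  },
};

// CLI usage: node scan-lock.js [path/to/package-lock.json]
// With no argument the constructed sample lockfile is scanned instead.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lockPath = process.argv[2];
  const lock = lockPath
    ? JSON.parse(fs.readFileSync(lockPath, 'utf8'))
    : SAMPLE_LOCKFILE;
  const hits = findCompromised(lock);
  if (hits.length === 0) {
    console.log('No known-compromised versions found.');
  } else {
    for (const h of hits) console.log(`COMPROMISED: ${h.name}@${h.version} at ${h.path}`);
    process.exitCode = 1;
  }
}

module.exports = { KNOWN_BAD, packageNameFromPath, findCompromised, SAMPLE_LOCKFILE };
```

A lockfile scan only tells you whether a bad version was resolved; if a hit is found, treat any host that ran `npm install` or `npm ci` against that lockfile during the window as potentially exposed and rotate credentials that were reachable from it, since the article describes the payload as a credential-harvesting RAT.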
