A major npm package with over 28 million weekly downloads, ‘is,’ was hijacked in a shocking supply chain attack, infecting developers worldwide with backdoor malware. Here’s what happened, who’s at risk, and urgent

Continue reading
In an alarming new wave of cyberattacks, a core npm package named ‘is’—downloaded more than 28 million times every week—was stealthily hijacked and weaponized to infect developer systems across the globe.**
Between July 19 and 21, 2025, attackers took control of the trusted ‘is’ package on the npm registry, injecting a powerful malware backdoor into versions 3.3.1 to 5.0.0. The attack leveraged stolen credentials from the maintainer, harvested through a highly convincing phishing scam that impersonated official npm support.
Security experts warn that this breach could have exposed millions of projects and development environments. The malware secretly collected sensitive system data, then opened a backdoor via WebSocket, allowing remote attackers to push malicious JavaScript code straight into compromised systems—potentially affecting everything from private projects to production infrastructure.
This is just one in a series of related npm attacks. Other top packages—including `eslint-config-prettier`, `eslint-plugin-prettier`, `synckit`, and more—were also compromised, infecting countless developer machines with info-stealing malware and even Windows trojans.
If you or your team downloaded or updated ‘is’ or any of the affected packages after July 18, 2025, your systems could be compromised. This includes both direct installs and indirect dependencies.
This attack proves that even the most trusted, tiny npm packages can become high-impact threats overnight. Experts urge every developer and company to re-examine their supply chain security, implement stricter dependency policies, and stay vigilant for phishing attempts targeting open-source maintainers.

Suspected China and India nexus actors both compromised Balochistan Police systems, planting malware in a public complaint portal used by citizens.