Beware of npm Phishing Emails Stealing Developer Credentials

A recent and sophisticated phishing campaign targeting developers has come to light, exposing the growing threat that typosquatting represents within the open-source community.

One engineer reported a convincing phishing email spoofing the official npm support address ([email protected]) and attempting to lure recipients to a deceptive site through a subtle, one-character domain switch: npnjs.com, with an "n" in place of the "m", designed to closely mimic the legitimate npmjs.com.

The fake domain hosts a cloned copy of the npm website, complete with an authentic-looking login page that is central to its credential theft strategy.

Sophisticated Typosquatting Campaign

The phishing email in question urged recipients to “log in here” via a link embedded with a unique token: https://npnjs.com/login?token=xxxxxx (token redacted for safety).

Figure: the npm phishing email

The inclusion of personalized tokens suggests semi-targeted attacks, potentially focusing on npm package maintainers with substantial user reach.

In one observed case, the target was responsible for packages totaling 34 million weekly downloads, underscoring the risks posed if such credentials are compromised.

Attackers may be using these tokens both to monitor victim engagement and to orchestrate convincing, user-tailored phishing flows that replicate npm’s official login process.

Notably, the phishing email also contained genuine support links pointing to the legitimate npmjs.com domain, blending authentic references with the single malicious typosquatted link, so that a recipient who checks only some of the links sees legitimate destinations.
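The mix of legitimate and lookalike links described above is easy to catch mechanically if every link host is compared against the domains it could be imitating. The following is an added example written for this article, not code from npm or from the original report: it extracts the host of each link, treats subdomains of a protected domain as legitimate, and flags a host as a lookalike when its registrable domain is within one edit of a protected domain (npnjs.com) or when a protected domain is embedded as a label of some other domain (npmjs.com.evil.test). PROTECTED_DOMAINS and SAMPLE_LINKS are assumptions; the sample list is constructed to match the shape of the email (one tokenized login link beside real npmjs.com links), with the token replaced by a placeholder.

```python
"""Flag links whose host is a lookalike of a protected domain.

Added example for this article; not npm's code and not the reporter's
tooling. PROTECTED_DOMAINS and SAMPLE_LINKS are assumptions constructed for
the example.
"""
from __future__ import annotations

from urllib.parse import urlparse

# Domains whose lookalikes we want to catch (assumption for the example).
PROTECTED_DOMAINS = ("npmjs.com", "npmjs.org", "github.com")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a single substitution (npmjs -> npnjs) scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Adequate for .com/.org; production
    code should consult the Public Suffix List (e.g. the tldextract package)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host: str) -> tuple[str, str | None]:
    """Return (verdict, protected domain the host relates to).

    'legitimate' - the host is a protected domain or one of its subdomains
    'lookalike'  - its registrable domain is within one edit of a protected
                   domain (npnjs.com), or a protected domain appears as a
                   label inside another registrable domain (npmjs.com.evil.test)
    'unrelated'  - neither
    """
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    for good in PROTECTED_DOMAINS:
        if host == good or host.endswith("." + good):
            return "legitimate", good
    for good in PROTECTED_DOMAINS:
        if levenshtein(reg, good) == 1:
            return "lookalike", good
        if "." + good + "." in "." + host + ".":
            return "lookalike", good
    return "unrelated", None


def triage_links(urls: list[str]) -> list[dict]:
    """Classify the host of every URL in a message."""
    results = []
    for url in urls:
        host = urlparse(url).hostname or ""
        verdict, related = classify_host(host)
        results.append({"url": url, "host": host, "verdict": verdict, "related_to": related})
    return results


def has_mixed_links(results: list[dict]) -> bool:
    """True when legitimate and lookalike hosts appear in the same message,
    the pattern the article describes."""
    verdicts = {r["verdict"] for r in results}
    return {"legitimate", "lookalike"} <= verdicts


# Constructed sample in the shape of the article's email; not its real body.
SAMPLE_LINKS = [
    "https://npnjs.com/login?token=REDACTED",
    "https://www.npmjs.com/support",
    "https://docs.npmjs.com/about-two-factor-authentication",
]

if __name__ == "__main__":
    rows = triage_links(SAMPLE_LINKS)
    for r in rows:
        print(f"{r['verdict']:<11} {r['host']:<24} {r['url']}")
    print("mixed legitimate/lookalike links:", has_mixed_links(rows))
```

The edit-distance threshold of one is deliberately tight so that unrelated domains of similar length are not flagged; widen it only together with a Public Suffix List lookup, otherwise hosts such as npmjs.co.example would be judged on the wrong labels.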

Despite its sophistication, the phishing attempt was automatically flagged as spam by existing filters, due in part to suspicious content patterns and failed authentication checks.

Phishing Infrastructure Uses Cloned Sites

Technical analysis of the email headers revealed several warning signs. The phishing attempt originated from the IP address 45.9.148.108, assigned to the Nice IT Customers Network and commonly associated with malicious campaigns.

This IP has been reported multiple times across several abuse and security tracking platforms, such as AbuseIPDB, VirusTotal, and Criminal IP, for hosting or transmitting malicious content.

The email’s transmission path included a VPS host, shosting-s0-n1.nicevps.net, of a kind often linked to transient, abuse-prone infrastructure.

Further inspection confirmed that the message failed every email authentication check: Sender Policy Framework (SPF), meaning the sending IP is not authorized for the envelope sender’s domain; DomainKeys Identified Mail (DKIM), meaning it carried no valid signature from the claimed domain; and Domain-based Message Authentication, Reporting & Conformance (DMARC), meaning neither result aligned with the From domain. Together these establish that it was not sent from npm’s legitimate email servers.

Additional artifacts, such as a Received hop through a private-network address and a variety of spam-related header flags, contributed to its classification as suspicious; note that hops on private (RFC 1918) addresses are routinely added by the receiving provider’s own mail infrastructure, so on their own they are weak evidence compared with the authentication failures and the originating IP. The incident underscores why npm accounts remain a primary target for cyber attackers.
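The header checks described in this section can be automated with the standard library alone. The following is an added example written for this article, neither the reporter’s tooling nor anything from npm: it parses a raw message, collapses the Authentication-Results header into per-method results, walks the Received chain oldest-first to find the first public originating IP (skipping private hops rather than treating them as evidence), and compares what it finds against the IOCs in the article’s table. RAW_MESSAGE is constructed to reproduce the header pattern the article describes; the sender IP, relay host and internal hop are the article’s IOCs, while every other value, including the spoofed From address and the dates, is a placeholder.

```python
"""Triage the routing and authentication headers of a suspect message.

Added example for this article; not the reporter's tooling and not npm's.
RAW_MESSAGE is constructed: only the IP, relay host and internal hop come
from the article's IOC table, everything else is a placeholder.
"""
from __future__ import annotations

import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# IOCs from the article's table.
KNOWN_BAD_IPS = {"45.9.148.108"}
KNOWN_BAD_HOSTS = {"shosting-s0-n1.nicevps.net"}

RAW_MESSAGE = """\
Return-Path: <bounce@mailer.invalid>
Received: from phl-compute-02.internal (phl-compute-02.internal [10.202.2.42])
    by mx.example.invalid; Mon, 01 Jan 2024 00:00:02 +0000
Received: from shosting-s0-n1.nicevps.net (shosting-s0-n1.nicevps.net [45.9.148.108])
    by mx.example.invalid with ESMTP; Mon, 01 Jan 2024 00:00:00 +0000
Authentication-Results: mx.example.invalid;
    spf=fail (sender IP is 45.9.148.108) smtp.mailfrom=mailer.invalid;
    dkim=fail (no valid signature) header.d=npmjs.com;
    dmarc=fail (p=reject) header.from=npmjs.com
From: npm Support <support@npmjs.com>
To: maintainer@example.invalid
Subject: Verify your npm account
Content-Type: text/plain; charset=utf-8

Please log in here: https://npnjs.com/login?token=REDACTED
"""

AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
IP_IN_BRACKETS_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def auth_results(msg) -> dict[str, str]:
    """Collapse all Authentication-Results headers into {method: result}."""
    found: dict[str, str] = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RESULT_RE.findall(value):
            found.setdefault(method.lower(), result.lower())
    return found


def originating_ip(msg) -> str | None:
    """Received headers are prepended by each relay, so the last one is the
    earliest hop. Return the first public IPv4 literal walking oldest-first;
    private 10/8, 172.16/12 and 192.168/16 hops belong to someone's internal
    mail infrastructure and are skipped."""
    for received in reversed(msg.get_all("Received", [])):
        for ip_text in IP_IN_BRACKETS_RE.findall(received):
            ip = ipaddress.ip_address(ip_text)
            if ip.is_global:
                return str(ip)
    return None


def relay_hosts(msg) -> list[str]:
    """Hostnames named in the 'from <host>' clause of each Received header."""
    hosts = []
    for received in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", received)
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def triage(raw: str) -> dict:
    msg = message_from_string(raw)
    auth = auth_results(msg)
    from_addr = parseaddr(msg.get("From", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    rp_domain = return_path.rsplit("@", 1)[-1].lower() if "@" in return_path else ""
    origin = originating_ip(msg)
    hops = relay_hosts(msg)

    findings = []
    failed = [m for m in ("spf", "dkim", "dmarc") if auth.get(m) == "fail"]
    if failed:
        findings.append("authentication failed: " + ", ".join(failed))
    # Envelope/From mismatch is common for legitimate bulk mail; it only
    # matters in combination with a DMARC failure.
    if from_domain and rp_domain and from_domain != rp_domain and auth.get("dmarc") == "fail":
        findings.append(f"From domain {from_domain} not aligned with envelope domain {rp_domain}")
    if origin in KNOWN_BAD_IPS:
        findings.append(f"originating IP {origin} is a known IOC")
    bad_hops = sorted(set(hops) & KNOWN_BAD_HOSTS)
    if bad_hops:
        findings.append("relay host matches a known IOC: " + ", ".join(bad_hops))

    return {
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        "auth": auth,
        "originating_ip": origin,
        "relay_hosts": hops,
        "findings": findings,
        "verdict": "suspicious" if findings else "no header findings",
    }


if __name__ == "__main__":
    report = triage(RAW_MESSAGE)
    print(report["verdict"], "- originating IP:", report["originating_ip"])
    for finding in report["findings"]:
        print(" *", finding)
```

Run it against a message saved as raw RFC 5322 text (most clients offer “show original” or “view source”); the originating IP it reports is the one to look up on AbuseIPDB or VirusTotal, not the private hop.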

Gaining unauthorized access to a high-value maintainer account enables an adversary to publish malicious packages or updates, putting millions of downstream projects at risk.

As supply chain attacks grow in sophistication, so too does their potential impact on the wider development ecosystem.

According to the report, security experts urge all maintainers to treat unsolicited verification or login requests with suspicion, regularly rotate authentication tokens (the npm CLI lists and revokes them with npm token list and npm token revoke), and enable two-factor authentication (npm profile enable-2fa auth-and-writes) to minimize risk.

Although this phishing attempt was intercepted before reaching the intended inbox, it serves as a stark reminder of the advanced tactics now employed by attackers.

Developers are advised to remain vigilant, report suspicious incidents, and continually fortify their security postures to guard against these evolving threats.

Indicators of Compromise (IOCs)

| Type | Indicator | Description |
|---|---|---|
| Domain & URL | npnjs.com | Typosquatted, cloned npm phishing site |
| URL | https://npnjs.com/login?token=<redacted> | Tokenized URL for tracking/phishing |
| Email Artifact | Spoofed From: [email protected] | Sender address being spoofed |
| Auth Failures | SPF, DKIM, DMARC: Failed | Email authentication checks unsuccessful |
| Header | phl-compute-02.internal [10.202.2.42] | Unusual private-network hop |
| Sender IP | 45.9.148.108 | Originating from Nice IT Customers Network |
| VPS Host | shosting-s0-n1.nicevps.net | Associated with VPS provider used for spam |
| Abuse Reports | 27 reports (AbuseIPDB, VirusTotal, Criminal IP) | IP flagged for malicious use |

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
