• HubertManne@piefed.social (↑10 · 19 days ago)

    holy crap:

    On July 19, 2025, the package’s primary maintainer, John Harband, announced that versions 3.3.1 through 5.0.0 contained malware and were removed roughly 6 hours after threat actors submitted them to npm.

  • SayCyberOnceMore@feddit.uk (↑4 · 19 days ago)

    So, is that just a ‘developer’ component, or have I got to analyse all my systems now for the NPM components in the article’s list?

    • freewheel@sh.itjust.works (↑2 · edited · 15 days ago)

      Little late to the party here, and I’m not primarily a js dev, but… yes. It looks like it’s one of those syntactic sugar kind of packages that devs love to use. The bonus here is you can probably use a find-grep kind of process to check package-lock.json for references to the package. (there might be an npm command, but like I say - not a js dev.)

      For example:

      $ grep \"is\"\: package-lock.json
              "is": "^3.3.0",
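One caveat on the grep above: a line like `"is": "^3.3.0"` in package-lock.json is a declared range from some dependency's manifest, not the version that was actually installed; the resolved version lives in the `"version"` field of the `node_modules/.../is` entry, and a project can carry several nested copies at different versions. (`npm ls is` also prints the resolved tree.) The script below is an added example, not code from the thread or from the "is" project: it parses a lockfile in either the v1 `dependencies` tree layout or the v2/v3 `packages` map layout and reports every resolved copy of `is` whose version falls in the 3.3.1 through 5.0.0 range named in the article. The embedded sample lockfile is constructed for the demo; the semver helper deliberately ignores prerelease tags, so a `5.0.0-rc.1` is treated as 5.0.0 and flagged rather than silently skipped.

```javascript
// Added example (not from the thread or the "is" project): scan an npm
// lockfile for resolved copies of "is" inside the range the article names
// as malicious (3.3.1 through 5.0.0, inclusive). Handles lockfileVersion 1
// ("dependencies" tree) and lockfileVersion 2/3 ("packages" map).

// Minimal semver parser: "major.minor.patch" with optional -pre/+build.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Inclusive range check. Prerelease tags are ignored on purpose: this is a
// conservative scan, so "5.0.0-rc.1" counts as 5.0.0 and gets flagged.
function inRange(version, lo, hi) {
  const v = parseSemver(version);
  if (!v) return false;
  return compareSemver(v, parseSemver(lo)) >= 0 && compareSemver(v, parseSemver(hi)) <= 0;
}

// Collect every resolved location of `pkgName` as { path, version }.
function resolvedVersions(lock, pkgName) {
  const hits = [];
  if (lock.packages && typeof lock.packages === "object") {
    // lockfileVersion 2/3: keys are install paths such as
    // "node_modules/some-lib/node_modules/is"; the root entry "" is skipped.
    for (const [path, entry] of Object.entries(lock.packages)) {
      const isTarget = path === `node_modules/${pkgName}` || path.endsWith(`/node_modules/${pkgName}`);
      if (isTarget && entry && entry.version) hits.push({ path, version: entry.version });
    }
  }
  if (lock.dependencies && typeof lock.dependencies === "object") {
    // lockfileVersion 1 (and the legacy tree kept in v2): nested
    // "dependencies" objects, each node carrying its resolved "version".
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === pkgName && entry && entry.version) hits.push({ path, version: entry.version });
        if (entry && entry.dependencies) walk(entry.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  // A v2 lockfile lists the same install in both sections; de-duplicate.
  const seen = new Set();
  return hits.filter((h) => {
    const key = `${h.path}@${h.version}`;
    if (seen.has(key)) return false;
    seen.add(key);
    return true;
  });
}

// Parse lockfile text and return the copies whose version is in [lo, hi].
function findCompromised(lockJson, pkgName = "is", lo = "3.3.1", hi = "5.0.0") {
  const lock = JSON.parse(lockJson);
  return resolvedVersions(lock, pkgName).filter((h) => inRange(h.version, lo, hi));
}

// Constructed sample (v3 layout): a top-level "is" at a safe version plus a
// nested copy pulled in by a dependency at a flagged version. The "is-not"
// entry checks that name matching does not fire on prefixes.
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "some-lib": "^1.0.0", "is": "^3.3.0" } },
    "node_modules/is": { version: "3.3.0", resolved: "https://registry.npmjs.org/is/-/is-3.3.0.tgz" },
    "node_modules/some-lib": { version: "1.2.0", dependencies: { "is": "^3.3.1" } },
    "node_modules/some-lib/node_modules/is": { version: "3.3.1", resolved: "https://registry.npmjs.org/is/-/is-3.3.1.tgz" },
    "node_modules/is-not": { version: "5.0.0" }
  }
});

// Usage: node scan-lock.js [path/to/package-lock.json]; with no argument the
// constructed sample above is scanned instead.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const file = process.argv[2];
  const text = file ? fs.readFileSync(file, "utf8") : SAMPLE_LOCK;
  const hits = findCompromised(text);
  for (const h of hits) console.log(`FLAGGED ${h.path} version ${h.version}`);
  if (hits.length === 0) console.log('no resolved copy of "is" in 3.3.1..5.0.0');
}
```

Run against the sample, only the nested `node_modules/some-lib/node_modules/is` at 3.3.1 is reported; the top-level 3.3.0 copy is outside the range even though the grep-style match on `"is": "^3.3.0"` would have pointed at it. Repeat the scan on every checked-out repository and build image that ships a lockfile, not just developer workstations, since a CI or container build that ran `npm install` during the roughly six-hour window could have resolved one of the removed versions.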