npm Phishing Email Targets Developers with Typosquatted Domain

One of our engineers recently encountered a phishing email that attempted to impersonate npm, the Node.js package registry. The email spoofed the support@npmjs.org address and contained a link to npnjs.com (note the "n" instead of "m"). This domain is a full copy or proxy of the npm website, a sophisticated typosquatting attack aimed at stealing developer credentials.

The phishing email urged the recipient to “log in here” via a link like:
https://npnjs.com/login?token=xxxxxx (token redacted).

Attackers often use tokens to track who clicked the link or to pre-fill victim data on the phishing site. It could also be used to generate a fake “session” to mimic npm’s login flow. The tokenized URL hints at semi-targeted efforts, potentially focusing on active package maintainers with significant reach. In this case, the targeted user is the maintainer of packages totaling 34 million weekly downloads.

Interestingly, the support links within the email pointed to the legitimate npmjs.com, adding credibility to the attack.

The email was flagged as spam and never reached the primary inbox. We have reported this incident to the npm security team.

Technical Findings

The raw email headers and security scans revealed multiple red flags:

• Spam Classification: The email was automatically flagged and routed to the spam folder due to suspicious content and failed security checks.
• IP Address: The email originated from 45.9.148.108 (hosted by Nice IT Customers Network). This IP has been reported 27 times on AbuseIPDB and is flagged by Criminal IP and VirusTotal.
• VPS Hosting: The phishing email was sent via shosting-s0-n1.nicevps.net, a VPS host frequently used for malicious campaigns.
• Authentication Failures: SPF, DKIM, and DMARC checks all failed, confirming the email did not originate from npm's servers.

Why npm Accounts Are Targets#

npm accounts have become high-value targets for attackers. Compromising a single account can enable adversaries to publish malicious packages, potentially infecting millions of downstream projects.

Maintainers should be skeptical of verification requests. npm rarely asks for email verification unless you’ve initiated the action. Protect your account with two-factor authentication, and use scoped tokens instead of passwords for publishing packages.

The phishing email was caught by spam filters, but it shows how sophisticated and convincing some of these supply chain attacks are becoming. If there’s any suspicion of credential theft, rotate npm access tokens immediately. We reported the incident to npm to help prevent similar attacks against developers in the future.

Indicators of Compromise (IoCs):#

Our analysis of the phishing email and infrastructure uncovered the following IOCs:

Domain & URL

• Phishing Domain: npnjs.com
  • Typosquatted version of npmjs.com.
  • Hosts a fully cloned version of npm, including a fake login page at:
    https://npnjs.com/login?token=<redacted>
  • Observed use of unique tokens in the URL for tracking or targeted attacks.

Email Artifacts

• Spoofed From: support@npmjs.org
• Authentication: SPF, DKIM, and DMARC all failed.
• Headers: Contained unusual private-network hops like phl-compute-02.internal [10.202.2.42].
• Spam Detection: The email was flagged as spam due to multiple triggers (e.g., SPF_NONE, RDNS_NONE, and VFY_ACCT_NORDNS).

IP & Hosting

• Sender IP: 45.9.148.108
  • Host: shosting-s0-n1.nicevps.net (Nice IT Customers Network).
  • Abuse Reports: 27 reports on AbuseIPDB.
  • Security Flags: Listed as malicious on VirusTotal and Criminal IP.

Notable Characteristics

• Legitimate Links as Decoys: Some links (e.g., support links) pointed to real npmjs.com resources to enhance credibility.
• Proxy Behavior: Likely proxying real npm content while harvesting login credentials.
• Timing: Email delivered in the evening (Jul 17, 2025, 18:48 EDT) — typical timing for phishing campaigns targeting off-hours responses.