Supply Chain Phishing Campaign Drops More Malware Into NPM: got-fetch 5.1 - Checkmarx

Supply Chain Phishing Campaign Drops More Malware Into NPM: got-fetch 5.1


July 21, 2025

 

We discovered and reported new malware in the NPM package got-fetch (versions 5.1.11 and 5.1.12), which appears connected to a recently uncovered phishing campaign targeting NPM developers. The malicious versions have been removed by the maintainer with the assistance of NPM, but they may already have been deployed and can continue to be cached in organizations' internal package repositories. The got-fetch package has over 50,000 downloads per week and was created to wrap fetch-compatible promises around the got HTTP request library. It is now deprecated in favor of Node.js’ built-in fetch, but is still in use within a large number of projects.

  • Malware infected got-fetch versions 5.1.12 and 5.1.11 — these versions have now been marked unsafe in NPM by the maintainer
    • The maintainer was compromised by a now-public phishing campaign targeting NPM package maintainers
  • The maintainer requested that NPM mark the entire got-fetch package as deprecated, and NPM has done so
  • To repair:
    • Migrate from got-fetch to Node.js built-in fetch functionality, OR upgrade got-fetch to at least 6.0.0 or downgrade got-fetch to 5.1.10 (NOTE: there may be other issues or vulnerabilities associated with these versions; assess accordingly)
    • Identify and remove any deployed applications or containers that contain the compromised got-fetch versions
    • Identify any cached copies of the compromised got-fetch versions from internal package managers or manager caches, code repos which may “vendor in” the dependencies, etc.
    • Ensure your endpoint detection software is aware of and can effectively quarantine the included malware: a crashreporter.dll file whose hash matches the “Pycoon” information stealer; it appears to target Windows systems
  • This same phishing campaign compromised additional NPM packages with other kinds of malware. Affected packages as of this writing:
    • eslint-config-prettier: 8.10.1, 9.1.1, 10.1.6, 10.1.7
    • eslint-plugin-prettier: 4.2.2, 4.2.3
    • synckit: 0.11.9
    • @pkgr/core: 0.2.8
    • napi-postinstall: 0.3.1

Responding to Malicious got-fetch Versions

Application Security (AppSec) teams should coordinate with developer and operations teams to identify vulnerable applications. Your SCA (Software Composition Analysis) tool and/or associated Software Bills of Materials (SBOMs) should be able to identify applications which reference got-fetch@5.1.11 or got-fetch@5.1.12 from your first-party applications. Leverage container scanning tools to identify deployable containers which may be impacted, and reach out to vendors of commercial applications and SaaS solutions that use Node.js to determine if they are impacted.


Where such tools are not available to you, you can additionally examine manifests (like package.json) and lockfiles (such as package-lock.json) by hand in your source code repositories. Entries such as this in package.json:

"got-fetch": "5.1.12",

Or the following in package-lock.json:

"got-fetch": {
  "version": "5.1.11",

are indicators that you may be impacted. Be aware that package.json commonly specifies version ranges rather than exact versions; range strings like “~5.1.0” or “^5.1.10” can resolve to the malicious package versions. If an application was built or deployed with a matching specification, it may be impacted in production.
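The manual check described above, and the SCA/SBOM lookup from the earlier section, can be scripted. The following is an added example (not code from the Checkmarx post or from the got-fetch project): it flags got-fetch 5.1.11 and 5.1.12 in a package.json (including caret, tilde, comparator, hyphen and OR ranges that could resolve to those versions), in package-lock.json for both lockfileVersion 1 and 2/3 layouts, and in a CycloneDX JSON SBOM. The sample documents at the bottom are constructed for the demonstration; the range matcher is a simplified reimplementation of npm semver semantics that treats any form it cannot parse as a possible match, so it errs toward flagging.

```python
import json
import re

# Package and versions named in the advisory.
PACKAGE = "got-fetch"
BAD_VERSIONS = {"5.1.11", "5.1.12"}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?")


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple; None if not a full semver string."""
    m = _VERSION_RE.fullmatch(text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def _comparator_allows(token, ver):
    """One space-separated token of an npm range: '*', exact, ~, ^, or a >=/<=/>/</= comparator."""
    if token in ("", "*", "x", "latest"):
        return True
    if token[0] in "~^":
        base = parse_version(token[1:])
        if base is None:                      # e.g. '~5.1' or '^5': treat as possibly matching
            return True
        if token[0] == "~":                   # ~5.1.0 -> >=5.1.0 <5.2.0
            upper = (base[0], base[1] + 1, 0)
        elif base[0] > 0:                     # ^5.1.10 -> >=5.1.10 <6.0.0
            upper = (base[0] + 1, 0, 0)
        elif base[1] > 0:                     # ^0.2.7 -> >=0.2.7 <0.3.0
            upper = (0, base[1] + 1, 0)
        else:                                 # ^0.0.3 -> exactly 0.0.3
            upper = (0, 0, base[2] + 1)
        return base <= ver < upper
    m = re.fullmatch(r"(>=|<=|>|<|=)?(.*)", token)
    op, base = m.group(1) or "=", parse_version(m.group(2))
    if base is None:                          # git URLs, dist-tags, partial versions: assume it could match
        return True
    return {"=": ver == base, ">": ver > base, ">=": ver >= base,
            "<": ver < base, "<=": ver <= base}[op]


def _alternative_allows(alt, ver):
    if " - " in alt:                          # hyphen range: '5.0.0 - 5.1.10'
        lo, hi = (parse_version(p) for p in alt.split(" - ", 1))
        return True if lo is None or hi is None else lo <= ver <= hi
    return all(_comparator_allows(tok, ver) for tok in alt.split())


def range_allows(spec, version):
    """True if the npm range `spec` could resolve to `version` (OR alternatives joined by '||')."""
    ver = parse_version(version)
    return any(_alternative_allows(alt, ver) for alt in spec.split("||"))


def check_package_json(manifest):
    """Return (section, spec) pairs whose range could install a malicious version."""
    hits = []
    for section in ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies"):
        spec = manifest.get(section, {}).get(PACKAGE)
        if spec is not None and any(range_allows(spec, bad) for bad in BAD_VERSIONS):
            hits.append((section, spec))
    return hits


def check_package_lock(lock):
    """Return (path, version) pairs pinned to a malicious version. Handles lockfileVersion 1
    (nested 'dependencies' tree) and 2/3 ('packages' keyed by node_modules path)."""
    hits = set()

    def walk_v1(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}/{name}" if prefix else name
            if name == PACKAGE and meta.get("version") in BAD_VERSIONS:
                hits.add((path, meta["version"]))
            walk_v1(meta.get("dependencies", {}), path)

    walk_v1(lock.get("dependencies", {}), "")
    for path, meta in lock.get("packages", {}).items():
        if path.endswith("node_modules/" + PACKAGE) and meta.get("version") in BAD_VERSIONS:
            hits.add((path, meta["version"]))
    return sorted(hits)


def check_cyclonedx(sbom):
    """Return (purl-or-name, version) pairs for malicious components in a CycloneDX JSON SBOM."""
    return [(c.get("purl") or c.get("name"), c["version"])
            for c in sbom.get("components", [])
            if c.get("name") == PACKAGE and c.get("version") in BAD_VERSIONS]


def scan_sources(manifest_text=None, lock_text=None, sbom_text=None):
    """Scan whichever JSON documents are supplied (as text) and return findings per source."""
    return {
        "package.json": check_package_json(json.loads(manifest_text)) if manifest_text else [],
        "package-lock.json": check_package_lock(json.loads(lock_text)) if lock_text else [],
        "sbom": check_cyclonedx(json.loads(sbom_text)) if sbom_text else [],
    }


# Constructed sample inputs for the demonstration; not real project files.
SAMPLE_MANIFEST = """{"name": "example-app",
  "dependencies": {"got-fetch": "^5.1.10", "got": "^11.8.0"},
  "devDependencies": {"eslint-config-prettier": "9.1.0"}}"""
SAMPLE_LOCK_V3 = """{"name": "example-app", "lockfileVersion": 3,
  "packages": {"": {"name": "example-app"},
               "node_modules/got-fetch": {"version": "5.1.12"},
               "node_modules/got": {"version": "11.8.6"}}}"""
SAMPLE_LOCK_V1 = """{"name": "example-app", "lockfileVersion": 1,
  "dependencies": {"some-lib": {"version": "1.0.0",
                   "dependencies": {"got-fetch": {"version": "5.1.11"}}}}}"""
SAMPLE_SBOM = """{"bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [{"type": "library", "name": "got-fetch", "version": "5.1.12",
                  "purl": "pkg:npm/got-fetch@5.1.12"}]}"""

if __name__ == "__main__":
    for source, hits in scan_sources(SAMPLE_MANIFEST, SAMPLE_LOCK_V3, SAMPLE_SBOM).items():
        print(f"{source}: {hits or 'clean'}")
    print("lockfile v1:", scan_sources(lock_text=SAMPLE_LOCK_V1)["package-lock.json"])
```

A package.json hit means a fresh install without a lockfile could pull the malicious version; a lockfile or SBOM hit means a build or deployed artifact already did, which is the case that needs the impact assessment described below. The v1 walker recurses because older lockfiles nest transitive dependencies, so got-fetch pulled in by another library would otherwise be missed.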

Once identified, repair the impacted applications:

  • Migrate from got-fetch to Node.js built in fetch functionality, where possible. This is the preferred course of action, but may require significant developer resources depending on how got-fetch is being used
  • Upgrade got-fetch to at least 6.0.0 or downgrade got-fetch to 5.1.10 (NOTE: there may be other issues or vulnerabilities associated with these versions; assess accordingly) where migrating to native fetch is not feasible.
  • Remove any deployed applications or containers that contain the compromised got-fetch versions; as long as these remain in production, they pose risk to your organization. Perform an impact assessment to determine if the malware leaked information or otherwise created a breach that requires further response from your organization
  • Identify any cached copies of the compromised got-fetch versions in internal package managers or manager caches, code repos which may “vendor in” the dependencies, etc. If you use systems like Artifactory to cache NPM packages—an excellent pattern to follow—the malicious versions of got-fetch may still be installable from those servers. Remove them and ensure that they are blocked from being re-added.
  • Ensure your endpoint detection software is aware of and can effectively quarantine the included malware: a crashreporter.dll file whose hash matches the “Pycoon” information stealer; it appears to target Windows systems

How We Found Malware In got-fetch

Checkmarx Zero monitors NPM continuously, looking for potential malicious and vulnerable content. Our scanners alerted us to the potential malware in got-fetch, and our team performed expert analysis to confirm and expand the finding.

We identified the Pycoon malware based on the presence of a version of crashreporter.dll known to be malicious, and verified the existence of malicious activity in a sandboxed laboratory environment.

We reached out to the maintainer (@alexghr on GitHub) immediately and discussed our findings via LinkedIn. We want to thank Alex for responding quickly and effectively — confirming our finding, rotating their credentials, investigating the root cause, and taking action to remove the affected versions from NPM. Alex was able to identify a new access token created with the compromised credentials and took action to revoke all existing access.

The now-deprecated got-fetch package page on NPM

The maintainer confirmed that they had received and interacted with a phishing email referencing the known-malicious lookalike domain npnjs[.]com associated with a recent campaign. The overall format and attack pattern matches the campaign that also affected the eslint-config-prettier package maintainer. We verified that this domain still appears active and is behind Cloudflare.

Recent history of IP addresses for npnjs[.]com, a phishing-associated domain

The associated phishing campaign appears to be ongoing, with other NPM maintainers posting on social media about receiving similar emails and advising caution.

Lessons For Security Teams

This malware campaign is a reminder of the importance of having a strategy for rapid response and active defense against malicious packages in your supply chain. It’s also a reminder that modern phishing campaigns are sophisticated, and that even attentive and highly-aware individuals can be tired or in a hurry or otherwise get tricked — it only takes a few package maintainers to make a mistake for a supply-chain phishing campaign to gain return on the adversary’s investment.

The software industry relies heavily on security research to identify and report malicious packages, and on often-unpaid open-source developers to respond quickly and effectively to those reports. We are all fortunate that the maintainers whose accounts were compromised were transparent and responsive: this helps keep everyone safe and limits the impact of a successful supply-chain attack.

Malware campaigns that compromise legitimate software packages are also a reminder for AppSec professionals and leaders that AppSec can’t afford to operate in a silo. Relationships with development teams are essential for facilitating rapid response and remediation. And relationships with operations and other security teams are key to ensuring that there is defense in depth that can limit the damage from supply-chain attacks. Proper endpoint and network security controls can significantly limit the damage caused by known malware tools like the information stealer inserted into got-fetch, and those with behavioral components can even limit damage from unknown malware.
