Hackers have compromised several popular npm packages, such as eslint-config-prettier and eslint-plugin-prettier, by obtaining maintainer credentials through a sophisticated phishing effort.
This is part of a major increase in supply chain risks that target the software development ecosystem.
The breach, which unfolded in the wake of security researchers reporting on a phishing scheme leveraging a typosquatted domain (npnjs.com), has sent shockwaves through the open-source JavaScript community and exposed major vulnerabilities in package distribution workflows.
Malicious Releases of eslint-config-prettier
The incident first came to light after community members noticed four unexpected new versions of eslint-config-prettier had been published to the npm registry without corresponding commits or pull requests in the project’s GitHub repository.
Rapid investigation by maintainers revealed these versions had been injected with malicious code, specifically targeting Windows environments.
The payload attempted to execute a DLL file (node-gyp.dll) using rundll32.exe, creating a potential vector for remote code execution and further compromise of developer machines and CI/CD infrastructure.
Beyond eslint-config-prettier (versions 8.10.1, 9.1.1, 10.1.6, 10.1.7), additional malicious package versions were published, including eslint-plugin-prettier (4.2.2, 4.2.3), synckit (0.11.9), @pkgr/core (0.2.8), and napi-postinstall (0.3.1).
These efforts demonstrate a multi-pronged approach by attackers, maximizing their reach across projects that rely on automated tooling for code linting and formatting.
The root of the compromise traces back to a compromised npm token, obtained when a maintainer unwittingly entered their credentials on the fake npnjs.com site.
With the token in hand, attackers bypassed usual code review workflows and deployed malicious versions directly to the npm registry, evading detection since the GitHub source code remained untouched.
The ease of harvesting maintainer email addresses and metadata from public npm registries further enabled attackers to build highly targeted, convincing phishing operations.

Phishing Campaign Exploits Supply Chain
The implications for both individual developers and organizations are significant. Prettier and ESLint integrations are foundational dependencies for countless projects, and tools like Dependabot and Renovate automatically surface the newest package versions for inclusion in build pipelines.
As a result, projects that ran CI/CD workflows or installed dependencies during the affected window risked inadvertently deploying malware.
In the immediate aftermath, the affected maintainer responded quickly by revoking the compromised npm token, marking rogue package versions as deprecated to prevent further automated installations, and coordinating with npm support to purge the malicious artifacts.
These efforts helped limit the scope of the incident, but the episode nonetheless highlights profound risks in software supply chains and dependency management.
Security experts and organizations such as Socket have warned that this form of multi-stage attack, combining credential phishing, package impersonation, and malicious publishing, could become more common.
The ease of scraping maintainer email addresses and metadata from npm, together with the widespread reliance on automation to retrieve “latest” package versions, leaves an enormous attack surface open to exploitation.
Developers are now urged to scrutinize their lockfiles for the compromised versions, revert to previously safe releases (e.g., eslint-config-prettier 10.1.5 or earlier), and thoroughly audit recent dependency installations.
Additional best practices include deleting node_modules, clearing npm caches, enabling two-factor authentication on npm accounts, and configuring pipelines to pin exact dependency versions rather than rely on floating “latest” tags.
This incident underscores the escalating arms race between threat actors and the security measures employed within the developer ecosystem.
As more incidents come to light, the urgency of comprehensive supply chain security becomes ever clearer, with real-time dependency scanning and rigorous credential hygiene now essential to defend against ecosystem-wide compromise.