eslint-config-prettier phishing shipped malware
Part of the npnjs.com phishing backdoored npm packages campaign
A phishing campaign targeting npm maintainers through the typosquatted npnjs.com domain compromised eslint-config-prettier.
Story
On July 18, 2025, four unauthorized releases of eslint-config-prettier, a JavaScript tooling package with more than five million weekly downloads, appeared on npm without any corresponding commit in the project's GitHub repository. The releases were the first visible damage from a phishing campaign that lured npm maintainers to a typosquat domain at npnjs.com, and they put a Windows-targeted install-time loader in front of a large fraction of the JavaScript ecosystem.
eslint-config-prettier is a small shared configuration that turns off ESLint rules conflicting with the Prettier code formatter, and it ships as a transitive dependency of countless front-end projects. Researchers at Socket and StepSecurity tied the compromise to credentials harvested through npnjs.com, a deliberate misreading of npmjs.com used in phishing emails sent to maintainers of widely used packages.
The malicious versions, 8.10.1, 9.1.1, 10.1.6, and 10.1.7, were published from the maintainer's account without a matching source commit. That gap between registry and repository, StepSecurity said, was the clearest indicator of compromise. The package contained an install.js script that ran on Windows during dependency installation and used rundll32 to invoke a bundled node-gyp.dll, giving the attacker code execution on developer workstations and CI runners before any runtime review of the package took place.
The maintainer revoked the compromised token, rotated credentials, deprecated the four malicious releases, and coordinated removal with npm. The incident was assigned CVE-2025-54313. Socket subsequently tracked the same phishing campaign hitting the is package and other maintainer accounts; the cross-package wave is covered separately under [[npnjs-scam-npm-2025]].
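A defender-side check for the two signals this record highlights, releases on the registry with no matching tag or commit in the repository and packages that register install-time hooks, as an added example that is not part of this record or of the eslint-config-prettier project. It assumes the caller has already fetched the package's registry version metadata (the `versions` map, each entry carrying `gitHead` and `scripts`) and the repository's tag names and commit ids; the sample data is constructed and is not the real package's metadata.

```javascript
// Added example: flag npm releases that lack a matching git tag or commit
// and releases that register install-time lifecycle hooks.
// Sample inputs below are constructed for illustration.

const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// packumentVersions: { "<version>": { gitHead?: string, scripts?: object } }
// repo: { tags: Set<string>, commits: Set<string> } fetched from the source repository
function auditVersions(packumentVersions, repo) {
  const findings = [];
  for (const [version, meta] of Object.entries(packumentVersions)) {
    const reasons = [];
    // A legitimate release is normally cut from a tagged commit; accept either
    // a tag named "v<version>"/"<version>" or a gitHead that exists in the repo.
    const hasTag = repo.tags.has(`v${version}`) || repo.tags.has(version);
    const hasCommit = meta.gitHead !== undefined && repo.commits.has(meta.gitHead);
    if (!hasTag && !hasCommit) reasons.push("no matching git tag or commit");
    // Install-time hooks run before any runtime review of the package.
    const hooks = INSTALL_HOOKS.filter((h) => meta.scripts && meta.scripts[h]);
    if (hooks.length > 0) reasons.push(`install-time hook(s): ${hooks.join(", ")}`);
    if (reasons.length > 0) findings.push({ version, reasons });
  }
  return findings;
}

// Constructed sample: one release tagged in the repo, one that exists only on
// the registry and declares an install script (the pattern described above).
const sampleVersions = {
  "10.1.5": { gitHead: "aaa111", scripts: { test: "node test.js" } },
  "10.1.7": { gitHead: "zzz999", scripts: { install: "node install.js", test: "node test.js" } },
};
const sampleRepo = { tags: new Set(["v10.1.5"]), commits: new Set(["aaa111"]) };

console.log(JSON.stringify(auditVersions(sampleVersions, sampleRepo), null, 2));
```

In practice the registry metadata comes from the package's packument and the tag and commit sets from the repository named in its `repository` field; a version flagged on both counts is the case to treat as a probable compromise until the maintainer confirms it.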
Affected Artifacts
- Observed: 2025-07-18 to 2025-07-19
- Fixed: Not listed
Incident Context
- Motive: Remote Code Execution
- Attribution: Group
- Cause: Social Engineering
- Transitive: Yes
- Actor: Third Party
- User Impact: 5000000
External References
- eslint-config-prettier package shows signs of compromise (stepsecurity.io)
- Suspicious npm releases for eslint-config-prettier (github.com)
- CVE-2025-54313 Detail (nvd.nist.gov)
- npm phishing campaign leads to Prettier tooling packages compromise (socket.dev)
- npm is package hijacked in expanding supply chain attack (socket.dev)
Source record: oss/attacks/eslint-config-prettier/meta.yaml