eslint-config-prettier

Incident Summary

npm Phishing Campaign Targets Prettier Tooling

A phishing campaign targeting npm maintainers through the typosquatted npnjs.com domain compromised eslint-config-prettier. The attacker added a malicious npm token to maintainer JounQin's account and published eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 directly to npm without matching GitHub source changes. The malicious package executed install.js during installation and, on Windows hosts, launched bundled node-gyp.dll with rundll32. NVD assigned CVE-2025-54313 to the eslint-config-prettier compromise. Related packages from the same campaign are tracked separately in their own records.

Date: 2025-07-18 to 2025-07-19
Category: Open Source
Target Surface: Package registry
Insertion Phase: distribution
Impact: Code Execution
Cause: Social Engineering

What Was Affected

Package eslint-config-prettier

LanguageJavaScript

ComponentLibrary

Artifact typesource archive

Domain typepackage host

Domain npmjs.com

Repository github.com/prettier/eslint-config-prettier

Compromised Versions

Incident Context

Motive: Remote Code Execution
Attribution: Third Party
Transitive: Yes
User Impact: 5000000
Observed Duration: 1 days

eslint-config-prettier

npm Phishing Campaign Targets Prettier Tooling

What Was Affected

Compromised Versions

Incident Context

Evidence

Current Artifacts and Analysis

External References

Source Data