Open Source 2025-07-18 · 1 day · Code Execution

eslint-plugin-prettier phishing shipped malware

Part of the npnjs.com phishing backdoored npm packages campaign

The same npnjs.com npm maintainer phishing campaign that compromised eslint-config-prettier also compromised eslint-plugin-prettier.

Story

On July 18, 2025, attackers used a phished npm publishing token belonging to the maintainer JounQin to push two malicious versions of eslint-plugin-prettier, a popular bridge between the Prettier code formatter and the ESLint linter that pulls millions of weekly downloads across the JavaScript ecosystem.

The poisoned releases, 4.2.2 and 4.2.3, were published only to the npm registry. No matching commits, pull requests, or tags appeared in the project's GitHub repository, a telltale that researchers at StepSecurity and Socket used to confirm the publishing pipeline had been hijacked rather than the source tree.

JounQin later said he had been tricked by a phishing email pointing at npnjs.com, a typosquat of the legitimate npm domain that harvested his credentials and let an attacker add a fresh publishing token to his account. The same token was used the same day to ship malicious versions of several other packages JounQin maintains, including eslint-config-prettier, synckit, @pkgr/core, and napi-postinstall.

Socket described the payload as a Windows-only loader. On install, the package checked the platform and, on Windows, spawned rundll32 against a bundled node-gyp.dll, a name chosen to blend in with the legitimate node-gyp build tool. The DLL was later cataloged as part of the Scavenger infostealer family and tracked as CVE-2025-54313.

JounQin revoked the leaked token, deprecated the malicious versions, and worked with npm support to remove them. Downstream consumers who installed during the window were advised to treat any credentials reachable from the affected machine, including npm tokens, browser secrets, and SSH keys, as compromised.
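The registry-versus-repository mismatch described above is a check a consumer can automate. The following is an added example, not code from the advisory or from the eslint-plugin-prettier project; the registry version list, git tag list and lockfile fragment are constructed inline so it runs offline, and the `assess` helper and its result fields are hypothetical names chosen here.

```javascript
// Added example (not the advisory's or the project's code): flag registry versions
// with no matching git tag, the signal StepSecurity and Socket used to conclude the
// publishing pipeline, not the source tree, was hijacked. Inputs are constructed so it
// runs offline; in practice use `npm view <pkg> versions --json` and `git ls-remote --tags`.

// Constructed: versions the registry lists for the package.
const registryVersions = ["4.2.0", "4.2.1", "4.2.2", "4.2.3"];
// Constructed: refs as printed by `git ls-remote --tags`, including a peeled entry.
const gitTags = ["refs/tags/v4.2.0", "refs/tags/v4.2.1", "refs/tags/v4.2.1^{}"];
// Versions the advisory names as malicious.
const KNOWN_BAD = new Set(["4.2.2", "4.2.3"]);

// "refs/tags/v4.2.1^{}" -> "4.2.1": strip refs prefix, peeled marker and leading v.
function tagToVersion(ref) {
  return ref.replace(/^refs\/tags\//, "").replace(/\^\{\}$/, "").replace(/^v/, "");
}

// Registry versions with no corresponding tag in the repository.
function untaggedVersions(versions, tags) {
  const tagged = new Set(tags.map(tagToVersion));
  return versions.filter((v) => !tagged.has(v));
}

// Constructed: package-lock.json (lockfileVersion 3) fragment from a consumer project.
const lockfile = {
  packages: {
    "node_modules/eslint-plugin-prettier": { version: "4.2.3" },
    "node_modules/prettier": { version: "3.3.3" },
  },
};

function lockedVersion(lock, pkg) {
  const entry = lock.packages && lock.packages[`node_modules/${pkg}`];
  return entry ? entry.version : null;
}

// Combine both checks for the version a consumer actually has pinned.
function assess(lock, pkg, versions, tags) {
  const installed = lockedVersion(lock, pkg);
  const untagged = untaggedVersions(versions, tags);
  return {
    installed,
    untagged,
    installedIsUntagged: installed !== null && untagged.includes(installed),
    installedIsKnownBad: installed !== null && KNOWN_BAD.has(installed),
  };
}

console.log(JSON.stringify(assess(lockfile, "eslint-plugin-prettier", registryVersions, gitTags)));
```

An untagged version is a signal to investigate, not proof of compromise: some projects legitimately publish without tagging, so compare against the project's normal release habits before acting.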

Affected Artifacts

Incident Context

Motive: Remote Code Execution
Attribution: Group
Cause: Social Engineering
Transitive: Yes
Actor: Third Party

External References

Source record: oss/attacks/eslint-plugin-prettier/meta.yaml