Active Supply Chain Attack: npm Phishing Campaign Leads to Prettier Tooling Packages Compromise

Popular npm packages like eslint-config-prettier were compromised after a phishing attack stole a maintainer’s token, spreading malicious updates.

Sarah Gooding

July 19, 2025

Hours after we reported on the npm phishing campaign using the typosquatted npnjs.com site, we’re now seeing the first major fallout: popular npm packages, including eslint-config-prettier and eslint-plugin-prettier, were compromised when a maintainer’s npm token was stolen via the phishing email.

A suspicious activity report filed as a GitHub issue on the eslint-config-prettier repo revealed that four new versions of eslint-config-prettier had been published to npm with no corresponding commits or PRs on GitHub. Maintainers quickly discovered that the new versions contained malicious code, including a Windows-specific payload attempting to load node-gyp.dll via rundll32.

Malicious releases included:

  • eslint-config-prettier: 8.10.1, 9.1.1, 10.1.6, 10.1.7
  • eslint-plugin-prettier: 4.2.2, 4.2.3
  • synckit: 0.11.9
  • @pkgr/core: 0.2.8
  • napi-postinstall: 0.3.1

The injected code attempted to execute a DLL on Windows machines, potentially allowing remote code execution.

Maintainer Credentials Compromised Via Phishing Email

The maintainer confirmed their npm token was compromised via the npnjs.com phishing email. The attackers used the stolen credentials to publish malicious versions of multiple packages without touching the GitHub repos, making the attack harder to spot.

Registration emails and maintainer metadata are easily accessible in npm’s package info, which threat actors scrape to build target lists of package maintainers.

Prettier and ESLint integrations are widely used in thousands of projects. Tools like Dependabot and Renovate automatically pick up the “latest” versions of packages, meaning that CI/CD pipelines and developers could have unknowingly installed compromised versions.

The affected maintainer was quick to respond and took the following actions:

  • Revoked the compromised npm token and rotated credentials.
  • Marked the malicious versions as deprecated so automated tools would not suggest them.
  • Coordinated with npm support to remove the malicious versions.

What Developers Should Do Now

  1. Check your lockfiles: Look for the affected versions listed above and roll back to safe versions (eslint-config-prettier 10.1.5 or earlier).
  2. Audit recent installs: If you installed these packages in the last 24 hours, delete node_modules, clear npm caches, and reinstall from clean, updated versions.
  3. Enable 2FA on npm: Always protect your account with two-factor authentication.
  4. Pin exact versions: Avoid floating latest tags in CI pipelines.

This is a textbook example of multi-stage supply chain compromise:

  • Step 1: Phishing email harvests maintainer credentials.
  • Step 2: Attacker publishes malicious versions to npm.
  • Step 3: Thousands of projects could ingest malware automatically.

More reports of compromised credentials are likely to roll in as attackers target other maintainers, leveraging scraped npm metadata and what has so far proved to be a very convincing automated phishing campaign.

At Socket, we detect suspicious package activity, such as new versions with unexpected install scripts or binaries, to help developers catch these incidents before they spread. Install the free Socket GitHub App to enable real-time pull request scanning to catch malicious dependencies before they are merged.

This incident shows how quickly phishing attacks on maintainers can escalate into ecosystem-wide threats. We are continuing to monitor the npm ecosystem for signs of further malicious publishing activity and will share updates as this attack campaign unfolds.
