Malware Injected into 6 npm Packages After Maintainer Tokens Stolen in Phishing Attack

Source articles

  • BleepingComputer, Jul 19, 12:51: "Popular npm linter packages hijacked via phishing ..."
  • The Hacker News (primary article), Jul 20, 09:40: "Malware Injected into 6 npm Packages After Maintai..."
  • A supply chain attack compromised popular npm packages, specifically eslint-config-prettier and eslint-plugin-prettier, via a phishing campaign targeting maintainers.
  • Malicious versions (8.10.1, 9.1.1, 10.1.6, 10.1.7 for eslint-config-prettier and 4.2.2, 4.2.3 for eslint-plugin-prettier) were published without source code changes, enabling remote code execution on Windows machines.
  • The attack exploited stolen npm tokens, allowing unauthorized package updates that could lead to malware infections for users who downloaded these versions.
  • Immediate actions required include removing the affected package versions and implementing stricter access controls for maintainers to prevent credential theft.
  • No specific threat actor attribution was mentioned, but the attack highlights vulnerabilities in the npm ecosystem related to maintainer security.

A recent supply chain attack compromised several popular npm packages, including eslint-config-prettier and eslint-plugin-prettier, through a phishing scheme that stole maintainer tokens. The stolen tokens were used to publish malicious package versions capable of remote code execution on Windows systems. Users who downloaded the affected versions (8.10.1, 9.1.1, 10.1.6, 10.1.7, and others) are at risk of malware infection. Organizations must immediately remove these versions, strengthen security measures for package maintainers, and monitor for any signs of compromise. There are no patches available for the compromised packages; thus, vigilance and user education are critical.
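As an added example (not code from either article), the following Node.js script checks an npm lockfile for the affected versions listed above, including copies nested under other dependencies; the sample lockfile it runs on is constructed for illustration.

```javascript
// Added example, not from the article: flag the compromised versions listed above
// inside an npm lockfile (lockfileVersion 2/3 "packages" map, or v1 nested "dependencies").
const COMPROMISED = {
  "eslint-config-prettier": new Set(["8.10.1", "9.1.1", "10.1.6", "10.1.7"]),
  "eslint-plugin-prettier": new Set(["4.2.2", "4.2.3"]),
};
function check(name, version, path, hits) {
  const bad = COMPROMISED[name];
  if (bad && bad.has(version)) hits.push({ name, version, path });
}
// v1 lockfiles nest transitive dependencies under each entry's "dependencies".
function walkV1(deps, parent, hits) {
  for (const [name, meta] of Object.entries(deps)) {
    const path = `${parent}node_modules/${name}`;
    check(name, meta.version, path, hits);
    if (meta.dependencies) walkV1(meta.dependencies, `${path}/`, hits);
  }
}

function findCompromised(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry, not a dependency
      // Name is whatever follows the last "node_modules/" (scoped names keep "@scope/").
      const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
      check(name, meta.version, path, hits);
    }
  } else if (lock.dependencies) {
    walkV1(lock.dependencies, "", hits);
  }
  return hits;
}

// Constructed sample (lockfileVersion 3): a clean entry, a top-level hit, and a hit
// nested under another dependency that a top-level-only check would miss.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", version: "1.0.0" },
    "node_modules/eslint-config-prettier": { version: "10.1.7" },
    "node_modules/eslint-plugin-prettier": { version: "5.0.0" },
    "node_modules/some-tool/node_modules/eslint-plugin-prettier": { version: "4.2.3" },
  },
};

for (const h of findCompromised(SAMPLE_LOCK)) {
  console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}`);
}
```

Pointed at a real lockfile via `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`, the same function works unchanged; it only reports the versions named in the advisory, so a clean result shows absence from the lockfile, not that a machine was never exposed.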
