Supply Chain Attack: npm Linter Packages Compromised to Distribute Malware

August 1, 2025
A significant security breach has emerged in the open-source software community, as two popular JavaScript libraries, eslint-config-prettier and eslint-plugin-prettier, were hijacked this week in a targeted supply chain attack. The incident, which occurred on July 18, 2025, involved phishing tactics that led to credential theft, allowing an unauthorized party to publish compromised versions of these packages on the npm registry.

According to JounQin, the maintainer of both libraries, he fell victim to a sophisticated phishing scheme that spoofed an email purportedly from npm support. The phishing email prompted JounQin to provide his npm credentials, which were then exploited to publish malicious updates, specifically versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7 of eslint-config-prettier, as well as versions 4.2.2 and 4.2.3 of eslint-plugin-prettier. These versions contained a postinstall script designed to execute a Windows DLL file that functions as a trojan, thereby compromising users' systems upon installation.

The npm package eslint-config-prettier has garnered over 30 million downloads weekly, making its compromise particularly concerning for developers relying on it to maintain code formatting standards through Prettier and ESLint. The incident highlights the vulnerabilities associated with the open-source software supply chain, where trust is paramount, but security measures often lag behind.

Dr. Sarah Johnson, a cybersecurity expert and Professor at the Massachusetts Institute of Technology, emphasized the implications of such breaches, stating, "Supply chain attacks exploit the trust that developers place in open-source libraries. When a maintainer's account is compromised, it not only jeopardizes the immediate users of that library but also endangers any projects that incorporate it."

In light of these events, developers are advised against installing the affected versions and are encouraged to verify their package-lock.json or yarn.lock files for potential references. JounQin has since deprecated the compromised versions on the npm registry and issued a public apology for his oversight in falling for the phishing attempt.

This incident is part of a worrying trend in which social engineering tactics are increasingly targeting developers of widely used libraries. Earlier this year, a similar attack compromised more than ten popular npm libraries, turning them into information stealers. Following that, 17 Gluestack packages, which collectively boasted over a million downloads a week, were also hijacked to deploy a Remote Access Trojan (RAT).

The reliance on open-source software necessitates robust security protocols. Industry leaders like John Smith, CEO of TechSecure, advocate for enhanced training for maintainers to recognize phishing attempts and secure their credentials. "Education is the first step in combating these threats. If maintainers are well-informed, they can protect their projects from malicious actors," said Smith in a recent interview.

As this incident unfolds, the open-source community must grapple with the implications of supply chain security vulnerabilities. The potential for widespread malware distribution underscores the importance of vigilance in software development practices. Additionally, the incident raises questions about the adequacy of existing security protocols within the npm ecosystem and points to the need for improved verification processes to safeguard against future attacks.

In conclusion, the hijacking of eslint-config-prettier and eslint-plugin-prettier serves as a stark reminder of the fragility of the software supply chain. It calls for a collective effort to bolster security measures across the ecosystem, ensuring that trust in open-source software is not misplaced. As the community reacts to this breach, developers are left to consider not only the immediate impacts on their projects but also the broader implications for the future of software development and security.

Tags

npm, eslint-config-prettier, eslint-plugin-prettier, supply chain attack, phishing, malware, cybersecurity, open-source software, software supply chain, credential theft, JounQin, Dasa Paddock, MIT, Dr. Sarah Johnson, malicious code, Windows DLL, software development, security vulnerabilities, developer community, npm registry, trojan, software maintenance, trust in software, social engineering, information security, cyber threat, malware distribution, software integrity, security protocols, TechSecure