A significant security incident involving the widely used npm package “eslint-config-prettier” has been uncovered.
The package, downloaded more than 3.5 billion times, was compromised on July 18 after its maintainer fell victim to a phishing campaign. ReversingLabs’ automated detection system and the Socket research team reported the attack the same day.
Malicious versions of the package, along with others maintained by the same developer, were published using stolen credentials. The tampered files contained a script designed to drop the Scavenger remote access Trojan (RAT) on Windows systems.
Although the compromised versions were available for less than two hours, the package’s 36 million weekly downloads meant the potential impact was significant.
How the Attack Spread
According to an advisory published by ReversingLabs last week, the phishing campaign targeted npm maintainers through emails spoofing the official support address.
Victims were lured to a fake npm site with tokenized URLs – an indication of deliberate targeting.
Once the maintainer’s credentials were stolen, attackers released infected versions of several related packages, including eslint-plugin-prettier and synckit.
Complications arose because many projects declare eslint-config-prettier as a direct dependency rather than a devDependency. ReversingLabs identified more than 14,000 such cases, which created an avenue for downstream compromises.
The Role of Automated Updates
Automated tools, such as GitHub’s Dependabot, amplified the damage. These systems can open and merge pull requests to update dependencies without human review.
Several repositories, including one managed by the European e-bike company Dott, were found to have automatically pulled in malicious versions.
While GitHub-hosted runners limit persistence, organizations using self-hosted runners may have faced greater risks.
ReversingLabs detected 46 projects that installed the compromised version during the attack window, including one hosted on a Microsoft-owned repository.
“Even a narrow exposure window can have large repercussions,” the researchers noted.
Lessons for Developers
The incident highlights the challenges of dependency management in modern software development. Automated updating reduces risks from outdated code but can introduce threats when malicious versions slip through.
ReversingLabs recommended several practices:
- Delay non-critical updates to allow time for detection of malicious versions
- Separate dependencies from devDependencies
- Configure build workflows to prevent unnecessary installations in production
- Avoid merging automated pull requests without manual review
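Two of these recommendations can be enforced with a small script in a CI job: flag lint and formatting tooling that sits under dependencies instead of devDependencies, and refuse any release younger than a minimum age so scanners have time to catch a bad version. The following Node.js code is an added example, not code from ReversingLabs, Socket or the npm project; the package.json, the registry `time` map and its version numbers are constructed samples, and the list of dev-only name prefixes is an assumption.

```javascript
// Added example: two dependency-hygiene checks. The package.json and
// registry metadata below are constructed samples, not real data.

// Assumption: tooling with these name prefixes belongs in devDependencies.
// eslint-config-prettier is the case this incident turned on.
const DEV_ONLY_PREFIXES = ["eslint", "prettier", "@typescript-eslint/"];

// Names under "dependencies" that look like dev tooling. Moving them to
// devDependencies keeps `npm ci --omit=dev` from installing them in production.
function misplacedDevTooling(pkg) {
  const deps = Object.keys(pkg.dependencies || {});
  return deps.filter((name) => DEV_ONLY_PREFIXES.some((p) => name.startsWith(p)));
}

// The npm registry document for a package carries a "time" map of
// version -> publish timestamp (plus "created" and "modified").
// Age in days of one version, or null if the version is not in the map.
function releaseAgeDays(timeMap, version, now = new Date()) {
  const published = timeMap[version];
  if (!published) return null;
  return (now - new Date(published)) / 86_400_000;
}

// Newest version that has been public for at least minAgeDays, or null.
// A compromised release removed within hours never becomes eligible.
function latestAllowedVersion(timeMap, minAgeDays, now = new Date()) {
  const versions = Object.keys(timeMap).filter((k) => k !== "created" && k !== "modified");
  const allowed = versions.filter((v) => {
    const age = releaseAgeDays(timeMap, v, now);
    return age !== null && age >= minAgeDays;
  });
  allowed.sort((a, b) => new Date(timeMap[b]) - new Date(timeMap[a])); // newest first
  return allowed[0] || null;
}

// Constructed sample package.json: the tooling is wrongly a runtime dependency.
const samplePackageJson = {
  name: "example-app",
  dependencies: { express: "^4.19.2", "eslint-config-prettier": "^1.0.0" },
  devDependencies: { eslint: "^9.0.0" },
};

// Constructed sample "time" map: 1.0.1 was published 90 minutes before "now".
const sampleTime = {
  created: "2024-01-01T00:00:00.000Z",
  modified: "2025-07-18T19:00:00.000Z",
  "1.0.0": "2025-05-01T00:00:00.000Z",
  "1.0.1": "2025-07-18T19:00:00.000Z",
};
```

With a seven-day minimum age evaluated at 2025-07-18T20:30Z, `latestAllowedVersion(sampleTime, 7, now)` returns "1.0.0" and the fresh "1.0.1" is held back; the same run reports "eslint-config-prettier" as misplaced.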
As supply chain attacks increase, researchers emphasize that dependency hygiene and cautious automation are crucial safeguards.