Endor Labs
endorlabs.com › learn › cve-2025-54313-eslint-config-prettier-compromise----high-severity-but-windows-only
CVE-2025-54313: eslint-config-prettier Compromise — High Severity but Windows-Only | Blog | Endor Labs
September 17, 2025 - CVE-2025-54313 tracks a supply chain attack on eslint-config-prettier, where four malicious versions of a popular npm library targeted Windows machines with a remote-code execution payload. Learn how it happened and how to stay safe.
Snyk
snyk.io › blog › maintainers-of-eslint-prettier-plugin-attacked-via-npm-supply-chain-malware
Maintainers of ESLint Prettier Plugin Attacked via npm Supply Chain Malware | Snyk
July 22, 2025 - Urgent warning: Maintainers of popular npm packages like ESLint Prettier Plugin were attacked via an npm supply chain malware incident. Learn about the typosquatting, phishing, and impacted packages, plus essential steps to protect your projects.
Reddit
reddit.com › r/programming › eslint-config-prettier compromised: how npm package with 30 million downloads spread malware
r/programming on Reddit: eslint-config-prettier Compromised: How npm Package with 30 Million Downloads Spread Malware
July 21, 2025 - The VSCode prettier / eslint extensions use whichever version of eslint or prettier is installed in your workspace, meaning yes, you could be infected if your project has any dependency or transitive dependency on a compromised package.
CSO Online
csoonline.com › home › security › cybercrime › social engineering › phishing
Prettier-ESLint npm packages hijacked in a sophisticated supply chain attack | CSO Online
July 22, 2025 - Attackers used the token to publish malicious versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7 of eslint-config-prettier, along with poisoned updates to eslint-plugin-prettier, synckit, @pkgr/core, and napi-postinstall.
OPSWAT
opswat.com › homepage › opswat blog › recent eslint hack raises software supply chain concerns to the next level
ESLint Hack: Major Software Supply Chain Attack Exposes Open Source Risks - OPSWAT
August 20, 2025 - The attacker then used the stolen npm token to publish malicious versions of the eslint-config-prettier package. Four compromised versions have been identified based on developer reports: 8.10.1, 9.1.1, 10.1.6, and 10.1.7. Additionally, because the attacker had access to the compromised token, other packages maintained by the same author were also affected, including eslint-plugin-prettier, synckit, @pkgr/core, and napi-postinstall.
NIST
nvd.nist.gov › vuln › detail › CVE-2025-54313
NVD - CVE-2025-54313
Snyk
security.snyk.io › snyk vulnerability database › npm
eslint-plugin-prettier vulnerabilities | Snyk
Published: 9 years ago. Last updated: 23 days ago. Latest version: 5.5.5. Latest non-vulnerable version: 5.5.5. This package was involved in a security incident resulting in compromised versions being published. Please verify the versions before use. Further analysis of the maintenance status of eslint-plugin-prettier, based on released npm version cadence, repository activity, and other data points, determined that its maintenance is Healthy.
BleepingComputer
bleepingcomputer.com › home › news › security › popular npm linter packages hijacked via phishing to drop malware
Popular npm linter packages hijacked via phishing to drop malware
September 15, 2025 - The npm package eslint-config-prettier, downloaded over 30 million times weekly, was compromised after its maintainer fell victim to a phishing attack. Other packages, namely eslint-plugin-prettier, synckit, @pkgr/core, and napi-postinstall ...
Zeropath
zeropath.com › blog › cve-2025-54313-eslint-config-prettier-supply-chain-malware
Malicious npm Supply Chain Attack: Deep Technical Dive into CVE-2025-54313 in eslint-config-prettier - ZeroPath Blog | ZeroPath
July 19, 2025 - The following versions of eslint-config-prettier are confirmed to be malicious: ... Only Windows systems are affected, as the install script checks for the win32 platform. Projects using version ranges (e.g., ^10.1.0) or automated dependency updates (e.g., Dependabot, RenovateBot) may have inadvertently installed these versions. The attack also impacted related packages maintained by the same author, including eslint-plugin-prettier (4.2.2, 4.2.3) and synckit (0.11.9), but the primary focus of this CVE is eslint-config-prettier (npmjs.com).
Reddit
reddit.com › r/webdev › malware published in eslint-config-prettier and other packages
r/webdev on Reddit: Malware published in eslint-config-prettier and other packages
July 21, 2025 -

From the tweet:

cc @geteslint @PrettierCode @PrettierESLint

Attention!!!

I was tricked by a phishing email and a new npm token was added and leaked then some popular packages I'm maintaining were released with malicious software, I've deleted the leaked token and marked all affected bad versions as deprecated and released new versions.

All affected packages and versions are:

  • eslint-config-prettier:
    • 8.10.1
    • 9.1.1
    • 10.1.6
    • 10.1.7
  • eslint-plugin-prettier:
    • 4.2.2
    • 4.2.3
  • synckit:
    • 0.11.9
  • @pkgr/core:
    • 0.2.8
  • napi-postinstall:
    • 0.3.1

---

Reminder: if you are publishing npm packages, go to https://www.npmjs.com/settings/<YOUR_USERNAME>/tfa/list and change your 2FA method from Authenticator App to Security Key and create a passkey using biometrics. It would make it impossible to mistakenly enter the OTP into a fake scam site.

Snyk
security.snyk.io › snyk vulnerability database › npm
Embedded Malicious Code in eslint-plugin-prettier | CVE-2025-54313 | Snyk
Critical severity (9.2) Embedded Malicious Code in eslint-plugin-prettier | CVE-2025-54313
SafeDep
safedep.io › eslint-config-prettier-major-npm-supply-chain-hack
eslint-config-prettier Compromised: How npm Package with 30 Million Downloads Spread Malware — Real-time Open Source Software Supply Chain Security
The npm account of JounQin, maintainer of multiple popular npm packages including eslint-config-prettier was compromised in a phishing attack. The attackers leveraged the compromised account to publish 6 versions of eslint-config-prettier with ...
Vulert
vulert.com › vuln-db › npm-eslint-plugin-prettier-196013
Critical Malware Injection in eslint-plugin-prettier: A Security Alert
To rectify this vulnerability, it is crucial to update the eslint-plugin-prettier package to a patched version as soon as it becomes available. You can do this by running the following command in your terminal: npm update eslint-plugin-prettier.
GitHub
github.com › prettier › eslint-plugin-prettier
GitHub - prettier/eslint-plugin-prettier: ESLint plugin for Prettier formatting · GitHub
If you use arrow-body-style or prefer-arrow-callback together with the prettier/prettier rule from this plugin, you can in some cases end up with invalid code due to a bug in ESLint’s autofix – see issue #65. For this reason, it’s recommended to turn off these rules. The plugin:prettier/recommended config does that for you.
Starred by 3.6K users
Forked by 212 users
Languages   JavaScript
Socket
socket.dev › blog › npm-phishing-campaign-leads-to-prettier-tooling-packages-compromise
Active Supply Chain Attack: npm Phishing Campaign Leads to P...
Popular npm packages like eslint-config-prettier were compromised after a phishing attack stole a maintainer’s token, spreading malicious updates.
Cyber Press
cyberpress.org › home › hackers hijack popular npm packages to steal maintainers’ tokens
Hackers Hijack Popular npm Packages to Steal Maintainers' Tokens
July 21, 2025 - Hackers have compromised several popular npm packages, such as eslint-config-prettier and eslint-plugin-prettier, by obtaining maintainer credentials through a sophisticated phishing effort.