Snyk
snyk.io › blog › maintainers-of-eslint-prettier-plugin-attacked-via-npm-supply-chain-malware
Maintainers of ESLint Prettier Plugin Attacked via npm Supply Chain Malware | Snyk
July 22, 2025 - Urgent warning: Maintainers of popular npm packages like ESLint Prettier Plugin were attacked via an npm supply chain malware incident. Learn about the typosquatting, phishing, and impacted packages, plus essential steps to protect your projects.
Endor Labs
endorlabs.com › learn › cve-2025-54313-eslint-config-prettier-compromise----high-severity-but-windows-only
CVE-2025-54313: eslint-config-prettier Compromise — High Severity but Windows-Only | Blog | Endor Labs
September 17, 2025 - CVE-2025-54313 tracks a supply chain attack on eslint-config-prettier, where four malicious versions of a popular npm library targeted Windows machines with a remote-code execution payload. Learn how it happened and how to stay safe.
OPSWAT
opswat.com › homepage › opswat blog › recent eslint hack raises software supply chain concerns to the next level
ESLint Hack: Major Software Supply Chain Attack Exposes Open Source Risks - OPSWAT
August 20, 2025 - 2. The attacker then used the stolen npm token to publish malicious versions of the eslint-config-prettier package. Four compromised versions have been identified based on developer reports: 8.10.1, 9.1.1, 10.1.6, and 10.1.7. Additionally, because the attacker had access to the compromised token, other packages maintained by the same author were also affected, including: eslint-plugin-prettier, synckit, @pkgr/core, and napi-postinstall.
Reddit
reddit.com › r/webdev › malware published in eslint-config-prettier and other packages
r/webdev on Reddit: Malware published in eslint-config-prettier and other packages
July 21, 2025 -

From the tweet:

cc @geteslint @PrettierCode @PrettierESLint

Attention!!!

I was tricked by a phishing email, a new npm token was added and leaked, and then some popular packages I'm maintaining were released with malicious software. I've deleted the leaked token, marked all affected bad versions as deprecated, and released new versions.

All affected packages and versions are:

  • eslint-config-prettier:
    • 8.10.1
    • 9.1.1
    • 10.1.6
    • 10.1.7
  • eslint-plugin-prettier:
    • 4.2.2
    • 4.2.3
  • synckit:
    • 0.11.9
  • @pkgr/core:
    • 0.2.8
  • napi-postinstall:
    • 0.3.1

---

Reminder: if you are publishing npm packages, go to https://www.npmjs.com/settings/<YOUR_USERNAME>/tfa/list and change your 2FA method from Authenticator App to Security Key and create a passkey using biometrics. It would make it impossible to mistakenly enter the OTP into a fake scam site.

Reddit
reddit.com › r/programming › eslint-config-prettier compromised: how npm package with 30 million downloads spread malware
r/programming on Reddit: eslint-config-prettier Compromised: How npm Package with 30 Million Downloads Spread Malware
July 21, 2025 - The VSCode prettier / eslint extensions use whichever version of eslint or prettier is installed in your workspace, meaning yes, you could be infected if your project has any dependency or transitive dependency on a compromised package.
SafeDep
safedep.io › eslint-config-prettier-major-npm-supply-chain-hack
eslint-config-prettier Compromised: How npm Package with 30 Million Downloads Spread Malware — Real-time Open Source Software Supply Chain Security
On 19 July 2025, the maintainer of eslint-config-prettier disclosed that he was tricked in an email phishing attack where the attackers gained access to publish to various npm projects that he maintains.
CSO Online
csoonline.com › home › security › cybercrime › social engineering › phishing
Prettier-ESLint npm packages hijacked in a sophisticated supply chain attack | CSO Online
July 22, 2025 - According to a Socket observation, packages like eslint-config-prettier and eslint-plugin-prettier were compromised hours after the open-source supply chain security firm reported an npm phishing campaign using the typosquatted npnjs.com domain. “The attacker published malicious versions with no corresponding commits or PRs on GitHub,” a Socket blog post explained, “including a payload that executes a DLL on Windows via rundll32.”
BleepingComputer
bleepingcomputer.com › home › news › security › popular npm linter packages hijacked via phishing to drop malware
Popular npm linter packages hijacked via phishing to drop malware
September 15, 2025 - Popular JavaScript libraries eslint-config-prettier and eslint-plugin-prettier were hijacked this week and turned into malware droppers, in a supply chain attack achieved via targeted phishing and credential theft.
Invokere
invokere.com › posts › 2025 › 07 › scavenger-malware-distributed-via-eslint-config-prettier-npm-package-supply-chain-compromise
Scavenger Malware Distributed via eslint-config-prettier NPM Package Supply Chain Compromise
On Friday, July 18th, a number of GitHub users reported that the popular npm package eslint-config-prettier had releases published whose code changes were not reflected in its GitHub repository. The maintainer later stated that their npm account had been compromised via a phishing email, and acknowledged that the following npm packages had been affected: eslint-config-prettier versions 8.10.1, 9.1.1, 10.1.6, 10.1.7
Zeropath
zeropath.com › blog › cve-2025-54313-eslint-config-prettier-supply-chain-malware
Malicious npm Supply Chain Attack: Deep Technical Dive into CVE-2025-54313 in eslint-config-prettier - ZeroPath Blog | ZeroPath
July 19, 2025 - However, the login link pointed ... Armed with the stolen token, attackers published four malicious versions of eslint-config-prettier (8.10.1, 9.1.1, 10.1.6, 10.1.7) directly to the npm registry....
GitHub
github.com › prettier › eslint-plugin-prettier
GitHub - prettier/eslint-plugin-prettier: ESLint plugin for Prettier formatting · GitHub
If you use arrow-body-style or prefer-arrow-callback together with the prettier/prettier rule from this plugin, you can in some cases end up with invalid code due to a bug in ESLint’s autofix – see issue #65. For this reason, it’s recommended to turn off these rules. The plugin:prettier/recommended config does that for you.
Author   prettier
Vulert
vulert.com › vuln-db › npm-eslint-plugin-prettier-196013
Critical Malware Injection in eslint-plugin-prettier: A Security Alert
The vulnerability in eslint-plugin-prettier arises from the inclusion of malicious code that installs a Windows-based malware file named node-gyp.dll through the install.js script.
Socket
socket.dev › blog › npm-phishing-campaign-leads-to-prettier-tooling-packages-compromise
Active Supply Chain Attack: npm Phishing Campaign Leads to P...
Popular npm packages like eslint-config-prettier were compromised after a phishing attack stole a maintainer’s token, spreading malicious updates.
Miggo
miggo.io › vulnerability-database › cve › CVE-2025-54313
CVE-2025-54313: ESLint Prettier Install RCE
eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise.
DEV Community
dev.to › snyk › maintainers-of-eslint-prettier-plugin-attacked-via-npm-supply-chain-malware-a20
Maintainers of ESLint Prettier Plugin Attacked via npm Supply Chain Malware - DEV Community
July 23, 2025 - Urgent warning: Maintainers of popular npm packages like ESLint Prettier Plugin were attacked via an npm supply chain malware incident. Learn about the typosquatting, phishing, and impacted packages, plus essential steps to protect your projects.
GitHub
github.com › prettier › eslint-config-prettier
GitHub - prettier/eslint-config-prettier: Turns off all rules that are unnecessary or might conflict with Prettier. · GitHub
There are a few rules that eslint-config-prettier disables that can actually be enabled in some cases. Some require certain options; the CLI helper tool validates this. Some require special attention when writing code; the CLI helper tool warns you if any of those rules are enabled, but can’t tell if anything is problematic. Some can cause problems if using eslint-plugin-prettier and --fix.
Author   prettier
NIST
nvd.nist.gov › vuln › detail › CVE-2025-54313
NVD - CVE-2025-54313