Developer Accounts Under Attack – How Threat Actors Are Exploiting Prettier Tooling Packages

The Node.js ecosystem faced a critical supply chain attack this week as several popular npm packages, including eslint-config-prettier and eslint-plugin-prettier were compromised through a coordinated phishing campaign.

The breach highlights growing concerns about the security of open-source maintainers. It highlights the ease with which credentials can be harvested and abused to spread malicious code throughout developer pipelines.

Phishing Attack and Technical Intrusion

This targeted attack began with a deceptive email referencing the typosquatted domain npnjs.com, nearly indistinguishable from the legitimate npmjs.com.

A maintainer inadvertently entered their npm credentials on this fake site, allowing attackers to hijack their npm token immediately.

With this critical piece of authentication, adversaries were able to publish compromised versions of several high-traffic packages directly to the npm registry, thereby bypassing GitHub workflows and source-control-based monitoring.

The damage was swift and precise. Malicious versions published include:

• eslint-config-prettier: 8.10.1, 9.1.1, 10.1.6, 10.1.7
• eslint-plugin-prettier: 4.2.2, 4.2.3
• synckit: 0.11.9
• @pkgr/core: 0.2.8
• napi-postinstall: 0.3.1

Forensics revealed injected code targeting Windows environments, attempting to load a rogue node-gyp.dll via rundll32.

Such a payload could grant adversaries remote code execution on any affected developer or CI machine, potentially compromising applications across thousands of projects.

Automatic Updates Spread the Threat

The popularity of Prettier and ESLint integrations amplifies the reach of this attack.

Automated tools like Dependabot and Renovate routinely update dependencies to the latest published versions, meaning countless projects may have unknowingly imported compromised packages.

With no visible GitHub history for these poisoned releases, the attack evaded standard codebase review processes until a vigilant user flagged suspicious activity.

Immediate Response and Ecosystem-Wide Remediation

Maintainers acted quickly:

• Compromised npm credentials were revoked.
• Malicious versions were deprecated to hinder propagation.
• Npm security teams coordinated with maintainers to remove tainted releases from the registry.

Recommendations for Developers

Security experts advise all developers to:

• Audit project lockfiles for the affected versions and immediately roll back to safe releases (e.g., eslint-config-prettier 10.1.5 or earlier).
• Delete node_modulesClear the npm cache and reinstall clean dependencies if packages were updated recently.
• Enable two-factor authentication (2FA) on npm accounts.
• Avoid using “latest” tags in production pipelines; instead, pin exact dependency versions.

This incident serves as a stark reminder that open-source supply chains are only as strong as their weakest link.

With attackers now leveraging scraped maintainer metadata for efficient, high-value phishing, the need for proactive security controls and real-time package monitoring, such as that provided by tools like Socket, has never been greater.