Hasty Briefs
eslint-config-prettier npm package compromised

10 months ago
  • #npm
  • #security
  • #supply-chain
  • Investigation into a supply chain security incident involving the eslint-config-prettier npm package.
  • Maintainer JounQin confirmed a phishing attack led to compromised versions of popular packages.
  • Affected packages and versions include eslint-config-prettier (8.10.1, 9.1.1, 10.1.6, 10.1.7), eslint-plugin-prettier (4.2.2, 4.2.3), and others.
  • The malicious versions were published to npm without any corresponding changes in the project's GitHub repository.
  • Compromised versions install a DLL affecting Windows users.
  • Automated tools like Dependabot and Renovate Bot have upgraded projects to the compromised versions.
  • Recommendations include pinning to safer versions, reviewing recent dependency updates, and auditing CI/CD pipelines.
  • Ongoing investigation focuses on the nature of modifications, attack vectors, and impact assessment.
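The "review recent dependency updates" step above can be automated against a lockfile. The script below is an added example, not code from the brief or from the eslint-config-prettier project: it reads an npm `package-lock.json` (v1 nested `dependencies`, or v2/v3 flat `packages`) and reports every occurrence of the compromised package/version pairs the brief names. Only the versions listed in the brief are included; the "and others" are not guessed. The sample lockfile embedded at the bottom is constructed input so the script runs stand-alone.

```javascript
// Added example: flag compromised eslint-config-prettier / eslint-plugin-prettier
// versions in an npm lockfile. Names and versions come from the brief; the
// sample lockfile at the bottom is constructed input, not a real project's.

// Compromised versions named in the brief (extend as the investigation publishes more).
const COMPROMISED = {
  'eslint-config-prettier': new Set(['8.10.1', '9.1.1', '10.1.6', '10.1.7']),
  'eslint-plugin-prettier': new Set(['4.2.2', '4.2.3']),
};

function isCompromised(name, version) {
  return Boolean(COMPROMISED[name] && COMPROMISED[name].has(version));
}

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/@scope/b";
// the package name is everything after the last "node_modules/".
function nameFromLockPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Lockfile v1 nests transitive dependencies under each entry's "dependencies".
function walkV1(deps, parentPath, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const here = parentPath ? `${parentPath}/node_modules/${name}` : `node_modules/${name}`;
    if (isCompromised(name, meta.version)) {
      hits.push({ name, version: meta.version, path: here });
    }
    walkV1(meta.dependencies, here, hits);
  }
}

// Return every compromised {name, version, path} found in a parsed lockfile object.
function findCompromised(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [lockPath, meta] of Object.entries(lock.packages)) {
      if (lockPath === '') continue; // the root project entry
      const name = meta.name || nameFromLockPath(lockPath);
      if (name && isCompromised(name, meta.version)) {
        hits.push({ name, version: meta.version, path: lockPath });
      }
    }
  } else if (lock.dependencies) {
    walkV1(lock.dependencies, '', hits);
  }
  return hits;
}

// Convenience wrapper for a lockfile on disk (CommonJS/Node).
function scanLockfile(file) {
  const fs = require('fs');
  return findCompromised(JSON.parse(fs.readFileSync(file, 'utf8')));
}

// Constructed sample lockfile (v3 layout): one direct hit and one nested hit.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/eslint-config-prettier': { version: '10.1.7', dev: true },
    'node_modules/eslint-plugin-prettier': { version: '5.0.0', dev: true },
    'node_modules/some-tool/node_modules/eslint-plugin-prettier': { version: '4.2.3', dev: true },
  },
};

// Stand-alone run against the constructed sample.
for (const h of findCompromised(SAMPLE_LOCK)) {
  console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}`);
}
```

Run it against a real project with `scanLockfile('package-lock.json')`; a non-empty result means a compromised version is installed somewhere in the tree, including transitively under another tool, which is exactly the path an automated dependency bump from Dependabot or Renovate can take.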