A major supply chain security incident has been discovered involving the widely adopted npm package eslint-config-prettier, which has accumulated more than 3.5 billion downloads worldwide.
What Happened
On July 18, 2025, attackers compromised the package after its maintainer fell victim to a phishing campaign. The breach was identified the same day by ReversingLabs' automated detection system and by the Socket research team.
The threat actors used the stolen npm credentials to publish malicious versions of eslint-config-prettier and several other packages maintained by the same developer. The altered versions carried a script that executed at install time and was designed to drop the Scavenger remote access Trojan (RAT) on Windows machines.
Although the malicious versions stayed online for less than two hours, the package's roughly 36 million weekly downloads show how large the blast radius of such a compromise can be.
How the Attack Unfolded
According to a recent advisory from ReversingLabs, the phishing emails were crafted to impersonate npm's official support team. They linked to a fake npm login page, and the links carried per-recipient tokens, which suggests the campaign deliberately targeted specific maintainers rather than being sent indiscriminately.
Once the attackers had access, they released infected versions not only of eslint-config-prettier but also of related packages by the same maintainer, including eslint-plugin-prettier and synckit.
The exposure was amplified by how downstream projects declared the package. eslint-config-prettier is a lint configuration that is only needed at development time, yet thousands of projects listed it under dependencies rather than devDependencies, so it is installed into production builds along with runtime code. ReversingLabs found more than 14,000 instances of this misconfiguration, each one a potential path for the malicious versions into a production environment.
Amplified by Automated Updates
The incident was made worse by automated dependency management. Tools such as GitHub's Dependabot open version-bump pull requests as soon as a new release appears, and where a repository enables auto-merge those pull requests land without a human reading them, so a malicious version can propagate into downstream repositories within minutes of being published.
One notable example was the European e-bike company Dott, whose repositories automatically picked up the compromised package this way.
GitHub-hosted runners are ephemeral, so a payload that executes during a CI install is discarded together with the job; self-hosted runners persist between jobs, so organizations running them faced a higher risk of a lasting foothold. ReversingLabs confirmed that 46 projects had pulled in the tainted package during the short exposure window, including one linked to a Microsoft-owned repository.
As ReversingLabs highlighted:
“Even a narrow exposure window can have large repercussions.”
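A Dependabot configuration that applies a waiting period before version bumps are proposed, added here as an example rather than taken from the article or from ReversingLabs. It assumes the repository's Dependabot supports the cooldown setting for the npm ecosystem; note that auto-merge is a repository setting or a separate workflow, not something this file controls, so the cooldown only helps if pull requests are still reviewed before merging.

```yaml
# .github/dependabot.yml (added example; adjust directory and schedule to the repository)
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Do not propose a version until it has been on the registry for a while,
    # giving scanners and the community time to flag a malicious release.
    cooldown:
      default-days: 7
      semver-patch-days: 3
    # Keep the review queue small enough that each bump actually gets read.
    open-pull-requests-limit: 5
```

A cooldown would have kept the versions published during this incident out of pull requests entirely, since they were removed from the registry within two hours.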
Key Lessons for Developers
This attack serves as a sharp reminder of the fragility of modern software supply chains. While automated updates help minimize vulnerabilities from outdated code, they can also accelerate the spread of malicious versions if proper safeguards are not in place.
Recommended Best Practices:
- Delay non-critical updates by several days so the security community has time to detect and pull malicious releases before they are adopted.
- Keep build-time tooling such as linters and formatters under devDependencies, not dependencies, so production installs never fetch it.
- Harden build workflows so production environments install only runtime dependencies, and where possible disable package lifecycle scripts at install time, since that is the hook the malicious versions used to run their payload.
- Review automated pull requests before merging, especially dependency bumps, rather than allowing bots to auto-merge them.
Why This Matters
As supply chain attacks continue to escalate, this case underscores the importance of dependency hygiene, visibility into what a build actually installs, and careful limits on automation when safeguarding software ecosystems.
Organizations must recognize that even trusted, widely used packages can be compromised, which makes continuous monitoring, security-aware development practices, and proactive compliance strategies critical defenses.
Source: https://www.infosecurity-magazine.com/news/popular-npm-package-compromised-in