Popular configuration packages for integrating Prettier with ESLint, the widely used code formatting tools within JavaScript and TypeScript projects, were hijacked after a maintainer fell victim to a phishing scheme.
According to a Socket observation, packages like eslint-config-prettier and eslint-plugin-prettier were compromised hours after the open-source supply chain security firm reported an npm phishing campaign using the typosquatted npnjs.com domain.
“The attacker published malicious versions with no corresponding commits or PRs on GitHub,” a Socket blog post explained, “including a payload that executes a DLL on Windows via rundll32.”
Socket added that the attackers had published four new versions of eslint-config-prettier by the time of detection.
npm token phished for planting backdoors
The incident began with an email sent on July 17, impersonating npm support and linking to the look-alike domain npnjs.com. Unaware, the maintainer entered their credentials, giving away their npm token.
Attackers used the token to publish malicious versions 8.10.1,9.1.1,10.1.6, and 10.1.7 of eslint-config-prettier, along with poisoned updates to eslint-plugin-prettier, synckit,@pkgr/core, and napi-postinstall.
“Registration emails and maintainer metadata are easily accessible in npm’s package info, which threat actors scrape to build target lists of package maintainers,“ the Socket team said. The malicious versions carried an install-script malware targeting Windows machines by loading a malicious node-gyp.dll.
Prettier and ESLint integrations are widely used capabilities with popular tools like Dependabot and Renovate automatically picking up the “latest“ versions of packages. CI/CD pipelines and a number of developers may already have unknowingly installed compromised versions, according to Socket.
Automated GitHub alarms triggered a quick response
Detection was swift once the updates bypassed GitHub’s usual commit-based alerts and raised red flags in registry logs. The maintainer revoked the compromised token, deprecated the malicious releases, and collaborated with npm to remove them.
Socket noted that the attack is a textbook example of “multi-stage supply chain compromise,” which involves harvesting maintainer credentials, publishing malicious versions on npm, and potentially infecting thousands of projects.
“More reports of compromised credentials are likely to roll in as attackers target other maintainers, leveraging scraped npm metadata and what has so far proved to be a very convincing automated phishing campaign,” it added.
Developers are recommended to audit lockfiles, clear caches, reinstall clean versions, pin specific package versions, and enable two-factor authentication on npm accounts.
npm, the default package manager for the JavaScript runtime Node.js, has seen increased abuse in recent times, owing to its reach and popularity. Last month, Socket observed two malicious npm packages capable of wiping out production systems with a single request. Previously, a score of npm packages were caught snooping on dev machines in addition to a clever campaign that dropped typo-squatted packages with stealers and RCE codes.
