eslint-config-prettier npm package compromised

https://www.stepsecurity.io/blog/supply-chain-security-alert-eslint-config-prettier-package-shows-signs-of-compromise
74•varunsharma07•6mo ago

Comments

warmedcookie•6mo ago
Hit me. Disables security in Chrome. I will be wiping everything. Changed passwords already, but I assume they stole everything.

dcsan•6mo ago
why isn't this bigger news?

it looks like installing a dll so maybe it's windows only?

https://github.com/prettier/eslint-config-prettier/issues/33...

InGoodFaith•6mo ago
It appears the individual was unable to distinguish a display name from the actual email address (common phishing tactic of having something like admin@company.org as the email display name while the actual email address is a random throwaway). [1]

Good reminder to use a password manager as well (as it would also catch the 'npnjs' typo squatted domain too).

Similar incident happened to the HIBP guy who mentioned ignoring the password manager safeguards due to being half asleep while on the plane.

Also keep in mind you can disable install scripts in npm from running (if you happen to not do your development in an isolated environment) via configuring your .npmrc with

> ignore-scripts=true

Stay safe out there

1: https://x.com/JounQin/status/1946297662069993690

gcau•6mo ago
>the individual was unable to distinguish a display name from the actual email address

This is wild to me, not just because they're a developer but they even know about SPF/DMARC. Also, the content of the email being them asking to reverify your email sounds suspicious and illogical. I know people make mistakes, but it's just crazy, and shows the importance of companies training employees to not fall for phishing emails.

hombre_fatal•6mo ago
Dunno, this is also a failure of email client UI which is designed around a naive world with no bad actors just so it looks cute.

The sender email address could be more prominent.

All link URLs could be visible.

Emails from new senders could have some sort of warning/alert. I used to use an email client that let you approve incoming email addresses, and it once saved me from a Coinbase phishing email since it made me double check the sender since it was marked as unapproved.

We can't keep blaming the victim when our own software works in the favor of bad actors. You're going to let your guard down one day.

homebrewer•6mo ago
This will break many things that rely on installation scripts to work properly.

Use a better package manager that always disables installation scripts and lets you whitelist only those you absolutely need (like pnpm — which asks you post-install if any scripts were necessary, and reruns those you confirm).

Also avoid horrible tire fires like eslint that require several hundreds of unvetted dependencies. If you work alone and are disciplined, it's perfectly possible to write good TS without a linter. If not — use biomejs.dev (zero external dependencies) or `deno lint`.

Also node can easily be isolated from the rest of the system through bubblewrap/firejail:

  $ ls -a ~
  .  ..  code

https://wiki.archlinux.org/title/Bubblewrap

https://wiki.archlinux.org/title/Firejail
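
An added example (not from the thread, npm or pnpm): before setting `ignore-scripts=true` or moving to a script allowlist, as the two comments above discuss, it helps to know which locked dependencies declare install scripts at all. This sketch reads the `hasInstallScript` flag that npm records in `package-lock.json` (lockfileVersion 2 and 3); the package names, versions and allowlist are constructed sample data.

```javascript
// Added example: list locked packages that declare install scripts and
// split them into reviewed (allowlisted) and unreviewed ones.

// Constructed excerpt of a package-lock.json; all names are hypothetical.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-native-addon": { version: "2.0.0", hasInstallScript: true },
    "node_modules/example-config": { version: "1.1.1", hasInstallScript: true },
    "node_modules/@example/telemetry": { version: "0.3.0", hasInstallScript: true },
    "node_modules/example-util": { version: "4.1.0" },
    "node_modules/example-dep/node_modules/example-native-addon": {
      version: "1.9.0",
      hasInstallScript: true,
    },
  },
};

// Hypothetical allowlist: packages whose install scripts were reviewed.
const sampleAllowlist = ["example-native-addon"];

// Lockfile keys are install paths; the package name follows the last
// "node_modules/" segment (this keeps scoped names such as @scope/name).
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

function auditInstallScripts(lock, allowlist) {
  if (!lock.packages) {
    throw new Error("no 'packages' map: lockfileVersion 2 or 3 is required");
  }
  const allowed = new Set(allowlist);
  const report = { allowed: [], unreviewed: [] };
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "" || !entry.hasInstallScript) continue; // root or no script
    const item = { name: packageNameFromPath(path), version: entry.version, path };
    (allowed.has(item.name) ? report.allowed : report.unreviewed).push(item);
  }
  return report;
}
```

Everything in `unreviewed` is a package whose install script would run on a default `npm install` and would be skipped once scripts are disabled.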

christophilus•6mo ago
Biome has a 5000+ line cargo.lock file. That’s a lot of dependencies. You just don’t see them directly in npm. This is the reason I dislike Rust and prefer Go. Rust is the JavaScript packaging culture applied to systems programming.

jakubmazanec•6mo ago
One thing Npm should implement (at least for popular packages) is deny publishing new versions that don't have provenance [1] if the previous versions had it. This would have stopped this attack.

[1] https://docs.npmjs.com/generating-provenance-statements
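
The rule proposed in the comment above can also be applied on the consumer side, as a check before upgrading (added example, not npm's behaviour and not code from the thread). It assumes registry metadata marks an attested version with a `dist.attestations.provenance` object; the package name, versions and dates are constructed.

```javascript
// Added example: flag versions published WITHOUT provenance after an earlier
// version of the same package was published WITH provenance.

// Constructed packument-like metadata for a hypothetical package.
// Assumption: attested versions carry dist.attestations.provenance.
const slsa = { predicateType: "https://slsa.dev/provenance/v1" };
const samplePackument = {
  name: "example-config",
  time: {
    "1.0.0": "2024-01-10T00:00:00Z",
    "1.1.0": "2024-06-01T00:00:00Z",
    "1.1.1": "2025-07-18T00:00:00Z",
    "1.2.0": "2025-07-20T00:00:00Z",
  },
  versions: {
    "1.0.0": { dist: {} }, // predates the project's adoption of provenance
    "1.1.0": { dist: { attestations: { provenance: slsa } } },
    "1.1.1": { dist: {} }, // regression: no attestation
    "1.2.0": { dist: { attestations: { provenance: slsa } } },
  },
};

function hasProvenance(versionMeta) {
  return Boolean(versionMeta?.dist?.attestations?.provenance);
}

// Walk versions in publish order (not semver order, since a backport to an
// old release line can be published late) and record every regression.
function provenanceRegressions(packument) {
  const ordered = Object.keys(packument.versions ?? {})
    .filter((v) => packument.time?.[v])
    .sort((a, b) => Date.parse(packument.time[a]) - Date.parse(packument.time[b]));
  const findings = [];
  let lastAttested = null;
  for (const version of ordered) {
    if (hasProvenance(packument.versions[version])) {
      lastAttested = version;
    } else if (lastAttested !== null) {
      findings.push({ version, published: packument.time[version], lastAttested });
    }
  }
  return findings;
}
```

A finding is a reason to hold the upgrade and verify the release with the maintainers, not proof of compromise; a project can also stop publishing provenance for ordinary reasons.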

hofrogs•6mo ago
I feel like this is a really big deal, eslint and prettier are a must-have for any js/ts project, imo. Many developers could be affected (and probably were). Which will lead to even more supply chain attacks down the line...

Maxious•6mo ago
This package is downloaded millions of times a week https://www.npmjs.com/package/eslint-config-prettier?activeT...

It's the primary way suggested to integrate the two https://prettier.io/docs/integrating-with-linters