npm Supply Chain Attack: Tampering in eslint-config-prettier and other packages with malicious code analysis

Key Information Summary Vulnerability Overview Vulnerability Type: Supply Chain Security Alert Affected Package: eslint-config-prettier Issue: Shows signs of tampering Confirmed Affected Packages and Versions eslint-config-prettier - v8.3.0 - v8.2.0 - v8.1.0 - v8.0.0 - v7.2.0 - v7.1.0 - v7.0.0 - v6.0.0 - v5.0.0 - v4.0.0 - v3.0.0 - v2.0.0 - v1.0.0 Other Affected Packages - @typescript-eslint/eslint-plugin: v5.3.0, v5.2.0, v5.1.0, v5.0.0 - @typescript-eslint/parser: v5.3.0, v5.2.0, v5.1.0, v5.0.0 - eslint-plugin-import: v2.25.3, v2.25.2, v2.25.1, v2.25.0 - eslint-plugin-jsdoc: v36.6.0, v36.5.0, v36.4.0, v36.3.0 - eslint-plugin-prettier: v4.0.0, v3.4.1, v3.4.0, v3.3.1 - prettier: v2.5.1, v2.5.0, v2.4.1, v2.4.0 Updates and Developments Update 1: eslint-config-prettier maintainer confirms supply chain attack Update 2: Official CVE assigned Update 3: Attack activity extended to 'is' package Update 4: Attack activity extended to got-fetch package Summary and Observations Key Observation: Attackers exploited leaked npm authentication tokens to tamper with multiple packages. Malicious Code Example: Immediate Recommendations Pin to earlier, unaffected versions Review recent dependency updates Audit CI/CD pipelines Monitor for further updates Use StopSecurity Enterprise client for detection Next Steps Check if affected packages are present in your project Submit reports to assist in investigation Avoid using potentially compromised packages References Related Link

Goal Reached Thanks to every supporter — we hit 100%!

npm Supply Chain Attack: Tampering in eslint-config-prettier and other packages with malicious code analysis