eslint-config-prettier supply chain attack

Type

Incident

Actors

❓Unknown

Pub. date

Initial access

End-user compromiseSupply chain vector

Impact

Observed techniques

Phishing Supply Chain Compromise

References

https://github.com/advisories/GHSA-f29h-pxvx-f335https://nvd.nist.gov/vuln/detail/CVE-2025-54313https://github.com/prettier/eslint-config-prettier/issues/339

Status

Stub

Last edited

Oct 8, 2025 12:44 PM

Versions of eslint-config-prettier had malicious code introduced after the maintainer’s npm token was phished. eslint-plugin-prettier, synckit, got-fetch, napi-postinstall, and @pkgr/core were also impacted. The i