The initially reported malicious versions of the hijacked npm package eslint-config-prettier are 8.10.1, 9.1.1, 10.1.6, and 10.1.7. However, our analysis reveals version 10.1.6 is actually SAFE.
The npm package eslint-config-prettier was hijacked due to a phishing attack (CVE-2025-54313). This package has over 30M weekly downloads, making this a significant supply chain risk. Several more packages by the same maintainer were also hijacked, including eslint-plugin-prettier, synckit, @pkgr/core, and napi-postinstall.
Attackers injected a malicious install script into the packages; on Windows systems it executes a bundled malware DLL (node-gyp.dll). Version 10.1.6 had its package.json modified by the attacker, but it contains neither the malicious install script nor the DLL payload.
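As an added example (not JFrog's or the package's own code), the following scanner walks an installed node_modules tree and flags the indicators described above: the known-malicious eslint-config-prettier versions (10.1.6 deliberately excluded), lifecycle install scripts that reference node-gyp.dll, a bundled node-gyp.dll file, and any lifecycle hook in one of the other hijacked packages for manual review, since their affected versions are not enumerated here. The sample manifests at the bottom are constructed for illustration.

```python
import json
from pathlib import Path

# Versions of eslint-config-prettier that ship the malicious install script and
# node-gyp.dll. 10.1.6 is excluded: its package.json was altered but no payload.
MALICIOUS_VERSIONS = {"eslint-config-prettier": {"8.10.1", "9.1.1", "10.1.7"}}
# Other packages from the same maintainer that were hijacked; their affected
# versions are not listed here, so they are only checked by the hook heuristic.
WATCHED_PACKAGES = {"eslint-config-prettier", "eslint-plugin-prettier",
                    "synckit", "@pkgr/core", "napi-postinstall"}
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
PAYLOAD_MARKER = "node-gyp.dll"


def check_manifest(manifest: dict) -> list:
    """Return a list of findings for one parsed package.json (empty if clean)."""
    findings = []
    name = manifest.get("name", "")
    version = manifest.get("version", "")
    if version in MALICIOUS_VERSIONS.get(name, set()):
        findings.append(f"{name}@{version}: known malicious version")
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        if PAYLOAD_MARKER in cmd:
            findings.append(f"{name}@{version}: {hook} references {PAYLOAD_MARKER}: {cmd!r}")
        elif name in WATCHED_PACKAGES:
            # A hijacked package with any lifecycle hook deserves a manual look.
            findings.append(f"{name}@{version}: review {hook} script: {cmd!r}")
    return findings


def scan_node_modules(root: str) -> list:
    """Walk an installed tree and report every package that trips a rule."""
    findings = []
    for manifest_path in Path(root).rglob("package.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or non-JSON file: skip, do not crash the scan
        findings.extend(check_manifest(manifest))
        if (manifest_path.parent / PAYLOAD_MARKER).is_file():
            findings.append(f"{manifest_path.parent}: bundled {PAYLOAD_MARKER} present")
    return findings


# Constructed sample manifests (not real package contents) for a quick self-check.
SAFE_SAMPLE = {"name": "eslint-config-prettier", "version": "10.1.6", "scripts": {}}
BAD_SAMPLE = {"name": "eslint-config-prettier", "version": "10.1.7",
              "scripts": {"install": "node install.js"}}

if __name__ == "__main__":
    print(check_manifest(SAFE_SAMPLE), check_manifest(BAD_SAMPLE))
```

Run `scan_node_modules("./node_modules")` against a project checkout to list every flagged package; an empty list means none of the indicators above were found.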
We've updated the Xray database and the JFrog Catalog to reflect the correct list of affected versions, ensuring our clients receive accurate alerts regarding malicious packages.