
Hijacked upstream library

High
manuel-rw published GHSA-r44g-gjcw-rvc6 Jul 21, 2025

Package

No package listed

Affected versions

1.29.0
1.29.1

Patched versions

1.30.0

Description

Impact

An upstream library was hijacked and malware was injected into it.
The attacker used a phishing email to obtain a publishing token and published the malicious version to npmjs.org.

The content of the DLL is unknown but presumed malicious; it most likely attempts to establish remote code execution (RCE) on the developer's machine.
The exploit affects Windows only, and only when dependencies are installed with npm, yarn, or pnpm < 10 (pnpm 10 does not run dependency install scripts by default, so the payload is never executed there).
It only affects developers installing dependencies; the production container is not affected.

Patches

Upgrade to 1.30.0 immediately.

Workarounds

npmjs.org has taken down the compromised versions, but they may still be present on your local system (for example in node_modules or in your package manager's cache).

References

prettier/eslint-config-prettier#339
https://x.com/probably_coding/status/1946275583958106232
https://socket.dev/blog/npm-phishing-campaign-leads-to-prettier-tooling-packages-compromise
https://www.endorlabs.com/learn/cve-2025-54313-eslint-config-prettier-compromise----high-severity-but-windows-only

Severity

High

CVE ID

CVE-2025-54313

Weaknesses

No CWEs

Credits