Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
eslint-config-prettier Supply Chain Compromise Vulnerability Allowing Malware Installation on Windows
Vulnerability
A supply chain vulnerability has been identified in the eslint-config-prettier npm package, specifically in versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7. This vulnerability arises from a phishing attack that compromised the credentials of a package maintainer, allowing malicious versions to be published. The compromised versions include an install script that executes a Windows DLL known to be a trojan, potentially leading to unauthorized access or damage.
Impact
The vulnerability allows for the execution of malicious code on Windows systems, specifically the installation of a trojanized DLL that could be used for further exploitation.
Reproduction
The vulnerability can be reproduced by installing the affected versions of eslint-config-prettier. The malicious code in these versions is executed automatically upon installation, using a postinstall script that runs a DLL through a Windows system process.
Remediation
Users are advised to uninstall the compromised versions of eslint-config-prettier and replace them with version 10.1.5 or earlier. The maintainer has marked the malicious versions as deprecated and published a clean version. Additionally, enabling two-factor authentication on npm accounts and being cautious with dependency updates can help prevent similar incidents.
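To support the remediation step above, the following is an added example (not code from the advisory or the eslint-config-prettier project) that walks a package-lock.json for the compromised versions named in this advisory and lists any install-time lifecycle hooks a dependency manifest declares, so they can be reviewed or blocked with `npm install --ignore-scripts`. It assumes the standard lockfile v1 (`dependencies` tree) and v2/v3 (`packages` map) layouts; the sample lockfile and manifest at the bottom are constructed.

```javascript
// Added example: audit a lockfile for the eslint-config-prettier versions named
// in this advisory and surface install hooks that run automatically on `npm install`.
const ADVISORY = {
  name: 'eslint-config-prettier',
  badVersions: new Set(['8.10.1', '9.1.1', '10.1.6', '10.1.7']),
};
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Flatten a lockfile into { name, version, path } entries.
// v2/v3: "packages" keyed by install path; v1: nested "dependencies" tree.
function listPackages(lock) {
  const out = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue; // root project entry, not a dependency
      const i = path.lastIndexOf('node_modules/');
      out.push({ name: path.slice(i + 'node_modules/'.length), version: meta.version, path });
    }
  } else if (lock.dependencies) {
    const visit = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        out.push({ name, version: meta.version, path });
        if (meta.dependencies) visit(meta.dependencies, path + '/'); // nested copies
      }
    };
    visit(lock.dependencies, '');
  }
  return out;
}

// Every copy of the package (including nested ones) at a compromised version.
function findCompromised(lock) {
  return listPackages(lock).filter(
    (p) => p.name === ADVISORY.name && ADVISORY.badVersions.has(p.version));
}

// Lifecycle hooks that npm executes during installation of this manifest.
function installHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string');
}

// Constructed sample: a clean top-level copy plus a compromised nested copy.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-project', version: '1.0.0' },
  'node_modules/eslint-config-prettier': { version: '10.1.5' },
  'node_modules/some-tool/node_modules/eslint-config-prettier': { version: '10.1.7' },
} };
// Constructed manifest shaped like a package that declares a postinstall hook.
const SAMPLE_MANIFEST = { name: 'constructed-pkg', version: '0.0.1',
  scripts: { test: 'node test.js', postinstall: 'node setup.js' } };

console.log(findCompromised(SAMPLE_LOCK)); // the nested 10.1.7 copy
console.log(installHooks(SAMPLE_MANIFEST)); // [ 'postinstall' ]
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))`; any hit is a copy to remove before reinstalling a clean version.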
