CVE-2025-54313
Published 2025-07-19
Priority P1 · 82 · high · CVSS 3.1 base score 7.5
CVSS vector: AV:N / AC:H / PR:N / UI:N / S:C / C:L / I:H / A:N
CISA Known Exploited Vulnerability (KEV), due 2026-02-12
Exploited in the wild
EPSS: 4.15% (89.6th percentile)
eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alexghr | got-fetch | — | — |
| alexghr | got-fetch | — | — |
| alexghr | got-fetch | >= 5.1.11 < 6.0.0 | 6.0.0 |
| homarr | homarr | >= 1.29.0 < 1.30.0 | 1.30.0 |
| pkgr | core | >= 0.2.8 < 0.2.9 | 0.2.9 |
| prettier | eslint-config-prettier | — | — |
| prettier | eslint-config-prettier | — | — |
| prettier | eslint-config-prettier | — | — |
| prettier | eslint-config-prettier | — | — |
| prettier | eslint-config-prettier | >= 10.1.6 < 10.1.8 | 10.1.8 |
| prettier | eslint-config-prettier | >= 8.10.1 < 8.10.2 | 8.10.2 |
| prettier | eslint-config-prettier | >= 9.1.1 < 9.1.2 | 9.1.2 |
| prettier | eslint-plugin-prettier | — | — |
| prettier | eslint-plugin-prettier | — | — |
| prettier | eslint-plugin-prettier | >= 4.2.2 < 4.2.4 | 4.2.4 |
| un-ts | napi-postinstall | — | — |
| un-ts | napi-postinstall | >= 0.3.1 < 0.3.2 | 0.3.2 |
| un-ts | pkgr_core | — | — |
| un-ts | synckit | — | — |
| un-ts | synckit | >= 0.11.9 < 0.11.10 | 0.11.10 |
Detection & IOCs (extracted from sources)
- Monitor for execution of 'install.js' during npm package installation, specifically from the eslint-config-prettier package directory, as this is the malicious installer script.
- Alert on the presence or execution of 'node-gyp.dll' in unexpected locations, particularly those spawned from npm install processes, as this is the malware payload dropped on Windows systems.
- Hunt for npm authentication token theft: the malware targets npm auth tokens, so monitor for suspicious reads of npm configuration files (e.g., .npmrc) or environment variables containing NPM_TOKEN.
- Audit installed npm packages for the specific malicious versions of eslint-config-prettier (8.10.1, 9.1.1, 10.1.6, 10.1.7) across all CI/CD pipelines and developer workstations.
- The malware payload (node-gyp.dll) only executes on Windows systems; Linux/macOS environments are not affected by the DLL-based payload.
- The supply chain compromise was introduced via hijacked npm package versions; only the four specific versions (8.10.1, 9.1.1, 10.1.6, 10.1.7) are malicious — other versions of eslint-config-prettier are not affected.
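One way to carry out the lockfile audit the list above calls for, as an added example that is not part of this page or of any of the sources it quotes: it scans a parsed package-lock.json (nested lockfileVersion 1 and flat lockfileVersion 2/3 layouts) for the malicious npm versions taken from this page's affected-range table, covering the other compromised packages from the table as well as eslint-config-prettier. The sample lockfile and the `find_malicious` helper name are constructed for this example.

```python
# Malicious npm versions, taken from this page's affected-range table.
MALICIOUS = {
    "eslint-config-prettier": {"8.10.1", "9.1.1", "10.1.6", "10.1.7"},
    "eslint-plugin-prettier": {"4.2.2", "4.2.3"},
    "synckit": {"0.11.9"},
    "@pkgr/core": {"0.2.8"},
    "napi-postinstall": {"0.3.1"},
}

def _name_from_path(path):
    # v2/v3 keys look like "node_modules/a/node_modules/@scope/b"; the
    # package name is whatever follows the last "node_modules/".
    return path.rsplit("node_modules/", 1)[-1]

def find_malicious(lock):
    """Return sorted (name, version) pairs from a parsed package-lock.json
    that match a known-malicious pin. Handles lockfileVersion 1 (nested
    'dependencies') and 2/3 (flat 'packages' keyed by install path)."""
    hits = set()
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = meta.get("name") or _name_from_path(path)
        if meta.get("version") in MALICIOUS.get(name, ()):
            hits.add((name, meta["version"]))

    def walk(deps):  # v1 nests transitive deps under each entry
        for name, meta in deps.items():
            if meta.get("version") in MALICIOUS.get(name, ()):
                hits.add((name, meta["version"]))
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return sorted(hits)

# Constructed lockfileVersion 3 sample (not a real project's lockfile):
# one malicious top-level pin, one malicious nested pin, two clean pins.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "version": "1.0.0"},
        "node_modules/eslint-config-prettier": {"version": "10.1.7"},
        "node_modules/eslint-plugin-prettier": {"version": "5.1.3"},
        "node_modules/foo/node_modules/synckit": {"version": "0.11.9"},
        "node_modules/@pkgr/core": {"version": "0.2.9"},
    },
}

if __name__ == "__main__":
    for name, version in find_malicious(SAMPLE_LOCK):
        print(f"MALICIOUS {name}@{version}")
```

Against a real checkout, pass `json.load(open("package-lock.json"))` to `find_malicious` and run it across every repository and CI cache the list above mentions.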
CVSS provenance
- NVD (CVSS v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N
- VulnCheck: 7.5 HIGH
- CISA: 7.5 HIGH
- Red Hat (vendor): 7.5 HIGH
OSV
osv · 2025-07-19
CVE-2025-54313 [HIGH] eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall have embedded malicious code
eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.
GHSA
ghsa · 2025-07-19
CVE-2025-54313 [HIGH] CWE-506 eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall have embedded malicious code
eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.
VulnCheck
vulncheck · 2025 · CVSS 7.5
CVE-2025-54313 [HIGH] CWE-506 Prettier eslint-config-prettier Embedded Malicious Code Vulnerability
Prettier eslint-config-prettier contains an embedded malicious code vulnerability. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.
Affected: Prettier eslint-config-prettier
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References:
- https://www.endorlabs.com/learn/cve-2025-54313-eslint-config-prettier-compromise----high-severity-but-windows-only
- https://safedep.io/eslint-config-prettier-major-npm-supply-chain-hack/
- https://snyk.io/blog/maintainers-of-eslint-prettier-plugin-attacked-via-npm-supply-chain-malwar
CISA
cisa · 2026-01-22 · CVSS 7.5
CVE-2025-54313 [HIGH] CWE-506 Prettier eslint-config-prettier Embedded Malicious Code Vulnerability
Affected: Prettier eslint-config-prettier
Prettier eslint-config-prettier contains an embedded malicious code vulnerability. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https://www.npmjs.com/package/eslint-config-prettier?activeTab=versions ; https://github.com
Red Hat
vendor_redhat · 2025-07-19 · CVSS 7.5
CVE-2025-54313 [HIGH] CWE-506 eslint-config-prettier: Eslint-config-prettier Supply Chain Compromise
eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.
A flaw was found in eslint-config-prettier. An affected version contains embedded malicious code that executes an `install.js` file during package installation. This script launches the `node-gyp.dll` malware on Windows systems, allowing a remote attacker to execute arbitrary code.
Statement: No affected versions of eslint-config-prettier are shipped in any Red Hat products.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat
No detection rules found.
No public exploits indexed.
Bleepingcomputer
blogs_bleepingcomputer · 2026-01-23 · CVSS 5.3
[MEDIUM] CISA confirms active exploitation of four enterprise software bugs
By Bill Toulas
The Cybersecurity and Infrastructure Security Agency (CISA) in the U.S. warned of active exploitation of four vulnerabilities impacting enterprise software from Versa and Zimbra, the Vite frontend tooling framework, and the Prettier code formatter.
The security issues have been added to CISA’s KEV (Known Exploited Vulnerabilities) catalog, indicating that the agency has evidence that hackers are exploiting them in the wild.
One of the vulnerabilities is CVE-2025-31125, a high-severity improper access control issue disclosed in March last year that can be exploited to expose non-allowed files when the server is explicitly exposed to the network.
The issue affects only exposed dev instances and has bee
Recorded Future
blogs_recorded_future · CVSS 4.9
[MEDIUM] January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day
January 2026 saw a modest 5% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 23 vulnerabilities requiring immediate remediation, up from 22 in December 2025. Noteworthy trends last month included Russian state-sponsored exploitation of a Microsoft Office zero-day and critical authentication bypass flaws affecting enterprise infrastructure.
What security teams need to know:
- APT28's Operation Neusploit: Russian state-sponsored actors exploited CVE-2026-21509 (Microsoft Office) via weaponized RTF files, delivering MiniDoor, PixyNetLoader, and Covenant Grunt implants
- Microsoft and SmarterTools lead concerns: These vendors accounte
Bugzilla
bugzilla · 2025-07-19 · CVSS 7.5
CVE-2025-54313 [HIGH] eslint-config-prettier: Eslint-config-prettier Supply Chain Compromise
eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.
References:
- https://github.com/prettier/eslint-config-prettier/issues/339
- https://news.ycombinator.com/item?id=44608811
- https://news.ycombinator.com/item?id=44609732
- https://socket.dev/blog/npm-phishing-campaign-leads-to-prettier-tooling-packages-compromise
- https://www.bleepingcomputer.com/news/security/popular-npm-linter-packages-hijacked-via-phishing-to-drop-malware/
- https://www.npmjs.com/package/eslint-config-prettier?activeTab=versions
- https://www.stepsecurity.io/blog/supply-chain-security-alert-eslint-config-prettier-package-shows-signs-of-compromise
- https://github.com/community-scripts/ProxmoxVE/discussions/6115
- https://www.endorlabs.com/learn/cve-2025-54313-eslint-config-prettier-compromise----high-severity-but-windows-only
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-54313
Timeline
- 2025-07-19: Published
- 2026-01-22: Added to CISA KEV
- Exploited in the wild