CVE-2025-54313
published 2025-07-19


Priority: P1 82
Severity: high (7.5, CVSS 3.1)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N
Flags: KEV, ITW
CISA Known Exploited Vulnerability, due 2026-02-12
Exploited in the wild
EPSS: 4.15% (89.6th percentile)
eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.

Affected

20 ranges
Vendor   | Product                | Version range          | Fixed in
alexghr  | got-fetch              |                        |
alexghr  | got-fetch              |                        |
alexghr  | got-fetch              | >= 5.1.11 < 6.0.0      | 6.0.0
homarr   | homarr                 | >= 1.29.0 < 1.30.0     | 1.30.0
pkgr     | core                   | >= 0.2.8 < 0.2.9       | 0.2.9
prettier | eslint-config-prettier |                        |
prettier | eslint-config-prettier |                        |
prettier | eslint-config-prettier |                        |
prettier | eslint-config-prettier |                        |
prettier | eslint-config-prettier | >= 10.1.6 < 10.1.8     | 10.1.8
prettier | eslint-config-prettier | >= 8.10.1 < 8.10.2     | 8.10.2
prettier | eslint-config-prettier | >= 9.1.1 < 9.1.2       | 9.1.2
prettier | eslint-plugin-prettier |                        |
prettier | eslint-plugin-prettier |                        |
prettier | eslint-plugin-prettier | >= 4.2.2 < 4.2.4       | 4.2.4
un-ts    | napi-postinstall       |                        |
un-ts    | napi-postinstall       | >= 0.3.1 < 0.3.2       | 0.3.2
un-ts    | pkgr_core              |                        |
un-ts    | synckit                |                        |
un-ts    | synckit                | >= 0.11.9 < 0.11.10    | 0.11.10

Detection & IOCs (extracted from sources)

filename: install.js
filename: node-gyp.dll
version: eslint-config-prettier 8.10.1
version: eslint-config-prettier 9.1.1
version: eslint-config-prettier 10.1.6
version: eslint-config-prettier 10.1.7
  • Monitor for execution of 'install.js' during npm package installation, specifically from the eslint-config-prettier package directory, as this is the malicious installer script.
  • Alert on the presence or execution of 'node-gyp.dll' in unexpected locations, particularly those spawned from npm install processes, as this is the malware payload dropped on Windows systems.
  • Hunt for npm authentication token theft: the malware targets npm auth tokens, so monitor for suspicious reads of npm configuration files (e.g., .npmrc) or environment variables containing NPM_TOKEN.
  • Audit installed npm packages for the specific malicious versions of eslint-config-prettier (8.10.1, 9.1.1, 10.1.6, 10.1.7) across all CI/CD pipelines and developer workstations.
  • The malware payload (node-gyp.dll) only executes on Windows systems; Linux/macOS environments are not affected by the DLL-based payload.
  • The supply chain compromise was introduced via hijacked npm package versions; only the four specific versions (8.10.1, 9.1.1, 10.1.6, 10.1.7) are malicious — other versions of eslint-config-prettier are not affected.
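The audit called for in the detection bullets above can be run offline against a project's lockfile. The script below is an added example, not code from this CVE record or from any of the affected projects. It takes the version ranges from the Affected table; the npm package names it maps those rows to (for example "pkgr / core" to `@pkgr/core`) are an assumption to verify against your registry data, and the `homarr` row is left out because it is not an npm package in a lockfile. The sample lockfile inside the block is constructed for the demonstration. It covers both lockfile layouts (v2/v3 `packages` and v1 nested `dependencies`), including nested copies of a package, which is where a transitive dependency like synckit or @pkgr/core typically hides.

```python
"""Audit an npm lockfile for the package versions tied to CVE-2025-54313.

Added example; not code from the CVE record or from any affected project.
The ranges below are copied from the record's Affected table. The npm names
for the vendor/product rows (e.g. "pkgr core" -> "@pkgr/core") are an
assumption; check them against your own registry data. Version comparison is
plain numeric semver with prerelease/build tags ignored, which is enough for
the patch-level ranges listed here.
"""
import json

# (low inclusive, high exclusive) per npm package, from the Affected table
AFFECTED = {
    "eslint-config-prettier": [("8.10.1", "8.10.2"), ("9.1.1", "9.1.2"), ("10.1.6", "10.1.8")],
    "eslint-plugin-prettier": [("4.2.2", "4.2.4")],
    "synckit": [("0.11.9", "0.11.10")],
    "@pkgr/core": [("0.2.8", "0.2.9")],  # npm name assumed for the "pkgr / core" row
    "napi-postinstall": [("0.3.1", "0.3.2")],
    "got-fetch": [("5.1.11", "6.0.0")],
}


def parse_version(v):
    """'10.1.7' -> (10, 1, 7); prerelease and build suffixes are dropped."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(name, version):
    """True when `version` of `name` falls inside one of its listed ranges."""
    if name not in AFFECTED:
        return False
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED[name])


def iter_installed(lock):
    """Yield (name, version, lockfile path) for every package in a lockfile.

    Handles lockfileVersion 2/3 (flat "packages" keyed by node_modules path,
    scoped names such as @pkgr/core included) and v1 (nested "dependencies").
    """
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        # "name" is only present for aliased installs; otherwise derive it from the path
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        yield name, meta.get("version", ""), path

    def walk(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield name, meta.get("version", ""), path
            yield from walk(meta.get("dependencies", {}), path + "/")

    if "packages" not in lock:
        yield from walk(lock.get("dependencies", {}), "")


def find_affected(lock):
    """Return [(name, version, path)] for every installed copy in an affected range."""
    return [(n, v, p) for n, v, p in iter_installed(lock) if v and is_affected(n, v)]


def audit_lockfile_text(text):
    """Convenience wrapper: audit the raw text of package-lock.json."""
    return find_affected(json.loads(text))


# Constructed sample lockfile (v3): one direct hit, one nested hit, two near-misses
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/eslint-config-prettier": {"version": "10.1.7"},
        "node_modules/eslint-plugin-prettier": {"version": "4.2.1"},   # below the range
        "node_modules/@pkgr/core": {"version": "0.2.9"},               # the fixed version
        "node_modules/eslint-plugin-prettier/node_modules/synckit": {"version": "0.11.9"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
})

if __name__ == "__main__":
    for name, version, path in audit_lockfile_text(SAMPLE_LOCKFILE):
        print(f"AFFECTED {name}@{version} at {path}")
```

Run it against a real project with `find_affected(json.load(open("package-lock.json")))`; in CI, a non-empty result should fail the build. Because the lockfile records every nested copy, this catches the transitive case that `npm ls <name>` on a single top-level package can miss.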

CVSS provenance

nvd (v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N
vulncheck: 7.5 HIGH
cisa: 7.5 HIGH
vendor_redhat: 7.5 HIGH