CVE-2025-54313: Supply Chain Attack Hits eslint-config-prettier with Malware

A critical supply chain vulnerability has been discovered affecting the popular eslint-config-prettier package. Versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7 were compromised with malicious code, potentially impacting numerous projects that rely on this package.

🔍 TL;DR Summary

Compromised versions of eslint-config-prettier contain malicious code that executes a node-gyp.dll malware on Windows systems during installation. This poses a significant supply chain risk, potentially allowing attackers to compromise developer machines and inject malicious code into applications.

🚨 Vulnerability Details

  • CVE ID: CVE-2025-54313
  • Description: eslint-config-prettier versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7 have embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.
  • CVSS Score and Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N (Score: 7.5, High Severity)
  • CVSS Explanation: This vulnerability has a high attack complexity because successful exploitation relies on specific environmental conditions or unusual configurations, potentially requiring social engineering or other techniques to succeed. Although no user interaction is needed, the scope is changed due to the malware's ability to impact other components or systems beyond the vulnerable package itself. Confidentiality is low, meaning there's limited data exposure, while integrity is highly impacted as the attacker can modify critical data or system configurations. Availability is not impacted.
  • Exploit Requirements: An attacker needs to compromise the eslint-config-prettier package or its dependencies and trick users into installing the malicious versions. The target system must be running Windows for the node-gyp.dll malware to execute.
  • Affected Vendor, Product, Version:
    • Vendor: eslint-config-prettier
    • Product: eslint-config-prettier
    • Versions: 8.10.1, 9.1.1, 10.1.6, 10.1.7
  • CWE: CWE-506 - Malicious Code Injection
  • CWE Explanation: CWE-506 refers to the insertion of malicious code into a software system. In this case, the attacker injected malicious code into the eslint-config-prettier package, leading to the execution of malware on affected systems.

📅 Timeline of Events

  • YYYY-MM-DD (Approximate): Malicious code injected into eslint-config-prettier.
  • 2025-07-19: CVE-2025-54313 assigned and vulnerability disclosed.

🧠 Exploitability & Real-World Risk

This vulnerability poses a significant risk due to the widespread use of eslint-config-prettier in JavaScript projects. Successful exploitation could lead to the compromise of developer workstations, allowing attackers to inject malicious code into the projects they are working on. This could result in supply chain attacks affecting end-users of the applications.

🛠️ Recommendations

  • Immediately update to a safe version: Ensure you are using a version of eslint-config-prettier that is not affected by this vulnerability (i.e., a version other than 8.10.1, 9.1.1, 10.1.6, or 10.1.7).
  • Perform a security audit: Review your project dependencies to identify and remove any compromised packages.
  • Use a security scanner: Employ a security scanner to detect and prevent the installation of malicious packages from npm.
  • Monitor your systems: Keep an eye on your systems for any suspicious activity that might indicate a compromise.
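The audit step above can be automated. The following Node.js script is an added example, not code from this advisory or from the eslint-config-prettier project: it walks a package-lock.json object (both the lockfileVersion 2/3 "packages" map and the older lockfileVersion 1 "dependencies" tree) and reports every installed copy of eslint-config-prettier whose version is one of the four listed as compromised, and it separately flags a package.json whose install lifecycle scripts invoke a file named install.js, the trigger the advisory describes. The function names, the `report` helper and the sample lockfile are assumptions constructed for the example.

```javascript
// Added example (not from the advisory or the eslint-config-prettier project):
// scan an npm lockfile for the compromised versions named in CVE-2025-54313
// and flag lifecycle scripts that would run an install.js on "npm install".

const PACKAGE = "eslint-config-prettier";
// Versions listed as compromised in the advisory.
const AFFECTED = new Set(["8.10.1", "9.1.1", "10.1.6", "10.1.7"]);

// Walk a package-lock.json object and return every installed copy of the
// package whose version is in AFFECTED. Handles lockfileVersion 2/3
// ("packages" keyed by install path) and lockfileVersion 1 (nested
// "dependencies" tree), since both are still found in real repositories.
function findCompromised(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      // Install paths look like "node_modules/<name>" or, when nested,
      // "node_modules/<parent>/node_modules/<name>".
      const name = path.split("node_modules/").pop();
      if (name === PACKAGE && AFFECTED.has(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === PACKAGE && AFFECTED.has(meta.version)) {
          hits.push({ path, version: meta.version });
        }
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// The advisory states the payload is triggered by an install.js run during
// installation. Given a parsed package.json object, report whether any npm
// install lifecycle script invokes a file named install.js.
function hasInstallHook(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return ["preinstall", "install", "postinstall"].some(
    (phase) =>
      typeof scripts[phase] === "string" && /\binstall\.js\b/.test(scripts[phase])
  );
}

// Constructed sample lockfile (not a real project) with one compromised copy
// at the top level and one nested copy at an unaffected version.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/eslint-config-prettier": { version: "10.1.7", dev: true },
    "node_modules/some-tool": { version: "2.0.0", dev: true },
    "node_modules/some-tool/node_modules/eslint-config-prettier": {
      version: "9.1.0",
      dev: true,
    },
  },
};

// Human-readable summary of the scan result.
function report(lock) {
  const hits = findCompromised(lock);
  if (hits.length === 0) return `no compromised ${PACKAGE} versions found`;
  return hits
    .map((h) => `COMPROMISED: ${h.path} is ${PACKAGE}@${h.version}`)
    .join("\n");
}

// Run against a lockfile path given on the command line, else the sample.
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const lock = file
    ? JSON.parse(require("fs").readFileSync(file, "utf8"))
    : SAMPLE_LOCK;
  console.log(report(lock));
}
```

Run it as `node scan-lock.js package-lock.json` from a project root; with no argument it scans the constructed sample and prints the one compromised entry. Because the payload runs from an install script, installing with `npm install --ignore-scripts` on a machine under investigation lets the lockfile be audited before any lifecycle script executes, and `npm ls eslint-config-prettier` shows which dependency pulled in each copy.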

🧪 Technical Insight

The malicious code in the affected eslint-config-prettier versions executes an install.js script during installation. This script then launches the node-gyp.dll malware on Windows systems. This DLL is designed to perform malicious actions, such as stealing credentials or injecting code into running processes.

🙌 Credit to Researcher(s)

Credit to researchers and organizations who discovered and reported this vulnerability, including but not limited to Socket.dev and BleepingComputer.

🧵 Tags

#eslint-config-prettier #supplychain #malware #npm #javascript #security #vulnerability #CVE-2025-54313

Summary: eslint-config-prettier versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7 contain malicious code that executes malware on Windows systems during installation, posing a significant supply chain risk. Update to a safe version immediately and audit your project dependencies.

CVE ID: CVE-2025-54313

Risk Analysis: Successful exploitation can compromise developer workstations, inject malicious code into projects, and lead to widespread supply chain attacks affecting end-users and their systems, resulting in data theft, system corruption, or further propagation of malware.

Recommendation: Update to a safe version of eslint-config-prettier immediately. Perform a security audit of your project dependencies and use a security scanner to detect and prevent the installation of malicious packages. Monitor your systems for any signs of compromise.
