CVE-2025-54313 Information

Jul 20, 2025 cve

Description

eslint-config-prettier 8.10.1 9.1.1 10.1.6 and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.

Reference

https://github.com/prettier/eslint-config-prettier/issues/339 https://news.ycombinator.com/item?id=44608811 https://news.ycombinator.com/item?id=44609732 https://socket.dev/blog/npm-phishing-campaign-leads-to-prettier-tooling-packages-compromise https://www.bleepingcomputer.com/news/security/popular-npm-linter-packages-hijacked-via-phishing-to-drop-malware/ https://www.npmjs.com/package/eslint-config-prettier?activeTab=versions https://www.stepsecurity.io/blog/supply-chain-security-alert-eslint-config-prettier-package-shows-signs-of-compromise

CNNVD-202507-2520 (Published: 2025-07-19)

Share on:

CVE-2025-54313 Information

Description

Reference

Related CNNVD