eslint-config-prettier 8.10.1-10.1.7 Supply Chain Compromise via install.js Malware
CVE-2025-54313 Published on July 19, 2025
eslint-config-prettier versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7 contain embedded malicious code used in a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.
Known Exploited Vulnerability
This Prettier eslint-config-prettier Embedded Malicious Code Vulnerability is on CISA's list of Known Exploited Vulnerabilities. Prettier eslint-config-prettier contains embedded malicious code: installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.
The following remediation steps are recommended / required by February 12, 2026: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Weakness Type
Embedded Malicious Code
The application contains code that appears to be malicious in nature. Malicious flaws have acquired colorful names, including Trojan horse, trapdoor, timebomb, and logic bomb. A developer might insert malicious code with the intent to subvert the security of an application or its host system at some time in the future. The term generally refers to a program that performs a useful service but exploits the rights of the program's user in a way the user does not intend.
Affected Versions
eslint-config-prettier:
- Version 8.10.1 is affected.
- Version 9.1.1 is affected.
- Version 10.1.6 is affected.
- Version 10.1.7 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows how this score compares to those of all other vulnerabilities.