CVE-2025-54313: The Trojan Horse in Your Linter
Amit Schendel, Senior Security Researcher · Jan 23, 2026 · 6 min read
Status: Active Exploitation · CISA KEV Listed
Executive Summary (TL;DR)
Attackers hijacked the `eslint-config-prettier` NPM package via phishing. They pushed versions containing a malicious `install.js` script. When you run `npm install`, this script executes and, on Windows machines, uses `rundll32.exe` to launch a bundled malicious library named `node-gyp.dll`. Update immediately to version 10.1.8+.
This is a sophisticated supply chain attack targeting the popular `eslint-config-prettier` package. Attackers compromised maintainer accounts to inject malicious code that executes via NPM lifecycle hooks, dropping a malicious DLL on Windows systems.
CVSS Score: 7.5 / 10
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N
EPSS Probability: 3.54% (top 13% most exploited)
Affected Systems: Node.js Environments, Windows Workstations, CI/CD Pipelines (Windows Runners)
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| eslint-config-prettier (Prettier) | 8.10.1, 9.1.1, 10.1.6, 10.1.7 | 10.1.8 |
| eslint-plugin-prettier (Prettier) | 4.2.2 - 4.2.3 | 4.2.4 |
| synckit (pkgr) | 0.11.9 | 0.11.10 |
| Attribute | Detail |
|---|---|
| CVE ID | CVE-2025-54313 |
| CVSS | 7.5 (High) |
| Attack Vector | Network (Supply Chain) |
| Impact | Integrity, Remote Code Execution |
| Platform | Windows (Primary Payload) |
| KEV Status | Listed (Jan 2026) |
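The versions in the table above can be checked mechanically. The following script is an added example, not code from the advisory or from the Prettier or pkgr projects: it walks the `packages` map of a parsed `package-lock.json` (lockfileVersion 2 or 3), reports every installed copy of a compromised version, nested copies included, and lists packages that npm has flagged with `hasInstallScript`, since an install lifecycle script is how `install.js` ran in this incident. The lockfile contents are constructed sample data.

```javascript
// Added example, not from the advisory or the projects it names: scan a parsed
// package-lock.json (lockfileVersion 2/3 "packages" map) for the compromised
// versions in the table above and list packages carrying install-time scripts.
const AFFECTED = {
  "eslint-config-prettier": new Set(["8.10.1", "9.1.1", "10.1.6", "10.1.7"]),
  "eslint-plugin-prettier": new Set(["4.2.2", "4.2.3"]),
  "synckit": new Set(["0.11.9"]),
};
// Lockfile keys look like "node_modules/foo" or
// "node_modules/a/node_modules/@scope/foo"; the root project is key "".
function packageName(lockPath) {
  return lockPath.split("node_modules/").pop();
}

// Every installed copy of a known-compromised version, top-level or nested.
function findCompromised(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const bad = AFFECTED[packageName(path)];
    if (bad && meta.version && bad.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// npm sets hasInstallScript on packages with preinstall/install/postinstall
// hooks, the mechanism install.js used here; review these even when the
// version itself is not in the list above.
function findInstallScripts(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path, meta]) => path !== "" && meta.hasInstallScript === true)
    .map(([path]) => path);
}

// Constructed sample lockfile: one clean package, one compromised top-level
// package and one compromised nested copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/eslint-config-prettier": { version: "10.1.7", hasInstallScript: true },
    "node_modules/prettier": { version: "3.3.3" },
    "node_modules/some-tool/node_modules/synckit": { version: "0.11.9", hasInstallScript: true },
  },
};
if (typeof require !== "undefined" && require.main === module) {
  console.log(findCompromised(sampleLock), findInstallScripts(sampleLock));
}
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a non-empty result from `findCompromised` means the lockfile still pins a compromised release and the project should move to the fixed versions listed above.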
MITRE ATT&CK Mapping
CWE-506: Embedded Malicious Code. The product contains code that appears to be malicious in nature.
Vulnerability Timeline
2025-07-18: Malicious versions published to NPM
2025-07-18: Community detects anomaly; Issue #339 opened
2025-07-19: CVE-2025-54313 assigned
2026-01-22: Added to CISA KEV Catalog