What is eslint-config-prettier?
eslint-config-prettier is an npm package that disables ESLint rules that would conflict with Prettier's code formatting. It is used by virtually every JavaScript/TypeScript project that combines ESLint (linting) with Prettier (formatting) — an extremely common combination in modern JavaScript development. With over 30 million weekly downloads at the time of the incident, it is one of the most widely used packages in the JavaScript ecosystem. It is typically installed as a development dependency, so it is fetched, and any lifecycle scripts it declares are executed, every time npm install runs.
Overview
CVE-2025-54313 is an embedded malicious code (CWE-506) vulnerability in the eslint-config-prettier npm package. On July 18, 2025, an attacker stole the npm publish credentials of the package maintainer (JounQin) via a phishing attack using a typosquatted domain (npnjs.com impersonating npmjs.com). The attacker used the stolen token to publish trojanized versions containing a malicious install.js script and node-gyp.dll Windows malware. The payload executes at npm install time on Windows systems. The same attacker compromised related packages (eslint-plugin-prettier, synckit) owned by the same maintainer.
Affected Versions
| Package | Malicious Versions |
|---|---|
| eslint-config-prettier | 8.10.1, 9.1.1, 10.1.6, 10.1.7 |
| eslint-plugin-prettier | 4.2.2, 4.2.3 |
| synckit | 0.11.9 |
All malicious versions were deprecated on npm after discovery. Clean replacement versions were published.
Technical Details
The attack exploited the npm postinstall hook mechanism — npm install automatically executes scripts defined in a package's package.json under scripts.postinstall. The trojanized versions added:
- install.js: an obfuscated postinstall script that runs automatically on npm install
- node-gyp.dll: a malicious Windows DLL placed in the package directory
The install.js script invokes node-gyp.dll via rundll32.exe — a standard Windows executable used to run DLL exports. The DLL executes on Windows systems only (the payload is a PE executable). The full capabilities of node-gyp.dll were not completely reversed publicly, but the malware performs Windows system reconnaissance and is assessed to have persistence and data exfiltration capabilities.
The attack delivery mechanism:
- Attacker phishes the maintainer with npnjs.com (typosquatted npmjs.com) and steals the npm auth token
- Uses the token to npm publish trojanized versions
- CI/CD pipelines and developer machines running npm install automatically execute install.js
- node-gyp.dll runs via rundll32, executing the Windows malware payload
Automated detection: RenovateBot — an automated dependency update bot — flagged a discrepancy between the npm package contents and the GitHub repository (the malicious files were not in git), alerting the security community within hours.
Discovery
RenovateBot detected the npm/GitHub discrepancy automatically on July 18, 2025. The maintainer confirmed the incident shortly after.
Exploitation Context
The 30+ million weekly download count made this a potentially massive supply chain incident. However, the Windows-only payload limited actual exploitation: many JavaScript developers work on macOS or Linux. CISA added the vulnerability to the KEV catalog on January 22, 2026, alongside CVE-2025-68645 and CVE-2025-34026 — indicating confirmed exploitation in the wild in CI/CD and developer environments.
Remediation
- Immediately remove malicious versions and upgrade to the next clean version of each affected package.
- Audit node_modules in all projects for the presence of node-gyp.dll and install.js — if found, treat the system as compromised.
- Rotate all credentials accessible from any developer machine or CI/CD runner that ran npm install with the malicious versions: npm tokens, cloud provider credentials (AWS, GCP, Azure), SSH keys, code signing certificates.
- Audit CI/CD runners for persistence mechanisms: unexpected scheduled tasks, services, or registry entries created by node-gyp.dll.
- Lock package-lock.json and use npm ci rather than npm install in CI/CD — this prevents installing newly published versions without review.
- Enable npm audit in CI pipelines and act on supply chain alerts promptly.
- Review your npm credential management — use per-project tokens with minimal scopes; enable npm's two-factor authentication requirement for publishing.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-54313 |
| Vendor / Product | Prettier — eslint-config-prettier |
| NVD Published | 2025-07-19 |
| NVD Last Modified | 2026-01-23 |
| CVSS 3.1 Score | 7.5 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N |
| Severity | HIGH |
| CWE | CWE-506 |
| CISA KEV Added | 2026-01-22 |
| CISA KEV Deadline | 2026-02-12 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2025-07-18 | Maintainer JounQin's npm token stolen via phishing (typosquatted npnjs.com domain) |
| 2025-07-18 | Attacker publishes trojanized versions to npm |
| 2025-07-18 | RenovateBot detects npm/GitHub discrepancy; maintainer and security teams alerted |
| 2025-07-19 | CVE published; malicious versions deprecated |
| 2026-01-22 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2026-02-12 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| GitHub Issue — Malicious Code in eslint-config-prettier (Incident Report) | Vendor Advisory |
| npm — eslint-config-prettier Version History | Vendor Advisory |
| NVD — CVE-2025-54313 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Snyk — Maintainers of eslint/prettier Plugin Attacked via npm Supply Chain Malware | Security Research |
| ZeroPath — CVE-2025-54313 Supply Chain Malware Analysis | Security Research |