
GHSA-f29h-pxvx-f335: eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall have embedded malicious code

eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 have embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.

CVE ID: CVE-2025-54313


High severity • GitHub Reviewed • Published Jul 19, 2025 to the GitHub Advisory Database • Updated Jul 21, 2025

Package: Affected versions

@pkgr/core (npm): = 0.2.8

eslint-config-prettier (npm): = 8.10.1; = 9.1.1; >= 10.1.6, <= 10.1.7

eslint-plugin-prettier (npm)

napi-postinstall (npm)
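
To check a project against the versions listed above, the following added example (not part of the advisory or of any project's code) scans a parsed package-lock.json. The function names and the sample lockfile are constructed for illustration, and packages this page names without version numbers are only flagged for review.

```javascript
// Affected versions copied from this page. eslint-plugin-prettier, synckit and
// napi-postinstall are named here without versions, so they are flagged for review only.
const AFFECTED = new Map([
  ['eslint-config-prettier', ['8.10.1', '9.1.1', '10.1.6', '10.1.7']],
  ['@pkgr/core', ['0.2.8']],
]);
const NAMED_WITHOUT_VERSIONS = ['eslint-plugin-prettier', 'synckit', 'napi-postinstall'];

// Package name from a lockfile v2/v3 "packages" key, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; null for the root or workspaces.
function nameFromPath(path) {
  const marker = 'node_modules/';
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// Returns [{name, version, where, status}] for every hit in a parsed package-lock.json.
function scanLockfile(lock) {
  const hits = [];
  const check = (name, version, where) => {
    if (!name || typeof version !== 'string') return; // root entry, links
    if ((AFFECTED.get(name) || []).includes(version)) {
      hits.push({ name, version, where, status: 'affected' });
    } else if (NAMED_WITHOUT_VERSIONS.includes(name)) {
      hits.push({ name, version, where, status: 'review' });
    }
  };
  // lockfileVersion 2 and 3: flat map keyed by install path (covers transitive installs).
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    check(nameFromPath(path), entry.version, path);
  }
  // lockfileVersion 1: nested "dependencies" tree, walked only when "packages" is absent.
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      check(name, entry.version, trail + name);
      walk(entry.dependencies, trail + name + ' > ');
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (not taken from a real project).
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo', version: '1.0.0' },
  'node_modules/eslint-config-prettier': { version: '10.1.7' },
  'node_modules/synckit': { version: '0.0.0-sample' },
  'node_modules/synckit/node_modules/@pkgr/core': { version: '0.2.7' },
} };
console.log(scanLockfile(sampleLock));
```

For a real project, pass the function the result of `JSON.parse` on the contents of package-lock.json; because the advisory's payload runs at install time, scan the lockfile before running an install on a Windows host.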

Published to the GitHub Advisory Database: Jul 19, 2025

Last updated: Jul 21, 2025

Related news

Fake npm Website Used to Push Malware via Stolen Token

Fake npm website used in phishing attack to steal maintainer token, leading to malware in popular JavaScript packages like eslint-config-prettier.