GHSA-f29h-pxvx-f335: eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall have embedded malicious code

eslint-config-prettier versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7 contain embedded malicious code as the result of a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.

CVE ID: CVE-2025-54313


Severity: High. GitHub Reviewed. Published Jul 19, 2025 to the GitHub Advisory Database; updated Jul 21, 2025.

Affected packages (npm) and versions:

@pkgr/core: = 0.2.8
eslint-config-prettier: = 8.10.1; = 9.1.1; >= 10.1.6, <= 10.1.7
eslint-plugin-prettier
napi-postinstall
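
The affected versions listed above can be checked against a project's package-lock.json. The following is an added example, not part of the advisory: it encodes only the versions this page lists, reports the packages the page names without versions for manual review, and runs on a constructed sample lockfile. The names auditLockfile and SAMPLE_LOCK and the sample versions for synckit and prettier are illustrative assumptions.

```javascript
// Added example, not from the advisory. Only versions listed on this page are encoded.
const AFFECTED = new Map([
  ['@pkgr/core', ['0.2.8']],
  ['eslint-config-prettier', ['8.10.1', '9.1.1', '10.1.6', '10.1.7']],
]);
// Named in the advisory title or package list, but without versions on this page.
const REVIEW_ONLY = new Set(['eslint-plugin-prettier', 'synckit', 'napi-postinstall']);
const NM = 'node_modules/';

// lockfileVersion 2/3: flat "packages" map keyed by install path. The package
// name is whatever follows the last "node_modules/" (handles nested and scoped).
function entriesFromPackages(packages) {
  const out = [];
  for (const [path, entry] of Object.entries(packages)) {
    const i = path.lastIndexOf(NM);
    if (i !== -1) out.push([path, path.slice(i + NM.length), entry.version]);
  }
  return out;
}

// lockfileVersion 1: nested "dependencies" tree, walked recursively.
function entriesFromTree(deps, prefix, out = []) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${prefix}${NM}${name}`;
    out.push([path, name, entry.version]);
    entriesFromTree(entry.dependencies, `${path}/`, out);
  }
  return out;
}

function auditLockfile(lock) {
  const entries = lock.packages
    ? entriesFromPackages(lock.packages) : entriesFromTree(lock.dependencies, '');
  const findings = [];
  for (const [path, name, version] of entries) {
    if (typeof version !== 'string') continue; // e.g. workspace links carry no version
    const status = (AFFECTED.get(name) || []).includes(version) ? 'affected'
      : REVIEW_ONLY.has(name) ? 'review' : null;
    if (status) findings.push({ path, name, version, status });
  }
  return findings;
}

// Constructed sample lockfile; synckit and prettier versions are made up.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  'node_modules/eslint-config-prettier': { version: '10.1.7', dev: true },
  'node_modules/synckit': { version: '0.0.0-sample' },
  'node_modules/synckit/node_modules/@pkgr/core': { version: '0.2.8' },
  'node_modules/prettier': { version: '3.0.0' },
} };
```

To audit a real project, pass the parsed contents of its package-lock.json to auditLockfile; an "affected" finding means the install script may already have run on any Windows machine that installed that lockfile.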


Related news

CISA Updates KEV Catalog with Four Actively Exploited Software Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The list of vulnerabilities is as follows - CVE-2025-68645 (CVSS score: 8.8) - A PHP remote file inclusion vulnerability in Synacor Zimbra Collaboration Suite (ZCS) that could allow a

Fake npm Website Used to Push Malware via Stolen Token

Fake npm website used in phishing attack to steal maintainer token, leading to malware in popular JavaScript packages like eslint-config-prettier.