
CVE-2025-54313: eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall have embedded malicious code

CVSS Score: 7.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.19349%
Published: 7/19/2025
Updated: 7/22/2025
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N
Package Name            Ecosystem  Vulnerable Versions     First Patched Version
eslint-config-prettier  npm        = 8.10.1                8.10.2
eslint-config-prettier  npm        = 9.1.1                 9.1.2
eslint-config-prettier  npm        >= 10.1.6, <= 10.1.7    10.1.8
eslint-plugin-prettier  npm        >= 4.2.2, <= 4.2.3      4.2.4
synckit                 npm        = 0.11.9                0.11.10
@pkgr/core              npm        = 0.2.8                 0.2.9
napi-postinstall        npm        = 0.3.1                 0.3.2
got-fetch               npm        >= 5.1.11, <= 5.1.12    6.0.0

Vulnerability Intelligence

Root Cause Analysis

The vulnerability is the result of a supply chain attack in which several popular npm packages were compromised and republished with malicious code. The attackers obtained the maintainers' npm publishing credentials (the eslint-config-prettier maintainer confirmed that his npm token was stolen through a phishing email) and published new versions containing a malicious install.js script, wired to run automatically through the postinstall hook in package.json. Because npm runs lifecycle scripts for transitive dependencies as well as direct ones, any project that resolved one of the listed versions, even indirectly, executed the script at install time unless lifecycle scripts were disabled (for example with npm install --ignore-scripts).

The install.js script contains two functions, install and download. install is the entry point: it checks whether the host operating system is Windows and, if so, calls download, which fetches a malicious DLL (node-gyp.dll) from a remote server and writes it to the local filesystem. install then executes the downloaded DLL (on the compromised releases this was done through rundll32), completing the infection. On non-Windows hosts the script exits without doing anything, so a Linux or macOS CI run that installed the same version shows no visible symptom but still proves that the malicious version was resolved and should be treated as exposure.

The git commits linked to this advisory show only the patches, which are version bumps to clean releases. The malicious code was never committed to the upstream repositories; it existed only in the published npm tarballs, a common supply chain tactic that defeats source-based review and makes a diff between the registry tarball and the tagged source the check that would have exposed the compromise. The vulnerable functions below were identified by analysing the malicious install.js script, as documented in the security blogs linked in the vulnerability details.
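The practical check that follows from the root cause is a lockfile audit: resolve every installed package, compare exact versions against the table above, and flag any dependency manifest whose postinstall hook invokes an install.js. The script below is an added example written for this page; it is not code from the advisory, Miggo, or the affected projects. It handles both the v2/v3 lockfile shape (a flat "packages" map keyed by install path) and the older v1 shape (nested "dependencies"), uses only Node's standard library, and runs offline on the constructed sample data embedded in it. The sample lockfiles and manifest are constructed for illustration, not taken from a real project.

```javascript
// Added example (not code from the advisory, Miggo, or the affected projects):
// audit an npm lockfile against the compromised versions in the advisory table
// and flag manifests that wire an install.js into the postinstall hook.

// Compromised versions per package, copied from the advisory table.
const COMPROMISED_VERSIONS = {
  'eslint-config-prettier': ['8.10.1', '9.1.1', '10.1.6', '10.1.7'],
  'eslint-plugin-prettier': ['4.2.2', '4.2.3'],
  'synckit': ['0.11.9'],
  '@pkgr/core': ['0.2.8'],
  'napi-postinstall': ['0.3.1'],
  'got-fetch': ['5.1.11', '5.1.12'],
};

// Lockfile v2/v3 keys entries by install path, e.g.
// "node_modules/eslint-plugin-prettier/node_modules/synckit".
// The package name (scoped or not) is everything after the last "node_modules/".
function packageNameFromLockPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Lockfile v1 nests transitive dependencies under each entry's "dependencies";
// walk it into the same (path, entry) pairs that v2/v3 "packages" already holds.
function* walkV1(deps, prefix) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const lockPath = `${prefix}node_modules/${name}`;
    yield [lockPath, entry];
    yield* walkV1(entry.dependencies, `${lockPath}/`);
  }
}

function lockEntries(lockfile) {
  if (lockfile.packages) {
    // The "" key describes the root project, not a dependency.
    return Object.entries(lockfile.packages).filter(([lockPath]) => lockPath !== '');
  }
  return [...walkV1(lockfile.dependencies, '')];
}

// Every resolved package whose exact version is in the compromised set.
// Exact match is deliberate: the advisory lists specific versions, and a
// range check would also catch the patched releases.
function findCompromised(lockfile) {
  const hits = [];
  for (const [lockPath, entry] of lockEntries(lockfile)) {
    const name = packageNameFromLockPath(lockPath);
    if (!name || typeof entry.version !== 'string') continue;
    const bad = COMPROMISED_VERSIONS[name];
    if (bad && bad.includes(entry.version)) {
      hits.push({ name, version: entry.version, path: lockPath });
    }
  }
  return hits;
}

// Flag a package.json whose postinstall hook runs an install.js, the pattern
// the malicious releases used. Legitimate native builds ("node-gyp rebuild",
// "prebuild-install") do not match; treat a hit as a triage signal, not proof.
function hasInstallJsPostinstall(pkgJson) {
  const hook = pkgJson && pkgJson.scripts && pkgJson.scripts.postinstall;
  return typeof hook === 'string' && /(^|[\s/])install\.js(\s|$)/.test(hook);
}

// Constructed sample lockfile (v3 shape): eslint-config-prettier 10.1.7 and a
// nested synckit 0.11.9 are compromised; the other two are patched releases.
const SAMPLE_LOCK_V3 = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/eslint-config-prettier': { version: '10.1.7' },
    'node_modules/eslint-plugin-prettier': { version: '4.2.4' },
    'node_modules/eslint-plugin-prettier/node_modules/synckit': { version: '0.11.9' },
    'node_modules/@pkgr/core': { version: '0.2.9' },
  },
};

// The same constructed tree in the v1 shape, to exercise the nested walker.
const SAMPLE_LOCK_V1 = {
  name: 'sample-app',
  lockfileVersion: 1,
  dependencies: {
    'eslint-config-prettier': { version: '10.1.7' },
    'eslint-plugin-prettier': {
      version: '4.2.4',
      dependencies: { synckit: { version: '0.11.9' } },
    },
    '@pkgr/core': { version: '0.2.9' },
  },
};

// Constructed manifest mirroring the postinstall hook the advisory describes.
const SAMPLE_MANIFEST = {
  name: 'eslint-config-prettier',
  version: '10.1.7',
  scripts: { postinstall: 'node install.js' },
};

console.log(findCompromised(SAMPLE_LOCK_V3));
console.log(hasInstallJsPostinstall(SAMPLE_MANIFEST));
```

To run it against a real project, replace the constructed objects with JSON.parse of the project's package-lock.json and of each node_modules/*/package.json; the exact-version match is the part to keep, since the patched releases sit immediately above the compromised ones and a loose range would produce false positives.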

Vulnerable functions

install (install.js)
This is the main function in the malicious `install.js` script and is invoked as soon as the script runs. It checks whether the operating system is Windows and, if so, proceeds to download and execute the malware. This function orchestrates the entire malicious payload delivery.

download (install.js)
This function downloads the malicious `node-gyp.dll` file from a hardcoded URL. It uses the `https` module to make a GET request to the attacker-controlled server and writes the response to disk. This function is the delivery mechanism for the malware.

WAF Protection Rules

WAF Rule

eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.
