CVE-2025-54313
Published: 19 July 2025
Summary
CVE-2025-54313 is a high-severity Embedded Malicious Code (CWE-506) vulnerability in the eslint-config-prettier npm package; the embedded malware executes on Microsoft Windows. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001). It is ranked in the top 6.3% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SA-12 (Supply Chain Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
- Supply Chain Protection (SA-12): Establishes and implements supply chain protections to prevent compromises like the malicious eslint-config-prettier npm package embedding executable malware.
- Detects and prevents counterfeit components, such as the compromised npm package whose embedded install.js launches the node-gyp.dll malware.
- User-installed Software (CM-11): Enforces organizational policies to restrict and monitor user-installed software, blocking installation of the affected eslint-config-prettier versions that auto-execute malware on Windows.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The compromised npm package with embedded malicious install.js code directly enables supply chain compromise of developer dependencies (T1195.001) and automatic JavaScript execution on install (T1059.007).
NVD Description
eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.
Deeper analysis (AI)
CVE-2025-54313 is a supply chain compromise vulnerability affecting the eslint-config-prettier npm package in versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7. These versions embed malicious code that executes upon installation. Specifically, the install.js file within the package launches node-gyp.dll malware on Windows systems. The issue is classified under CWE-506 (Embedded Malicious Code) with a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N) and was published on 2025-07-19.
Remote attackers exploit this vulnerability by compromising the npm package supply chain; it requires no privileges (PR:N) but has high attack complexity (AC:H). Exploitation occurs automatically when developers or build systems install one of the affected package versions on Windows, leading to malware execution. The impact is a limited loss of confidentiality (C:L), a high loss of integrity (I:H) such as code injection or persistence, no direct availability impact (A:N), and a scope change (S:C), because the malware payload affects resources beyond the vulnerable package itself.
Advisories and reports, including the GitHub issue (https://github.com/prettier/eslint-config-prettier/issues/339), the Socket.dev blog post (https://socket.dev/blog/npm-phishing-campaign-leads-to-prettier-tooling-packages-compromise), and the BleepingComputer article (https://www.bleepingcomputer.com/news/security/popular-npm-linter-packages-hijacked-via-phishing-to-drop-malware/), along with Hacker News discussions, provide details on the incident and recommend avoiding the affected versions.
This vulnerability is part of a broader npm phishing campaign targeting Prettier-related linter tooling packages, as highlighted in the referenced security analyses.
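As an added example that is not part of this advisory or of the eslint-config-prettier project, the following Node.js script audits a package-lock.json for the four affected versions named above, covering both the nested lockfileVersion 1 layout and the flat "packages" map of versions 2 and 3 (so a copy hoisted under another dependency is not missed). The lockfile contents below are constructed for the demonstration.

```javascript
// Added example (not from the advisory): audit a package-lock.json for the
// eslint-config-prettier versions listed in CVE-2025-54313.

const AFFECTED = {
  'eslint-config-prettier': new Set(['8.10.1', '9.1.1', '10.1.6', '10.1.7']),
};

function isAffected(name, version) {
  return Boolean(AFFECTED[name] && AFFECTED[name].has(version));
}

// lockfileVersion 1: a "dependencies" tree where each entry may nest its own
// "dependencies"; the on-disk path is reconstructed while walking.
function walkV1(deps, prefix, out) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (isAffected(name, entry.version)) {
      out.push({ name, version: entry.version, path });
    }
    walkV1(entry.dependencies, `${path}/`, out);
  }
}

// lockfileVersion 2/3: a flat "packages" map keyed by install path such as
// "node_modules/a/node_modules/b"; the package name is the last path segment
// after "node_modules/" unless the entry carries an explicit "name" (alias).
function walkV2(packages, out) {
  const marker = 'node_modules/';
  for (const [path, entry] of Object.entries(packages || {})) {
    if (path === '') continue; // the root project entry
    const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
    if (isAffected(name, entry.version)) {
      out.push({ name, version: entry.version, path });
    }
  }
}

// Returns one finding per affected copy found anywhere in the lockfile.
function auditLockfile(lock) {
  const out = [];
  if (lock.lockfileVersion >= 2) walkV2(lock.packages, out);
  else walkV1(lock.dependencies, '', out);
  return out;
}

// Constructed sample (not a real project): a clean top-level copy plus an
// affected copy nested under another dependency.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/eslint-config-prettier': { version: '10.1.5' },
    'node_modules/some-preset/node_modules/eslint-config-prettier': { version: '10.1.7' },
  },
};

console.log(auditLockfile(SAMPLE_LOCK_V3));
```

For a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `auditLockfile` and fail the CI step when the returned list is non-empty.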
Details
- CWE(s): CWE-506 (Embedded Malicious Code)
- KEV Date Added: 22 January 2026