
CVE-2025-54313: npm Linter Package Hijacked

CVE ID: CVE-2025-54313

Severity: HIGH | CVSS: 7.5

Sources: 2 different security sources

Status: ACTIVELY EXPLOITED - Added to CISA KEV Catalog

Let Me Explain What Happened

Let me walk you through something concerning that happened in the JavaScript development community. The popular npm package eslint-config-prettier - a tool that millions of developers use to format their code - was compromised by attackers who injected malicious code into several versions. If you're a Windows developer who installed versions 8.10.1, 9.1.1, 10.1.6, or 10.1.7 of this package, your system may have automatically downloaded and executed malware called node-gyp.dll. Think of it like someone sneaking a key-copying device into a locksmith's toolkit - every time the locksmith thought they were just doing their normal work, they were unknowingly helping the attacker.

What makes this particularly serious is that CISA (the Cybersecurity and Infrastructure Security Agency) has added this vulnerability to their Known Exploited Vulnerabilities catalog, which means they have evidence that attackers are actively using this compromise in the wild right now.

A Bit More Detail

This is what we call a supply chain attack - one of the most effective ways attackers can reach many victims at once. Instead of breaking into individual computers, the attackers compromised the source that developers trust. When you ran npm install with one of the affected versions, the package's installation script (install.js) automatically executed, launching the malware payload. This happened silently in the background, without any obvious warning signs.

The attack specifically targets Windows systems. The CVSS vector records a network-based attack with high attack complexity; the "high complexity" rating likely reflects that the attackers first had to compromise the package maintainer's account, which reports suggest was done through a phishing campaign targeting the package maintainers.

The Technical Specifics

  • Attack Vector: NETWORK (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N)
  • Affected Products: eslint-config-prettier versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7
  • Platform: Windows systems only
  • CWE: CWE-506 (Embedded Malicious Code)
  • Malware Payload: node-gyp.dll
  • Execution Method: Automatic execution via install.js during package installation
  • Attack Complexity: High (requires initial compromise of maintainer account via phishing)
  • Scope: Changed (impacts resources beyond the vulnerable component)
  • Impact: Low Confidentiality impact, High Integrity impact, No Availability impact

Understanding the Attack Chain

Let me break down how this attack unfolded, because understanding the sequence helps you protect against similar attacks in the future:

  1. Initial Compromise: Attackers conducted a phishing campaign targeting the maintainers of prettier-related npm packages. This is the human element - even experienced developers can fall victim to sophisticated phishing attempts.
  2. Package Poisoning: Once they had access to the maintainer's npm account, the attackers published malicious versions of eslint-config-prettier with embedded malware.
  3. Automatic Execution: When developers installed these versions (either directly or as dependencies of other packages), the install.js script ran automatically as part of the normal npm installation process.
  4. Malware Deployment: The install script launched node-gyp.dll on Windows systems, establishing the attacker's foothold.

What You Should Do About This

  • Right Now - Immediate Actions:
    • Check your dependencies: Run npm list eslint-config-prettier in all your projects to see if you have any of the affected versions installed. Look for versions 8.10.1, 9.1.1, 10.1.6, or 10.1.7.
    • Search your lock files: Check your package-lock.json or yarn.lock files for these specific versions, as they might be installed as transitive dependencies (dependencies of your dependencies).
    • If you find affected versions: Assume compromise on any Windows system where these versions were installed. Immediately isolate affected systems from your network if possible.
    • Hunt for the malware: Search for node-gyp.dll on all Windows development machines. This file should not exist in legitimate installations - its presence indicates compromise.
    • Review recent installations: Check your npm install logs and command history for any installations that occurred during the compromise window (you'll need to check the exact dates from the npm package version history).
  • For Remediation:
    • Remove malicious versions: Uninstall any affected versions immediately using npm uninstall eslint-config-prettier.
    • Install clean version: The legitimate maintainers have released clean versions. Install a verified safe version (check the official GitHub repository for the latest safe version number).
    • Clear npm cache: Run npm cache clean --force to ensure no cached malicious packages remain.
    • Scan for malware: Run a full antivirus scan on any Windows systems that had the affected versions installed. Look specifically for node-gyp.dll and any associated processes.
    • Review system logs: Check Windows Event Logs and any security monitoring tools for suspicious activity during the time the malicious package was installed.
    • Rotate credentials: If you stored any credentials, API keys, or secrets on affected systems, rotate them immediately. The malware's full capabilities aren't publicly documented, so assume potential credential theft.
  • For the Long Term - Prevention:
    • Enable npm audit: Make npm audit part of your regular workflow and CI/CD pipeline. Run it before deploying any code.
    • Use lock files: Always commit your package-lock.json or yarn.lock files to version control. This ensures you're installing the exact versions you tested, not automatically pulling new (potentially compromised) versions.
    • Consider dependency monitoring tools: Tools like Socket.dev and Snyk can help monitor your dependencies for suspicious changes and malicious code.
    • Implement least privilege: Don't run npm install with administrator privileges unless absolutely necessary. This limits the damage malicious install scripts can do.
    • Monitor package changes: Use tools that alert you when dependencies change unexpectedly, especially for critical packages in your supply chain.
    • Security awareness training: Since this attack began with phishing, ensure your development team receives regular training on recognizing phishing attempts, especially those targeting developer accounts.
    • Enable 2FA: Require two-factor authentication on all npm accounts, especially for package maintainers. This makes account compromise significantly harder.

Detection Guidance

If you're a security team member looking to hunt for this compromise in your environment, here are some specific indicators and queries:

File System Indicators:

# Search for the malicious DLL
Get-ChildItem -Path C:\ -Filter "node-gyp.dll" -Recurse -ErrorAction SilentlyContinue

# Check npm cache and node_modules directories specifically
Get-ChildItem -Path "$env:APPDATA\npm-cache" -Filter "node-gyp.dll" -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path ".\node_modules" -Filter "node-gyp.dll" -Recurse -ErrorAction SilentlyContinue

Package Audit:

# Check for affected versions in current project
npm list eslint-config-prettier

# Audit all dependencies for known vulnerabilities
npm audit

# Search package-lock.json for affected versions. In a lock file the "version" field sits on the
# line after the package entry, so match the entry and check the following line rather than one line.
grep -A 1 'eslint-config-prettier": {' package-lock.json | grep -E '"version": "(8\.10\.1|9\.1\.1|10\.1\.6|10\.1\.7)"'

SIEM/EDR Queries:

If you have endpoint detection or SIEM tools, look for:

  • Process creation events where node.exe spawned processes that loaded node-gyp.dll
  • File creation events for node-gyp.dll in unusual locations
  • Network connections initiated by Node.js processes during or after npm install operations
  • npm install commands executed during the compromise timeframe

Why This Matters Beyond This Specific Case

I want to take a moment to explain why this vulnerability represents a broader concern for all of us in the development community. Supply chain attacks like this are becoming increasingly common because they're incredibly efficient for attackers. By compromising one popular package, they can potentially reach thousands or millions of systems automatically.

The npm ecosystem, like many package managers, is built on trust. When you run npm install, you're trusting not just the package you're installing, but all of its dependencies, and all of their dependencies, and so on. This creates a large attack surface. The fact that CISA added this to their Known Exploited Vulnerabilities catalog tells us that this isn't just a theoretical concern - real attacks are happening right now.

What's particularly noteworthy about this attack is the phishing component. The attackers didn't find a technical vulnerability in npm's infrastructure - they targeted the human element. This reminds us that security isn't just about patching systems and writing secure code; it's also about awareness and vigilance against social engineering.

MITRE ATT&CK Mapping

For those of you who track threats using the MITRE ATT&CK framework, this attack maps to several techniques:

  • T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain: The primary technique, where attackers compromised the software distribution mechanism.
  • T1566 - Phishing: Initial access to maintainer accounts was gained through phishing.
  • T1059.007 - Command and Scripting Interpreter: JavaScript: The malicious install.js script executed during package installation.
  • T1574.002 - Hijack Execution Flow: DLL Side-Loading: The node-gyp.dll malware payload.
  • T1027 - Obfuscated Files or Information: The malicious code was embedded within what appeared to be a legitimate package update.

Where I Found This Information


Note: This is automated security intelligence based on multiple sources, including CISA's Known Exploited Vulnerabilities catalog. The active exploitation status means this threat is being used in real-world attacks right now. Prioritize checking your systems immediately, but always test remediation steps in a safe environment first before applying them to production systems. Stay safe out there, and remember - we're all in this together.
